diff --git a/README.md b/README.md index 69be31e..7fc25bf 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,10 @@ ID |Framework | URL | Version | Notes `800_171_v1` | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | [NIST 800-171](https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final) | 1 | `owasp_10_v3` | Open Web Application Security Project (OWASP) Top Ten Proactive Controls 2018 | [OWASP Top 10](https://owasp.org/www-project-proactive-controls/) | 3 | Distinct from [OWASP Top 10 Security Risks](https://owasp.org/www-project-top-ten/) `asvs_v4.0.1` | OWASP Application Security Verification Standard | [ASVS](https://owasp.org/www-project-application-security-verification-standard/) | 4.0.1 | +`fsscc_profile_v1.0` | Financial Services Sector Coordinating Council (FSSCC) Profile | [FSSCC](https://fsscc.org/The-Profile-FAQs) | 1.0 | +`ffiec_cat_v2017.05` | Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool | [FFIEC](https://www.ffiec.gov/cyberassessmenttool.htm) | 2017.05 (May, 2017) | Only includes maturity domains; risk profiles are excluded as they do not fit within the framework of this project +`aicpa_tsc_v2017` | AICPA Trust Services Criteria (SOC2 / SOC3) | [AICPA](https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf) | 2017 | +`scf` | Secure Controls Framework | [SCF](https://www.securecontrolsframework.com/trust-services-criteria.pdf) | 2022.3 | ### Control Format 
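Review bot: the `scf` row breaks the ID convention every other row in this table follows, where the version is encoded in the identifier (`fsscc_profile_v1.0`, `ffiec_cat_v2017.05`, `aicpa_tsc_v2017`), yet its Version column says 2022.3; suggest `scf_v2022.3` so a later SCF release can coexist with this one. The SCF URL `https://www.securecontrolsframework.com/trust-services-criteria.pdf` also repeats the file name of the AICPA document linked in the row directly above it, which looks like a copy-paste slip; worth confirming it actually resolves to the SCF download before merging. The FFIEC row's note that risk profiles are excluded is useful and should also be reflected wherever the `### Control Format` section describes what a framework entry covers.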
@@ -168,7 +172,7 @@ The data and tools in this project can support: * [ ] Capture equivalence and associative mappings for 800-171 to 800-53 * [ ] Capture equivalence and associative mappings for CIS CSC to NIST 800-53 * [ ] Consider ways to include adversary activity taxonomies (_e.g._, [ATT&CK](https://attack.mitre.org/), [OWASP Top 10 Security Risks](https://owasp.org/www-project-top-ten/), [CAPEC](https://capec.mitre.org/)) -* [ ] Consider including additional frameworks like SOC 2, PCI/DSS, ISO 2700X, COBIT, ITIL, HIPAA/HITRUST, FedRAMP +* [ ] Consider including additional frameworks like PCI/DSS, ISO 2700X, COBIT, ITIL, HIPAA/HITRUST, FedRAMP ## License and Notice diff --git a/data/controls.csv b/data/controls.csv index 2b01d79..357d5bf 100644 --- a/data/controls.csv +++ b/data/controls.csv 
@@ -318,1284 +318,1284 @@ nist_800_171_v1,nist_800_171_v1:3.9,3.9,Family,0,9,Personnel Security, nist_800_171_v1,nist_800_171_v1:3.9.1,3.9.1,Requirement,1,73,,Screen individuals prior to authorizing access to organizational systems containing CUI. nist_800_171_v1,nist_800_171_v1:3.9.2,3.9.2,Requirement,1,74,,Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. nist_800_53_v4,nist_800_53_v4:ac,AC,Family,0,1,Access Control, -nist_800_53_v4,nist_800_53_v4:ac-1,AC-1,Control,1,,Access Control Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ac-10,AC-10,Control,1,,Concurrent Session Control, -nist_800_53_v4,nist_800_53_v4:ac-11,AC-11,Control,1,,Session Lock, -nist_800_53_v4,nist_800_53_v4:ac-11(1),AC-11 (1),Enhancement,2,,Pattern-Hiding Displays,"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image." -nist_800_53_v4,nist_800_53_v4:ac-11a.,AC-11a.,Statement,2,,,The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and -nist_800_53_v4,nist_800_53_v4:ac-11b.,AC-11b.,Statement,2,,,The information system: Retains the session lock until the user reestablishes access using established identification and authentication procedures. -nist_800_53_v4,nist_800_53_v4:ac-12,AC-12,Control,1,,Session Termination, -nist_800_53_v4,nist_800_53_v4:ac-12(1),AC-12 (1),Enhancement,2,,User-Initiated Logouts / Message Displays,The information system: Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. 
-nist_800_53_v4,nist_800_53_v4:ac-13,AC-13,Control,1,,Supervision and Review - Access Control, -nist_800_53_v4,nist_800_53_v4:ac-14,AC-14,Control,1,,Permitted Actions Without Identification Or Authentication, -nist_800_53_v4,nist_800_53_v4:ac-14a.,AC-14a.,Statement,2,,,The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and -nist_800_53_v4,nist_800_53_v4:ac-14b.,AC-14b.,Statement,2,,,"The organization: Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication." -nist_800_53_v4,nist_800_53_v4:ac-15,AC-15,Control,1,,Automated Marking, -nist_800_53_v4,nist_800_53_v4:ac-16,AC-16,Control,1,,Security Attributes, -nist_800_53_v4,nist_800_53_v4:ac-16(1),AC-16 (1),Enhancement,2,,Dynamic Attribute Association,The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. -nist_800_53_v4,nist_800_53_v4:ac-16(10),AC-16 (10),Enhancement,2,,Attribute Configuration By Authorized Individuals,The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. -nist_800_53_v4,nist_800_53_v4:ac-16(2),AC-16 (2),Enhancement,2,,Attribute Value Changes By Authorized Individuals,The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. 
-nist_800_53_v4,nist_800_53_v4:ac-16(3),AC-16 (3),Enhancement,2,,Maintenance Of Attribute Associations By Information System,The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. -nist_800_53_v4,nist_800_53_v4:ac-16(4),AC-16 (4),Enhancement,2,,Association Of Attributes By Authorized Individuals,The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). -nist_800_53_v4,nist_800_53_v4:ac-16(5),AC-16 (5),Enhancement,2,,Attribute Displays For Output Devices,"The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]." -nist_800_53_v4,nist_800_53_v4:ac-16(6),AC-16 (6),Enhancement,2,,Maintenance Of Attribute Association By Organization,"The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]." -nist_800_53_v4,nist_800_53_v4:ac-16(7),AC-16 (7),Enhancement,2,,Consistent Attribute Interpretation,The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. 
-nist_800_53_v4,nist_800_53_v4:ac-16(8),AC-16 (8),Enhancement,2,,Association Techniques / Technologies,The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. -nist_800_53_v4,nist_800_53_v4:ac-16(9),AC-16 (9),Enhancement,2,,Attribute Reassignment,The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. -nist_800_53_v4,nist_800_53_v4:ac-16a.,AC-16a.,Statement,2,,,"The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;" -nist_800_53_v4,nist_800_53_v4:ac-16b.,AC-16b.,Statement,2,,,The organization: Ensures that the security attribute associations are made and retained with the information; -nist_800_53_v4,nist_800_53_v4:ac-16c.,AC-16c.,Statement,2,,,The organization: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and -nist_800_53_v4,nist_800_53_v4:ac-16d.,AC-16d.,Statement,2,,,The organization: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. -nist_800_53_v4,nist_800_53_v4:ac-17,AC-17,Control,1,,Remote Access, -nist_800_53_v4,nist_800_53_v4:ac-17(1),AC-17 (1),Enhancement,2,,Automated Monitoring / Control,The information system monitors and controls remote access methods. -nist_800_53_v4,nist_800_53_v4:ac-17(2),AC-17 (2),Enhancement,2,,Protection Of Confidentiality / Integrity Using Encryption,The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. 
-nist_800_53_v4,nist_800_53_v4:ac-17(3),AC-17 (3),Enhancement,2,,Managed Access Control Points,The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. -nist_800_53_v4,nist_800_53_v4:ac-17(4),AC-17 (4),Enhancement,2,,Privileged Commands / Access,The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system. -nist_800_53_v4,nist_800_53_v4:ac-17(6),AC-17 (6),Enhancement,2,,Protection Of Information,The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. -nist_800_53_v4,nist_800_53_v4:ac-17(9),AC-17 (9),Enhancement,2,,Disconnect / Disable Access,The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:ac-17a.,AC-17a.,Statement,2,,,"The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" -nist_800_53_v4,nist_800_53_v4:ac-17b.,AC-17b.,Statement,2,,,The organization: Authorizes remote access to the information system prior to allowing such connections. -nist_800_53_v4,nist_800_53_v4:ac-18,AC-18,Control,1,,Wireless Access, -nist_800_53_v4,nist_800_53_v4:ac-18(1),AC-18 (1),Enhancement,2,,Authentication And Encryption,The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. 
-nist_800_53_v4,nist_800_53_v4:ac-18(3),AC-18 (3),Enhancement,2,,Disable Wireless Networking,"The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment." -nist_800_53_v4,nist_800_53_v4:ac-18(4),AC-18 (4),Enhancement,2,,Restrict Configurations By Users,The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. -nist_800_53_v4,nist_800_53_v4:ac-18(5),AC-18 (5),Enhancement,2,,Antennas / Transmission Power Levels,The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. -nist_800_53_v4,nist_800_53_v4:ac-18a.,AC-18a.,Statement,2,,,"The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and" -nist_800_53_v4,nist_800_53_v4:ac-18b.,AC-18b.,Statement,2,,,The organization: Authorizes wireless access to the information system prior to allowing such connections. 
-nist_800_53_v4,nist_800_53_v4:ac-19,AC-19,Control,1,,Access Control For Mobile Devices, -nist_800_53_v4,nist_800_53_v4:ac-19(4),AC-19 (4),Enhancement,2,,Restrictions For Classified Information,"The organization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified information systems is prohibited; Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]." -nist_800_53_v4,nist_800_53_v4:ac-19(5),AC-19 (5),Enhancement,2,,Full Device / Container-Based Encryption,The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. 
-nist_800_53_v4,nist_800_53_v4:ac-19a.,AC-19a.,Statement,2,,,"The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and" -nist_800_53_v4,nist_800_53_v4:ac-19b.,AC-19b.,Statement,2,,,The organization: Authorizes the connection of mobile devices to organizational information systems. -nist_800_53_v4,nist_800_53_v4:ac-1a.,AC-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and" -nist_800_53_v4,nist_800_53_v4:ac-1b.,AC-1b.,Statement,2,,,The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; and Access control procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ac-2,AC-2,Control,1,,Account Management, -nist_800_53_v4,nist_800_53_v4:ac-2(1),AC-2 (1),Enhancement,2,,Automated System Account Management,The organization employs automated mechanisms to support the management of information system accounts. -nist_800_53_v4,nist_800_53_v4:ac-2(10),AC-2 (10),Enhancement,2,,Shared / Group Account Credential Termination,The information system terminates shared/group account credentials when members leave the group. -nist_800_53_v4,nist_800_53_v4:ac-2(11),AC-2 (11),Enhancement,2,,Usage Conditions,The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. 
-nist_800_53_v4,nist_800_53_v4:ac-2(12),AC-2 (12),Enhancement,2,,Account Monitoring / Atypical Usage,The organization: Monitors information system accounts for [Assignment: organization-defined atypical usage]; and Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:ac-2(13),AC-2 (13),Enhancement,2,,Disable Accounts For High-Risk Individuals,The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk. -nist_800_53_v4,nist_800_53_v4:ac-2(2),AC-2 (2),Enhancement,2,,Removal Of Temporary / Emergency Accounts,The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. -nist_800_53_v4,nist_800_53_v4:ac-2(3),AC-2 (3),Enhancement,2,,Disable Inactive Accounts,The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:ac-2(4),AC-2 (4),Enhancement,2,,Automated Audit Actions,"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]." -nist_800_53_v4,nist_800_53_v4:ac-2(5),AC-2 (5),Enhancement,2,,Inactivity Logout,The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. -nist_800_53_v4,nist_800_53_v4:ac-2(6),AC-2 (6),Enhancement,2,,Dynamic Privilege Management,The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. 
-nist_800_53_v4,nist_800_53_v4:ac-2(7),AC-2 (7),Enhancement,2,,Role-Based Schemes,The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. -nist_800_53_v4,nist_800_53_v4:ac-2(8),AC-2 (8),Enhancement,2,,Dynamic Account Creation,The information system creates [Assignment: organization-defined information system accounts] dynamically. -nist_800_53_v4,nist_800_53_v4:ac-2(9),AC-2 (9),Enhancement,2,,Restrictions On Use Of Shared / Group Accounts,The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. -nist_800_53_v4,nist_800_53_v4:ac-20,AC-20,Control,1,,Use Of External Information Systems, -nist_800_53_v4,nist_800_53_v4:ac-20(1),AC-20 (1),Enhancement,2,,Limits On Authorized Use,"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or Retains approved information system connection or processing agreements with the organizational entity hosting the external information system." -nist_800_53_v4,nist_800_53_v4:ac-20(2),AC-20 (2),Enhancement,2,,Portable Storage Devices,The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. 
-nist_800_53_v4,nist_800_53_v4:ac-20(3),AC-20 (3),Enhancement,2,,Non-Organizationally Owned Systems / Components / Devices,"The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information." -nist_800_53_v4,nist_800_53_v4:ac-20(4),AC-20 (4),Enhancement,2,,Network Accessible Storage Devices,The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems. -nist_800_53_v4,nist_800_53_v4:ac-20a.,AC-20a.,Statement,2,,,"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and" -nist_800_53_v4,nist_800_53_v4:ac-20b.,AC-20b.,Statement,2,,,"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, or transmit organization-controlled information using external information systems." -nist_800_53_v4,nist_800_53_v4:ac-21,AC-21,Control,1,,Information Sharing, -nist_800_53_v4,nist_800_53_v4:ac-21(1),AC-21 (1),Enhancement,2,,Automated Decision Support,The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. -nist_800_53_v4,nist_800_53_v4:ac-21(2),AC-21 (2),Enhancement,2,,Information Search And Retrieval,The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. 
-nist_800_53_v4,nist_800_53_v4:ac-21a.,AC-21a.,Statement,2,,,The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and -nist_800_53_v4,nist_800_53_v4:ac-21b.,AC-21b.,Statement,2,,,The organization: Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. -nist_800_53_v4,nist_800_53_v4:ac-22,AC-22,Control,1,,Publicly Accessible Content, -nist_800_53_v4,nist_800_53_v4:ac-22a.,AC-22a.,Statement,2,,,The organization: Designates individuals authorized to post information onto a publicly accessible information system; -nist_800_53_v4,nist_800_53_v4:ac-22b.,AC-22b.,Statement,2,,,The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; -nist_800_53_v4,nist_800_53_v4:ac-22c.,AC-22c.,Statement,2,,,The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and -nist_800_53_v4,nist_800_53_v4:ac-22d.,AC-22d.,Statement,2,,,"The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered." 
-nist_800_53_v4,nist_800_53_v4:ac-23,AC-23,Control,1,,Data Mining Protection, -nist_800_53_v4,nist_800_53_v4:ac-24,AC-24,Control,1,,Access Control Decisions, -nist_800_53_v4,nist_800_53_v4:ac-24(1),AC-24 (1),Enhancement,2,,Transmit Access Authorization Information,The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. -nist_800_53_v4,nist_800_53_v4:ac-24(2),AC-24 (2),Enhancement,2,,No User Or Process Identity,The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user. -nist_800_53_v4,nist_800_53_v4:ac-25,AC-25,Control,1,,Reference Monitor, -nist_800_53_v4,nist_800_53_v4:ac-2a.,AC-2a.,Statement,2,,,The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; -nist_800_53_v4,nist_800_53_v4:ac-2b.,AC-2b.,Statement,2,,,The organization: Assigns account managers for information system accounts; -nist_800_53_v4,nist_800_53_v4:ac-2c.,AC-2c.,Statement,2,,,The organization: Establishes conditions for group and role membership; -nist_800_53_v4,nist_800_53_v4:ac-2d.,AC-2d.,Statement,2,,,"The organization: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;" -nist_800_53_v4,nist_800_53_v4:ac-2e.,AC-2e.,Statement,2,,,The organization: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; -nist_800_53_v4,nist_800_53_v4:ac-2f.,AC-2f.,Statement,2,,,"The organization: Creates, enables, 
modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];" -nist_800_53_v4,nist_800_53_v4:ac-2g.,AC-2g.,Statement,2,,,The organization: Monitors the use of information system accounts; -nist_800_53_v4,nist_800_53_v4:ac-2h.,AC-2h.,Statement,2,,,The organization: Notifies account managers: When accounts are no longer required; When users are terminated or transferred; and When individual information system usage or need-to-know changes; -nist_800_53_v4,nist_800_53_v4:ac-2i.,AC-2i.,Statement,2,,,The organization: Authorizes access to the information system based on: A valid access authorization; Intended system usage; and Other attributes as required by the organization or associated missions/business functions; -nist_800_53_v4,nist_800_53_v4:ac-2j.,AC-2j.,Statement,2,,,The organization: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and -nist_800_53_v4,nist_800_53_v4:ac-2k.,AC-2k.,Statement,2,,,The organization: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. -nist_800_53_v4,nist_800_53_v4:ac-3,AC-3,Control,1,,Access Enforcement, -nist_800_53_v4,nist_800_53_v4:ac-3(10),AC-3 (10),Enhancement,2,,Audited Override Of Access Control Mechanisms,The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]. -nist_800_53_v4,nist_800_53_v4:ac-3(2),AC-3 (2),Enhancement,2,,Dual Authorization,The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. 
-nist_800_53_v4,nist_800_53_v4:ac-3(3),AC-3 (3),Enhancement,2,,Mandatory Access Control,"The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes on subjects, objects, the information system, or information system components; Choosing the security attributes and attribute values to be associated with newly created or modified objects; or Changing the rules governing access control; and Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints." -nist_800_53_v4,nist_800_53_v4:ac-3(4),AC-3 (4),Enhancement,2,,Discretionary Access Control,"The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the information system, or the information system's components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control." 
-nist_800_53_v4,nist_800_53_v4:ac-3(5),AC-3 (5),Enhancement,2,,Security-Relevant Information,"The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states." -nist_800_53_v4,nist_800_53_v4:ac-3(7),AC-3 (7),Enhancement,2,,Role-Based Access Control,The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. -nist_800_53_v4,nist_800_53_v4:ac-3(8),AC-3 (8),Enhancement,2,,Revocation Of Access Authorizations,The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. -nist_800_53_v4,nist_800_53_v4:ac-3(9),AC-3 (9),Enhancement,2,,Controlled Release,The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. -nist_800_53_v4,nist_800_53_v4:ac-4,AC-4,Control,1,,Information Flow Enforcement, -nist_800_53_v4,nist_800_53_v4:ac-4(1),AC-4 (1),Enhancement,2,,Object Security Attributes,"The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions." 
-nist_800_53_v4,nist_800_53_v4:ac-4(10),AC-4 (10),Enhancement,2,,Enable / Disable Security Policy Filters,The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. -nist_800_53_v4,nist_800_53_v4:ac-4(11),AC-4 (11),Enhancement,2,,Configuration Of Security Policy Filters,The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies. -nist_800_53_v4,nist_800_53_v4:ac-4(12),AC-4 (12),Enhancement,2,,Data Type Identifiers,"The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions." -nist_800_53_v4,nist_800_53_v4:ac-4(13),AC-4 (13),Enhancement,2,,Decomposition Into Policy-Relevant Subcomponents,"The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms." -nist_800_53_v4,nist_800_53_v4:ac-4(14),AC-4 (14),Enhancement,2,,Security Policy Filter Constraints,"The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content." 
-nist_800_53_v4,nist_800_53_v4:ac-4(15),AC-4 (15),Enhancement,2,,Detection Of Unsanctioned Information,"The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]." -nist_800_53_v4,nist_800_53_v4:ac-4(17),AC-4 (17),Enhancement,2,,Domain Authentication,"The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer." -nist_800_53_v4,nist_800_53_v4:ac-4(18),AC-4 (18),Enhancement,2,,Security Attribute Binding,The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement. -nist_800_53_v4,nist_800_53_v4:ac-4(19),AC-4 (19),Enhancement,2,,Validation Of Metadata,"The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads." -nist_800_53_v4,nist_800_53_v4:ac-4(2),AC-4 (2),Enhancement,2,,Processing Domains,The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. -nist_800_53_v4,nist_800_53_v4:ac-4(20),AC-4 (20),Enhancement,2,,Approved Solutions,The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. 
-nist_800_53_v4,nist_800_53_v4:ac-4(21),AC-4 (21),Enhancement,2,,Physical / Logical Separation Of Information Flows,The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. -nist_800_53_v4,nist_800_53_v4:ac-4(22),AC-4 (22),Enhancement,2,,Access Only,"The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains." -nist_800_53_v4,nist_800_53_v4:ac-4(3),AC-4 (3),Enhancement,2,,Dynamic Information Flow Control,The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. -nist_800_53_v4,nist_800_53_v4:ac-4(4),AC-4 (4),Enhancement,2,,Content Check Encrypted Information,The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. -nist_800_53_v4,nist_800_53_v4:ac-4(5),AC-4 (5),Enhancement,2,,Embedded Data Types,The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types. -nist_800_53_v4,nist_800_53_v4:ac-4(6),AC-4 (6),Enhancement,2,,Metadata,The information system enforces information flow control based on [Assignment: organization-defined metadata]. -nist_800_53_v4,nist_800_53_v4:ac-4(7),AC-4 (7),Enhancement,2,,One-Way Flow Mechanisms,The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms. 
-nist_800_53_v4,nist_800_53_v4:ac-4(8),AC-4 (8),Enhancement,2,,Security Policy Filters,The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. -nist_800_53_v4,nist_800_53_v4:ac-4(9),AC-4 (9),Enhancement,2,,Human Reviews,The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. -nist_800_53_v4,nist_800_53_v4:ac-5,AC-5,Control,1,,Separation Of Duties, -nist_800_53_v4,nist_800_53_v4:ac-5a.,AC-5a.,Statement,2,,,The organization: Separates [Assignment: organization-defined duties of individuals]; -nist_800_53_v4,nist_800_53_v4:ac-5b.,AC-5b.,Statement,2,,,The organization: Documents separation of duties of individuals; and -nist_800_53_v4,nist_800_53_v4:ac-5c.,AC-5c.,Statement,2,,,The organization: Defines information system access authorizations to support separation of duties. -nist_800_53_v4,nist_800_53_v4:ac-6,AC-6,Control,1,,Least Privilege, -nist_800_53_v4,nist_800_53_v4:ac-6(1),AC-6 (1),Enhancement,2,,Authorize Access To Security Functions,"The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]." -nist_800_53_v4,nist_800_53_v4:ac-6(10),AC-6 (10),Enhancement,2,,Prohibit Non-Privileged Users From Executing Privileged Functions,"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." 
-nist_800_53_v4,nist_800_53_v4:ac-6(2),AC-6 (2),Enhancement,2,,Non-Privileged Access For Nonsecurity Functions,"The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions." -nist_800_53_v4,nist_800_53_v4:ac-6(3),AC-6 (3),Enhancement,2,,Network Access To Privileged Commands,The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. -nist_800_53_v4,nist_800_53_v4:ac-6(4),AC-6 (4),Enhancement,2,,Separate Processing Domains,The information system provides separate processing domains to enable finer-grained allocation of user privileges. -nist_800_53_v4,nist_800_53_v4:ac-6(5),AC-6 (5),Enhancement,2,,Privileged Accounts,The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:ac-6(6),AC-6 (6),Enhancement,2,,Privileged Access By Non-Organizational Users,The organization prohibits privileged access to the information system by non-organizational users. -nist_800_53_v4,nist_800_53_v4:ac-6(7),AC-6 (7),Enhancement,2,,Review Of User Privileges,"The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs." 
-nist_800_53_v4,nist_800_53_v4:ac-6(8),AC-6 (8),Enhancement,2,,Privilege Levels For Code Execution,The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. -nist_800_53_v4,nist_800_53_v4:ac-6(9),AC-6 (9),Enhancement,2,,Auditing Use Of Privileged Functions,The information system audits the execution of privileged functions. -nist_800_53_v4,nist_800_53_v4:ac-7,AC-7,Control,1,,Unsuccessful Logon Attempts, -nist_800_53_v4,nist_800_53_v4:ac-7(2),AC-7 (2),Enhancement,2,,Purge / Wipe Mobile Device,"The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts." -nist_800_53_v4,nist_800_53_v4:ac-7a.,AC-7a.,Statement,2,,,The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and -nist_800_53_v4,nist_800_53_v4:ac-7b.,AC-7b.,Statement,2,,,The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. 
-nist_800_53_v4,nist_800_53_v4:ac-8,AC-8,Control,1,,System Use Notification, -nist_800_53_v4,nist_800_53_v4:ac-8a.,AC-8a.,Statement,2,,,"The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording;" -nist_800_53_v4,nist_800_53_v4:ac-8b.,AC-8b.,Statement,2,,,The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and -nist_800_53_v4,nist_800_53_v4:ac-8c.,AC-8c.,Statement,2,,,"The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system." -nist_800_53_v4,nist_800_53_v4:ac-9,AC-9,Control,1,,Previous Logon (Access) Notification, -nist_800_53_v4,nist_800_53_v4:ac-9(1),AC-9 (1),Enhancement,2,,Unsuccessful Logons,"The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access." 
-nist_800_53_v4,nist_800_53_v4:ac-9(2),AC-9 (2),Enhancement,2,,Successful / Unsuccessful Logons,The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:ac-9(3),AC-9 (3),Enhancement,2,,Notification Of Account Changes,The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:ac-9(4),AC-9 (4),Enhancement,2,,Additional Logon Information,"The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]." +nist_800_53_v4,nist_800_53_v4:ac-1,AC-1,Control,1,1,Access Control Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ac-10,AC-10,Control,1,10,Concurrent Session Control, +nist_800_53_v4,nist_800_53_v4:ac-11,AC-11,Control,1,11,Session Lock, +nist_800_53_v4,nist_800_53_v4:ac-11(1),AC-11 (1),Enhancement,2,1,Pattern-Hiding Displays,"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image." +nist_800_53_v4,nist_800_53_v4:ac-11a.,AC-11a.,Statement,2,1,,The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and +nist_800_53_v4,nist_800_53_v4:ac-11b.,AC-11b.,Statement,2,2,,The information system: Retains the session lock until the user reestablishes access using established identification and authentication procedures. 
+nist_800_53_v4,nist_800_53_v4:ac-12,AC-12,Control,1,12,Session Termination, +nist_800_53_v4,nist_800_53_v4:ac-12(1),AC-12 (1),Enhancement,2,1,User-Initiated Logouts / Message Displays,The information system: Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. +nist_800_53_v4,nist_800_53_v4:ac-13,AC-13,Control,1,13,Supervision and Review - Access Control, +nist_800_53_v4,nist_800_53_v4:ac-14,AC-14,Control,1,14,Permitted Actions Without Identification Or Authentication, +nist_800_53_v4,nist_800_53_v4:ac-14a.,AC-14a.,Statement,2,1,,The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and +nist_800_53_v4,nist_800_53_v4:ac-14b.,AC-14b.,Statement,2,2,,"The organization: Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication." +nist_800_53_v4,nist_800_53_v4:ac-15,AC-15,Control,1,15,Automated Marking, +nist_800_53_v4,nist_800_53_v4:ac-16,AC-16,Control,1,16,Security Attributes, +nist_800_53_v4,nist_800_53_v4:ac-16(1),AC-16 (1),Enhancement,2,1,Dynamic Attribute Association,The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined. 
+nist_800_53_v4,nist_800_53_v4:ac-16(10),AC-16 (10),Enhancement,2,10,Attribute Configuration By Authorized Individuals,The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. +nist_800_53_v4,nist_800_53_v4:ac-16(2),AC-16 (2),Enhancement,2,2,Attribute Value Changes By Authorized Individuals,The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. +nist_800_53_v4,nist_800_53_v4:ac-16(3),AC-16 (3),Enhancement,2,3,Maintenance Of Attribute Associations By Information System,The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. +nist_800_53_v4,nist_800_53_v4:ac-16(4),AC-16 (4),Enhancement,2,4,Association Of Attributes By Authorized Individuals,The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). +nist_800_53_v4,nist_800_53_v4:ac-16(5),AC-16 (5),Enhancement,2,5,Attribute Displays For Output Devices,"The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]." 
+nist_800_53_v4,nist_800_53_v4:ac-16(6),AC-16 (6),Enhancement,2,6,Maintenance Of Attribute Association By Organization,"The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]." +nist_800_53_v4,nist_800_53_v4:ac-16(7),AC-16 (7),Enhancement,2,7,Consistent Attribute Interpretation,The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. +nist_800_53_v4,nist_800_53_v4:ac-16(8),AC-16 (8),Enhancement,2,8,Association Techniques / Technologies,The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. +nist_800_53_v4,nist_800_53_v4:ac-16(9),AC-16 (9),Enhancement,2,9,Attribute Reassignment,The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. 
+nist_800_53_v4,nist_800_53_v4:ac-16a.,AC-16a.,Statement,2,1,,"The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;" +nist_800_53_v4,nist_800_53_v4:ac-16b.,AC-16b.,Statement,2,2,,The organization: Ensures that the security attribute associations are made and retained with the information; +nist_800_53_v4,nist_800_53_v4:ac-16c.,AC-16c.,Statement,2,3,,The organization: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and +nist_800_53_v4,nist_800_53_v4:ac-16d.,AC-16d.,Statement,2,4,,The organization: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes. +nist_800_53_v4,nist_800_53_v4:ac-17,AC-17,Control,1,17,Remote Access, +nist_800_53_v4,nist_800_53_v4:ac-17(1),AC-17 (1),Enhancement,2,1,Automated Monitoring / Control,The information system monitors and controls remote access methods. +nist_800_53_v4,nist_800_53_v4:ac-17(2),AC-17 (2),Enhancement,2,2,Protection Of Confidentiality / Integrity Using Encryption,The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. +nist_800_53_v4,nist_800_53_v4:ac-17(3),AC-17 (3),Enhancement,2,3,Managed Access Control Points,The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. 
+nist_800_53_v4,nist_800_53_v4:ac-17(4),AC-17 (4),Enhancement,2,4,Privileged Commands / Access,The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system. +nist_800_53_v4,nist_800_53_v4:ac-17(6),AC-17 (6),Enhancement,2,6,Protection Of Information,The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. +nist_800_53_v4,nist_800_53_v4:ac-17(9),AC-17 (9),Enhancement,2,9,Disconnect / Disable Access,The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:ac-17a.,AC-17a.,Statement,2,1,,"The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" +nist_800_53_v4,nist_800_53_v4:ac-17b.,AC-17b.,Statement,2,2,,The organization: Authorizes remote access to the information system prior to allowing such connections. +nist_800_53_v4,nist_800_53_v4:ac-18,AC-18,Control,1,18,Wireless Access, +nist_800_53_v4,nist_800_53_v4:ac-18(1),AC-18 (1),Enhancement,2,1,Authentication And Encryption,The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. +nist_800_53_v4,nist_800_53_v4:ac-18(3),AC-18 (3),Enhancement,2,3,Disable Wireless Networking,"The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment." 
+nist_800_53_v4,nist_800_53_v4:ac-18(4),AC-18 (4),Enhancement,2,4,Restrict Configurations By Users,The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. +nist_800_53_v4,nist_800_53_v4:ac-18(5),AC-18 (5),Enhancement,2,5,Antennas / Transmission Power Levels,The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. +nist_800_53_v4,nist_800_53_v4:ac-18a.,AC-18a.,Statement,2,1,,"The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and" +nist_800_53_v4,nist_800_53_v4:ac-18b.,AC-18b.,Statement,2,2,,The organization: Authorizes wireless access to the information system prior to allowing such connections. +nist_800_53_v4,nist_800_53_v4:ac-19,AC-19,Control,1,19,Access Control For Mobile Devices, +nist_800_53_v4,nist_800_53_v4:ac-19(4),AC-19 (4),Enhancement,2,4,Restrictions For Classified Information,"The organization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified information systems is prohibited; Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and 
inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]." +nist_800_53_v4,nist_800_53_v4:ac-19(5),AC-19 (5),Enhancement,2,5,Full Device / Container-Based Encryption,The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. +nist_800_53_v4,nist_800_53_v4:ac-19a.,AC-19a.,Statement,2,1,,"The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and" +nist_800_53_v4,nist_800_53_v4:ac-19b.,AC-19b.,Statement,2,2,,The organization: Authorizes the connection of mobile devices to organizational information systems. +nist_800_53_v4,nist_800_53_v4:ac-1a.,AC-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and" +nist_800_53_v4,nist_800_53_v4:ac-1b.,AC-1b.,Statement,2,2,,The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; and Access control procedures [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:ac-2,AC-2,Control,1,2,Account Management, +nist_800_53_v4,nist_800_53_v4:ac-2(1),AC-2 (1),Enhancement,2,1,Automated System Account Management,The organization employs automated mechanisms to support the management of information system accounts. +nist_800_53_v4,nist_800_53_v4:ac-2(10),AC-2 (10),Enhancement,2,10,Shared / Group Account Credential Termination,The information system terminates shared/group account credentials when members leave the group. +nist_800_53_v4,nist_800_53_v4:ac-2(11),AC-2 (11),Enhancement,2,11,Usage Conditions,The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. +nist_800_53_v4,nist_800_53_v4:ac-2(12),AC-2 (12),Enhancement,2,12,Account Monitoring / Atypical Usage,The organization: Monitors information system accounts for [Assignment: organization-defined atypical usage]; and Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:ac-2(13),AC-2 (13),Enhancement,2,13,Disable Accounts For High-Risk Individuals,The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk. +nist_800_53_v4,nist_800_53_v4:ac-2(2),AC-2 (2),Enhancement,2,2,Removal Of Temporary / Emergency Accounts,The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. +nist_800_53_v4,nist_800_53_v4:ac-2(3),AC-2 (3),Enhancement,2,3,Disable Inactive Accounts,The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. 
+nist_800_53_v4,nist_800_53_v4:ac-2(4),AC-2 (4),Enhancement,2,4,Automated Audit Actions,"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]." +nist_800_53_v4,nist_800_53_v4:ac-2(5),AC-2 (5),Enhancement,2,5,Inactivity Logout,The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. +nist_800_53_v4,nist_800_53_v4:ac-2(6),AC-2 (6),Enhancement,2,6,Dynamic Privilege Management,The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. +nist_800_53_v4,nist_800_53_v4:ac-2(7),AC-2 (7),Enhancement,2,7,Role-Based Schemes,The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. +nist_800_53_v4,nist_800_53_v4:ac-2(8),AC-2 (8),Enhancement,2,8,Dynamic Account Creation,The information system creates [Assignment: organization-defined information system accounts] dynamically. +nist_800_53_v4,nist_800_53_v4:ac-2(9),AC-2 (9),Enhancement,2,9,Restrictions On Use Of Shared / Group Accounts,The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. 
+nist_800_53_v4,nist_800_53_v4:ac-20,AC-20,Control,1,20,Use Of External Information Systems, +nist_800_53_v4,nist_800_53_v4:ac-20(1),AC-20 (1),Enhancement,2,1,Limits On Authorized Use,"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or Retains approved information system connection or processing agreements with the organizational entity hosting the external information system." +nist_800_53_v4,nist_800_53_v4:ac-20(2),AC-20 (2),Enhancement,2,2,Portable Storage Devices,The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. +nist_800_53_v4,nist_800_53_v4:ac-20(3),AC-20 (3),Enhancement,2,3,Non-Organizationally Owned Systems / Components / Devices,"The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information." +nist_800_53_v4,nist_800_53_v4:ac-20(4),AC-20 (4),Enhancement,2,4,Network Accessible Storage Devices,The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems. 
+nist_800_53_v4,nist_800_53_v4:ac-20a.,AC-20a.,Statement,2,1,,"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and" +nist_800_53_v4,nist_800_53_v4:ac-20b.,AC-20b.,Statement,2,2,,"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, or transmit organization-controlled information using external information systems." +nist_800_53_v4,nist_800_53_v4:ac-21,AC-21,Control,1,21,Information Sharing, +nist_800_53_v4,nist_800_53_v4:ac-21(1),AC-21 (1),Enhancement,2,1,Automated Decision Support,The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. +nist_800_53_v4,nist_800_53_v4:ac-21(2),AC-21 (2),Enhancement,2,2,Information Search And Retrieval,The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. +nist_800_53_v4,nist_800_53_v4:ac-21a.,AC-21a.,Statement,2,1,,The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and +nist_800_53_v4,nist_800_53_v4:ac-21b.,AC-21b.,Statement,2,2,,The organization: Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. 
+nist_800_53_v4,nist_800_53_v4:ac-22,AC-22,Control,1,22,Publicly Accessible Content, +nist_800_53_v4,nist_800_53_v4:ac-22a.,AC-22a.,Statement,2,1,,The organization: Designates individuals authorized to post information onto a publicly accessible information system; +nist_800_53_v4,nist_800_53_v4:ac-22b.,AC-22b.,Statement,2,2,,The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; +nist_800_53_v4,nist_800_53_v4:ac-22c.,AC-22c.,Statement,2,3,,The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and +nist_800_53_v4,nist_800_53_v4:ac-22d.,AC-22d.,Statement,2,4,,"The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered." +nist_800_53_v4,nist_800_53_v4:ac-23,AC-23,Control,1,23,Data Mining Protection, +nist_800_53_v4,nist_800_53_v4:ac-24,AC-24,Control,1,24,Access Control Decisions, +nist_800_53_v4,nist_800_53_v4:ac-24(1),AC-24 (1),Enhancement,2,1,Transmit Access Authorization Information,The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. +nist_800_53_v4,nist_800_53_v4:ac-24(2),AC-24 (2),Enhancement,2,2,No User Or Process Identity,The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user. 
+nist_800_53_v4,nist_800_53_v4:ac-25,AC-25,Control,1,25,Reference Monitor, +nist_800_53_v4,nist_800_53_v4:ac-2a.,AC-2a.,Statement,2,1,,The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; +nist_800_53_v4,nist_800_53_v4:ac-2b.,AC-2b.,Statement,2,2,,The organization: Assigns account managers for information system accounts; +nist_800_53_v4,nist_800_53_v4:ac-2c.,AC-2c.,Statement,2,3,,The organization: Establishes conditions for group and role membership; +nist_800_53_v4,nist_800_53_v4:ac-2d.,AC-2d.,Statement,2,4,,"The organization: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;" +nist_800_53_v4,nist_800_53_v4:ac-2e.,AC-2e.,Statement,2,5,,The organization: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; +nist_800_53_v4,nist_800_53_v4:ac-2f.,AC-2f.,Statement,2,6,,"The organization: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];" +nist_800_53_v4,nist_800_53_v4:ac-2g.,AC-2g.,Statement,2,7,,The organization: Monitors the use of information system accounts; +nist_800_53_v4,nist_800_53_v4:ac-2h.,AC-2h.,Statement,2,8,,The organization: Notifies account managers: When accounts are no longer required; When users are terminated or transferred; and When individual information system usage or need-to-know changes; +nist_800_53_v4,nist_800_53_v4:ac-2i.,AC-2i.,Statement,2,9,,The organization: Authorizes access to the information system based on: A valid access authorization; Intended system usage; and Other attributes as required by the organization or associated missions/business functions; 
+nist_800_53_v4,nist_800_53_v4:ac-2j.,AC-2j.,Statement,2,10,,The organization: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and +nist_800_53_v4,nist_800_53_v4:ac-2k.,AC-2k.,Statement,2,11,,The organization: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. +nist_800_53_v4,nist_800_53_v4:ac-3,AC-3,Control,1,3,Access Enforcement, +nist_800_53_v4,nist_800_53_v4:ac-3(10),AC-3 (10),Enhancement,2,10,Audited Override Of Access Control Mechanisms,The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]. +nist_800_53_v4,nist_800_53_v4:ac-3(2),AC-3 (2),Enhancement,2,2,Dual Authorization,The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. +nist_800_53_v4,nist_800_53_v4:ac-3(3),AC-3 (3),Enhancement,2,3,Mandatory Access Control,"The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes on subjects, objects, the information system, or information system components; Choosing the security attributes and attribute values to be associated with newly created or modified objects; or Changing the rules governing access control; and Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not 
limited by some or all of the above constraints." +nist_800_53_v4,nist_800_53_v4:ac-3(4),AC-3 (4),Enhancement,2,4,Discretionary Access Control,"The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the information system, or the information system's components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control." +nist_800_53_v4,nist_800_53_v4:ac-3(5),AC-3 (5),Enhancement,2,5,Security-Relevant Information,"The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states." +nist_800_53_v4,nist_800_53_v4:ac-3(7),AC-3 (7),Enhancement,2,7,Role-Based Access Control,The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. +nist_800_53_v4,nist_800_53_v4:ac-3(8),AC-3 (8),Enhancement,2,8,Revocation Of Access Authorizations,The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. 
+nist_800_53_v4,nist_800_53_v4:ac-3(9),AC-3 (9),Enhancement,2,9,Controlled Release,The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. +nist_800_53_v4,nist_800_53_v4:ac-4,AC-4,Control,1,4,Information Flow Enforcement, +nist_800_53_v4,nist_800_53_v4:ac-4(1),AC-4 (1),Enhancement,2,1,Object Security Attributes,"The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions." +nist_800_53_v4,nist_800_53_v4:ac-4(10),AC-4 (10),Enhancement,2,10,Enable / Disable Security Policy Filters,The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. +nist_800_53_v4,nist_800_53_v4:ac-4(11),AC-4 (11),Enhancement,2,11,Configuration Of Security Policy Filters,The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies. +nist_800_53_v4,nist_800_53_v4:ac-4(12),AC-4 (12),Enhancement,2,12,Data Type Identifiers,"The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions." 
+nist_800_53_v4,nist_800_53_v4:ac-4(13),AC-4 (13),Enhancement,2,13,Decomposition Into Policy-Relevant Subcomponents,"The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms." +nist_800_53_v4,nist_800_53_v4:ac-4(14),AC-4 (14),Enhancement,2,14,Security Policy Filter Constraints,"The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content." +nist_800_53_v4,nist_800_53_v4:ac-4(15),AC-4 (15),Enhancement,2,15,Detection Of Unsanctioned Information,"The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]." +nist_800_53_v4,nist_800_53_v4:ac-4(17),AC-4 (17),Enhancement,2,17,Domain Authentication,"The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer." +nist_800_53_v4,nist_800_53_v4:ac-4(18),AC-4 (18),Enhancement,2,18,Security Attribute Binding,The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement. +nist_800_53_v4,nist_800_53_v4:ac-4(19),AC-4 (19),Enhancement,2,19,Validation Of Metadata,"The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads." 
+nist_800_53_v4,nist_800_53_v4:ac-4(2),AC-4 (2),Enhancement,2,2,Processing Domains,The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. +nist_800_53_v4,nist_800_53_v4:ac-4(20),AC-4 (20),Enhancement,2,20,Approved Solutions,The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. +nist_800_53_v4,nist_800_53_v4:ac-4(21),AC-4 (21),Enhancement,2,21,Physical / Logical Separation Of Information Flows,The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. +nist_800_53_v4,nist_800_53_v4:ac-4(22),AC-4 (22),Enhancement,2,22,Access Only,"The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains." +nist_800_53_v4,nist_800_53_v4:ac-4(3),AC-4 (3),Enhancement,2,3,Dynamic Information Flow Control,The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. +nist_800_53_v4,nist_800_53_v4:ac-4(4),AC-4 (4),Enhancement,2,4,Content Check Encrypted Information,The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. 
+nist_800_53_v4,nist_800_53_v4:ac-4(5),AC-4 (5),Enhancement,2,5,Embedded Data Types,The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types. +nist_800_53_v4,nist_800_53_v4:ac-4(6),AC-4 (6),Enhancement,2,6,Metadata,The information system enforces information flow control based on [Assignment: organization-defined metadata]. +nist_800_53_v4,nist_800_53_v4:ac-4(7),AC-4 (7),Enhancement,2,7,One-Way Flow Mechanisms,The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms. +nist_800_53_v4,nist_800_53_v4:ac-4(8),AC-4 (8),Enhancement,2,8,Security Policy Filters,The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. +nist_800_53_v4,nist_800_53_v4:ac-4(9),AC-4 (9),Enhancement,2,9,Human Reviews,The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. +nist_800_53_v4,nist_800_53_v4:ac-5,AC-5,Control,1,5,Separation Of Duties, +nist_800_53_v4,nist_800_53_v4:ac-5a.,AC-5a.,Statement,2,1,,The organization: Separates [Assignment: organization-defined duties of individuals]; +nist_800_53_v4,nist_800_53_v4:ac-5b.,AC-5b.,Statement,2,2,,The organization: Documents separation of duties of individuals; and +nist_800_53_v4,nist_800_53_v4:ac-5c.,AC-5c.,Statement,2,3,,The organization: Defines information system access authorizations to support separation of duties. 
+nist_800_53_v4,nist_800_53_v4:ac-6,AC-6,Control,1,6,Least Privilege, +nist_800_53_v4,nist_800_53_v4:ac-6(1),AC-6 (1),Enhancement,2,1,Authorize Access To Security Functions,"The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]." +nist_800_53_v4,nist_800_53_v4:ac-6(10),AC-6 (10),Enhancement,2,10,Prohibit Non-Privileged Users From Executing Privileged Functions,"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." +nist_800_53_v4,nist_800_53_v4:ac-6(2),AC-6 (2),Enhancement,2,2,Non-Privileged Access For Nonsecurity Functions,"The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions." +nist_800_53_v4,nist_800_53_v4:ac-6(3),AC-6 (3),Enhancement,2,3,Network Access To Privileged Commands,The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. +nist_800_53_v4,nist_800_53_v4:ac-6(4),AC-6 (4),Enhancement,2,4,Separate Processing Domains,The information system provides separate processing domains to enable finer-grained allocation of user privileges. +nist_800_53_v4,nist_800_53_v4:ac-6(5),AC-6 (5),Enhancement,2,5,Privileged Accounts,The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. 
+nist_800_53_v4,nist_800_53_v4:ac-6(6),AC-6 (6),Enhancement,2,6,Privileged Access By Non-Organizational Users,The organization prohibits privileged access to the information system by non-organizational users. +nist_800_53_v4,nist_800_53_v4:ac-6(7),AC-6 (7),Enhancement,2,7,Review Of User Privileges,"The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs." +nist_800_53_v4,nist_800_53_v4:ac-6(8),AC-6 (8),Enhancement,2,8,Privilege Levels For Code Execution,The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. +nist_800_53_v4,nist_800_53_v4:ac-6(9),AC-6 (9),Enhancement,2,9,Auditing Use Of Privileged Functions,The information system audits the execution of privileged functions. +nist_800_53_v4,nist_800_53_v4:ac-7,AC-7,Control,1,7,Unsuccessful Logon Attempts, +nist_800_53_v4,nist_800_53_v4:ac-7(2),AC-7 (2),Enhancement,2,2,Purge / Wipe Mobile Device,"The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts." 
+nist_800_53_v4,nist_800_53_v4:ac-7a.,AC-7a.,Statement,2,1,,The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and +nist_800_53_v4,nist_800_53_v4:ac-7b.,AC-7b.,Statement,2,2,,The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. +nist_800_53_v4,nist_800_53_v4:ac-8,AC-8,Control,1,8,System Use Notification, +nist_800_53_v4,nist_800_53_v4:ac-8a.,AC-8a.,Statement,2,1,,"The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. 
Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording;" +nist_800_53_v4,nist_800_53_v4:ac-8b.,AC-8b.,Statement,2,2,,The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and +nist_800_53_v4,nist_800_53_v4:ac-8c.,AC-8c.,Statement,2,3,,"The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system." +nist_800_53_v4,nist_800_53_v4:ac-9,AC-9,Control,1,9,Previous Logon (Access) Notification, +nist_800_53_v4,nist_800_53_v4:ac-9(1),AC-9 (1),Enhancement,2,1,Unsuccessful Logons,"The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access." +nist_800_53_v4,nist_800_53_v4:ac-9(2),AC-9 (2),Enhancement,2,2,Successful / Unsuccessful Logons,The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:ac-9(3),AC-9 (3),Enhancement,2,3,Notification Of Account Changes,The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. 
+nist_800_53_v4,nist_800_53_v4:ac-9(4),AC-9 (4),Enhancement,2,4,Additional Logon Information,"The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]." nist_800_53_v4,nist_800_53_v4:at,AT,Family,0,2,Awareness and Training, -nist_800_53_v4,nist_800_53_v4:at-1,AT-1,Control,1,,Security Awareness and Training Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:at-1a.,AT-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and" -nist_800_53_v4,nist_800_53_v4:at-1b.,AT-1b.,Statement,2,,,The organization: Reviews and updates the current: Security awareness and training policy [Assignment: organization-defined frequency]; and Security awareness and training procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:at-2,AT-2,Control,1,,Security Awareness Training, -nist_800_53_v4,nist_800_53_v4:at-2(1),AT-2 (1),Enhancement,2,,Practical Exercises,The organization includes practical exercises in security awareness training that simulate actual cyber attacks. -nist_800_53_v4,nist_800_53_v4:at-2(2),AT-2 (2),Enhancement,2,,Insider Threat,The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. 
-nist_800_53_v4,nist_800_53_v4:at-2a.,AT-2a.,Statement,2,,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;" -nist_800_53_v4,nist_800_53_v4:at-2b.,AT-2b.,Statement,2,,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and" -nist_800_53_v4,nist_800_53_v4:at-2c.,AT-2c.,Statement,2,,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter." -nist_800_53_v4,nist_800_53_v4:at-3,AT-3,Control,1,,Role-Based Security Training, -nist_800_53_v4,nist_800_53_v4:at-3(1),AT-3 (1),Enhancement,2,,Environmental Controls,The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. -nist_800_53_v4,nist_800_53_v4:at-3(2),AT-3 (2),Enhancement,2,,Physical Security Controls,The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. -nist_800_53_v4,nist_800_53_v4:at-3(3),AT-3 (3),Enhancement,2,,Practical Exercises,The organization includes practical exercises in security training that reinforce training objectives. -nist_800_53_v4,nist_800_53_v4:at-3(4),AT-3 (4),Enhancement,2,,Suspicious Communications And Anomalous System Behavior,The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems. 
-nist_800_53_v4,nist_800_53_v4:at-3a.,AT-3a.,Statement,2,,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; -nist_800_53_v4,nist_800_53_v4:at-3b.,AT-3b.,Statement,2,,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and -nist_800_53_v4,nist_800_53_v4:at-3c.,AT-3c.,Statement,2,,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter. -nist_800_53_v4,nist_800_53_v4:at-4,AT-4,Control,1,,Security Training Records, -nist_800_53_v4,nist_800_53_v4:at-4a.,AT-4a.,Statement,2,,,The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and -nist_800_53_v4,nist_800_53_v4:at-4b.,AT-4b.,Statement,2,,,The organization: Retains individual training records for [Assignment: organization-defined time period]. 
-nist_800_53_v4,nist_800_53_v4:at-5,AT-5,Control,1,,Contacts With Security Groups and Associations, +nist_800_53_v4,nist_800_53_v4:at-1,AT-1,Control,1,1,Security Awareness and Training Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:at-1a.,AT-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and" +nist_800_53_v4,nist_800_53_v4:at-1b.,AT-1b.,Statement,2,2,,The organization: Reviews and updates the current: Security awareness and training policy [Assignment: organization-defined frequency]; and Security awareness and training procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:at-2,AT-2,Control,1,2,Security Awareness Training, +nist_800_53_v4,nist_800_53_v4:at-2(1),AT-2 (1),Enhancement,2,1,Practical Exercises,The organization includes practical exercises in security awareness training that simulate actual cyber attacks. +nist_800_53_v4,nist_800_53_v4:at-2(2),AT-2 (2),Enhancement,2,2,Insider Threat,The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. 
+nist_800_53_v4,nist_800_53_v4:at-2a.,AT-2a.,Statement,2,1,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;" +nist_800_53_v4,nist_800_53_v4:at-2b.,AT-2b.,Statement,2,2,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and" +nist_800_53_v4,nist_800_53_v4:at-2c.,AT-2c.,Statement,2,3,,"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter." +nist_800_53_v4,nist_800_53_v4:at-3,AT-3,Control,1,3,Role-Based Security Training, +nist_800_53_v4,nist_800_53_v4:at-3(1),AT-3 (1),Enhancement,2,1,Environmental Controls,The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. +nist_800_53_v4,nist_800_53_v4:at-3(2),AT-3 (2),Enhancement,2,2,Physical Security Controls,The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. +nist_800_53_v4,nist_800_53_v4:at-3(3),AT-3 (3),Enhancement,2,3,Practical Exercises,The organization includes practical exercises in security training that reinforce training objectives. +nist_800_53_v4,nist_800_53_v4:at-3(4),AT-3 (4),Enhancement,2,4,Suspicious Communications And Anomalous System Behavior,The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems. 
+nist_800_53_v4,nist_800_53_v4:at-3a.,AT-3a.,Statement,2,1,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; +nist_800_53_v4,nist_800_53_v4:at-3b.,AT-3b.,Statement,2,2,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and +nist_800_53_v4,nist_800_53_v4:at-3c.,AT-3c.,Statement,2,3,,The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter. +nist_800_53_v4,nist_800_53_v4:at-4,AT-4,Control,1,4,Security Training Records, +nist_800_53_v4,nist_800_53_v4:at-4a.,AT-4a.,Statement,2,1,,The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and +nist_800_53_v4,nist_800_53_v4:at-4b.,AT-4b.,Statement,2,2,,The organization: Retains individual training records for [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:at-5,AT-5,Control,1,5,Contacts With Security Groups and Associations, nist_800_53_v4,nist_800_53_v4:au,AU,Family,0,3,Audit and Accountability, -nist_800_53_v4,nist_800_53_v4:au-1,AU-1,Control,1,,Audit and Accountability Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:au-10,AU-10,Control,1,,Non-Repudiation, -nist_800_53_v4,nist_800_53_v4:au-10(1),AU-10 (1),Enhancement,2,,Association Of Identities,The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information. 
-nist_800_53_v4,nist_800_53_v4:au-10(2),AU-10 (2),Enhancement,2,,Validate Binding Of Information Producer Identity,The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error. -nist_800_53_v4,nist_800_53_v4:au-10(3),AU-10 (3),Enhancement,2,,Chain Of Custody,The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. -nist_800_53_v4,nist_800_53_v4:au-10(4),AU-10 (4),Enhancement,2,,Validate Binding Of Information Reviewer Identity,The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error. -nist_800_53_v4,nist_800_53_v4:au-11,AU-11,Control,1,,Audit Record Retention, -nist_800_53_v4,nist_800_53_v4:au-11(1),AU-11 (1),Enhancement,2,,Long-Term Retrieval Capability,The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. -nist_800_53_v4,nist_800_53_v4:au-12,AU-12,Control,1,,Audit Generation, -nist_800_53_v4,nist_800_53_v4:au-12(1),AU-12 (1),Enhancement,2,,System-Wide / Time-Correlated Audit Trail,The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. 
-nist_800_53_v4,nist_800_53_v4:au-12(2),AU-12 (2),Enhancement,2,,Standardized Formats,The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. -nist_800_53_v4,nist_800_53_v4:au-12(3),AU-12 (3),Enhancement,2,,Changes By Authorized Individuals,The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. -nist_800_53_v4,nist_800_53_v4:au-12a.,AU-12a.,Statement,2,,,The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; -nist_800_53_v4,nist_800_53_v4:au-12b.,AU-12b.,Statement,2,,,The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and -nist_800_53_v4,nist_800_53_v4:au-12c.,AU-12c.,Statement,2,,,The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. -nist_800_53_v4,nist_800_53_v4:au-13,AU-13,Control,1,,Monitoring For Information Disclosure, -nist_800_53_v4,nist_800_53_v4:au-13(1),AU-13 (1),Enhancement,2,,Use Of Automated Tools,The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. -nist_800_53_v4,nist_800_53_v4:au-13(2),AU-13 (2),Enhancement,2,,Review Of Monitored Sites,The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:au-14,AU-14,Control,1,,Session Audit, -nist_800_53_v4,nist_800_53_v4:au-14(1),AU-14 (1),Enhancement,2,,System Start-Up,The information system initiates session audits at system start-up. -nist_800_53_v4,nist_800_53_v4:au-14(2),AU-14 (2),Enhancement,2,,Capture/Record And Log Content,The information system provides the capability for authorized users to capture/record and log content related to a user session. -nist_800_53_v4,nist_800_53_v4:au-14(3),AU-14 (3),Enhancement,2,,Remote Viewing / Listening,The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. -nist_800_53_v4,nist_800_53_v4:au-15,AU-15,Control,1,,Alternate Audit Capability, -nist_800_53_v4,nist_800_53_v4:au-16,AU-16,Control,1,,Cross-Organizational Auditing, -nist_800_53_v4,nist_800_53_v4:au-16(1),AU-16 (1),Enhancement,2,,Identity Preservation,The organization requires that the identity of individuals be preserved in cross-organizational audit trails. -nist_800_53_v4,nist_800_53_v4:au-16(2),AU-16 (2),Enhancement,2,,Sharing Of Audit Information,The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. 
-nist_800_53_v4,nist_800_53_v4:au-1a.,AU-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and" -nist_800_53_v4,nist_800_53_v4:au-1b.,AU-1b.,Statement,2,,,The organization: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and Audit and accountability procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:au-2,AU-2,Control,1,,Audit Events, -nist_800_53_v4,nist_800_53_v4:au-2(3),AU-2 (3),Enhancement,2,,Reviews And Updates,The organization reviews and updates the audited events [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:au-2a.,AU-2a.,Statement,2,,,The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; -nist_800_53_v4,nist_800_53_v4:au-2b.,AU-2b.,Statement,2,,,The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; -nist_800_53_v4,nist_800_53_v4:au-2c.,AU-2c.,Statement,2,,,The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and -nist_800_53_v4,nist_800_53_v4:au-2d.,AU-2d.,Statement,2,,,The organization: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event]. -nist_800_53_v4,nist_800_53_v4:au-3,AU-3,Control,1,,Content Of Audit Records, -nist_800_53_v4,nist_800_53_v4:au-3(1),AU-3 (1),Enhancement,2,,Additional Audit Information,"The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]." -nist_800_53_v4,nist_800_53_v4:au-3(2),AU-3 (2),Enhancement,2,,Centralized Management Of Planned Audit Record Content,The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. -nist_800_53_v4,nist_800_53_v4:au-4,AU-4,Control,1,,Audit Storage Capacity, -nist_800_53_v4,nist_800_53_v4:au-4(1),AU-4 (1),Enhancement,2,,Transfer To Alternate Storage,The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. -nist_800_53_v4,nist_800_53_v4:au-5,AU-5,Control,1,,Response To Audit Processing Failures, -nist_800_53_v4,nist_800_53_v4:au-5(1),AU-5 (1),Enhancement,2,,Audit Storage Capacity,"The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity." -nist_800_53_v4,nist_800_53_v4:au-5(2),AU-5 (2),Enhancement,2,,Real-Time Alerts,"The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]." 
-nist_800_53_v4,nist_800_53_v4:au-5(3),AU-5 (3),Enhancement,2,,Configurable Traffic Volume Thresholds,The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. -nist_800_53_v4,nist_800_53_v4:au-5(4),AU-5 (4),Enhancement,2,,Shutdown On Failure,"The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists." -nist_800_53_v4,nist_800_53_v4:au-5a.,AU-5a.,Statement,2,,,The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and -nist_800_53_v4,nist_800_53_v4:au-5b.,AU-5b.,Statement,2,,,"The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]." -nist_800_53_v4,nist_800_53_v4:au-6,AU-6,Control,1,,"Audit Review, Analysis, and Reporting", -nist_800_53_v4,nist_800_53_v4:au-6(1),AU-6 (1),Enhancement,2,,Process Integration,"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities." -nist_800_53_v4,nist_800_53_v4:au-6(10),AU-6 (10),Enhancement,2,,Audit Level Adjustment,"The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." 
-nist_800_53_v4,nist_800_53_v4:au-6(3),AU-6 (3),Enhancement,2,,Correlate Audit Repositories,The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. -nist_800_53_v4,nist_800_53_v4:au-6(4),AU-6 (4),Enhancement,2,,Central Review And Analysis,The information system provides the capability to centrally review and analyze audit records from multiple components within the system. -nist_800_53_v4,nist_800_53_v4:au-6(5),AU-6 (5),Enhancement,2,,Integration / Scanning And Monitoring Capabilities,The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. -nist_800_53_v4,nist_800_53_v4:au-6(6),AU-6 (6),Enhancement,2,,Correlation With Physical Monitoring,"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." -nist_800_53_v4,nist_800_53_v4:au-6(7),AU-6 (7),Enhancement,2,,Permitted Actions,"The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information." -nist_800_53_v4,nist_800_53_v4:au-6(8),AU-6 (8),Enhancement,2,,Full Text Analysis Of Privileged Commands,"The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis." 
-nist_800_53_v4,nist_800_53_v4:au-6(9),AU-6 (9),Enhancement,2,,Correlation With Information From Nontechnical Sources,The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. -nist_800_53_v4,nist_800_53_v4:au-6a.,AU-6a.,Statement,2,,,The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and -nist_800_53_v4,nist_800_53_v4:au-6b.,AU-6b.,Statement,2,,,The organization: Reports findings to [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:au-7,AU-7,Control,1,,Audit Reduction and Report Generation, -nist_800_53_v4,nist_800_53_v4:au-7(1),AU-7 (1),Enhancement,2,,Automatic Processing,The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. -nist_800_53_v4,nist_800_53_v4:au-7(2),AU-7 (2),Enhancement,2,,Automatic Sort And Search,The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. -nist_800_53_v4,nist_800_53_v4:au-7a.,AU-7a.,Statement,2,,,"The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and" -nist_800_53_v4,nist_800_53_v4:au-7b.,AU-7b.,Statement,2,,,The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records. 
-nist_800_53_v4,nist_800_53_v4:au-8,AU-8,Control,1,,Time Stamps, -nist_800_53_v4,nist_800_53_v4:au-8(1),AU-8 (1),Enhancement,2,,Synchronization With Authoritative Time Source,The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:au-8(2),AU-8 (2),Enhancement,2,,Secondary Authoritative Time Source,The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. -nist_800_53_v4,nist_800_53_v4:au-8a.,AU-8a.,Statement,2,,,The information system: Uses internal system clocks to generate time stamps for audit records; and -nist_800_53_v4,nist_800_53_v4:au-8b.,AU-8b.,Statement,2,,,The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. -nist_800_53_v4,nist_800_53_v4:au-9,AU-9,Control,1,,Protection Of Audit Information, -nist_800_53_v4,nist_800_53_v4:au-9(1),AU-9 (1),Enhancement,2,,Hardware Write-Once Media,"The information system writes audit trails to hardware-enforced, write-once media." -nist_800_53_v4,nist_800_53_v4:au-9(2),AU-9 (2),Enhancement,2,,Audit Backup On Separate Physical Systems / Components,The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. 
-nist_800_53_v4,nist_800_53_v4:au-9(3),AU-9 (3),Enhancement,2,,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. -nist_800_53_v4,nist_800_53_v4:au-9(4),AU-9 (4),Enhancement,2,,Access By Subset Of Privileged Users,The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. -nist_800_53_v4,nist_800_53_v4:au-9(5),AU-9 (5),Enhancement,2,,Dual Authorization,The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. -nist_800_53_v4,nist_800_53_v4:au-9(6),AU-9 (6),Enhancement,2,,Read Only Access,The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]. +nist_800_53_v4,nist_800_53_v4:au-1,AU-1,Control,1,1,Audit and Accountability Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:au-10,AU-10,Control,1,10,Non-Repudiation, +nist_800_53_v4,nist_800_53_v4:au-10(1),AU-10 (1),Enhancement,2,1,Association Of Identities,The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information. +nist_800_53_v4,nist_800_53_v4:au-10(2),AU-10 (2),Enhancement,2,2,Validate Binding Of Information Producer Identity,The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error. 
+nist_800_53_v4,nist_800_53_v4:au-10(3),AU-10 (3),Enhancement,2,3,Chain Of Custody,The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. +nist_800_53_v4,nist_800_53_v4:au-10(4),AU-10 (4),Enhancement,2,4,Validate Binding Of Information Reviewer Identity,The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error. +nist_800_53_v4,nist_800_53_v4:au-11,AU-11,Control,1,11,Audit Record Retention, +nist_800_53_v4,nist_800_53_v4:au-11(1),AU-11 (1),Enhancement,2,1,Long-Term Retrieval Capability,The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. +nist_800_53_v4,nist_800_53_v4:au-12,AU-12,Control,1,12,Audit Generation, +nist_800_53_v4,nist_800_53_v4:au-12(1),AU-12 (1),Enhancement,2,1,System-Wide / Time-Correlated Audit Trail,The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. +nist_800_53_v4,nist_800_53_v4:au-12(2),AU-12 (2),Enhancement,2,2,Standardized Formats,The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. 
+nist_800_53_v4,nist_800_53_v4:au-12(3),AU-12 (3),Enhancement,2,3,Changes By Authorized Individuals,The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. +nist_800_53_v4,nist_800_53_v4:au-12a.,AU-12a.,Statement,2,1,,The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; +nist_800_53_v4,nist_800_53_v4:au-12b.,AU-12b.,Statement,2,2,,The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and +nist_800_53_v4,nist_800_53_v4:au-12c.,AU-12c.,Statement,2,3,,The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. +nist_800_53_v4,nist_800_53_v4:au-13,AU-13,Control,1,13,Monitoring For Information Disclosure, +nist_800_53_v4,nist_800_53_v4:au-13(1),AU-13 (1),Enhancement,2,1,Use Of Automated Tools,The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. +nist_800_53_v4,nist_800_53_v4:au-13(2),AU-13 (2),Enhancement,2,2,Review Of Monitored Sites,The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:au-14,AU-14,Control,1,14,Session Audit, +nist_800_53_v4,nist_800_53_v4:au-14(1),AU-14 (1),Enhancement,2,1,System Start-Up,The information system initiates session audits at system start-up. 
+nist_800_53_v4,nist_800_53_v4:au-14(2),AU-14 (2),Enhancement,2,2,Capture/Record And Log Content,The information system provides the capability for authorized users to capture/record and log content related to a user session. +nist_800_53_v4,nist_800_53_v4:au-14(3),AU-14 (3),Enhancement,2,3,Remote Viewing / Listening,The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. +nist_800_53_v4,nist_800_53_v4:au-15,AU-15,Control,1,15,Alternate Audit Capability, +nist_800_53_v4,nist_800_53_v4:au-16,AU-16,Control,1,16,Cross-Organizational Auditing, +nist_800_53_v4,nist_800_53_v4:au-16(1),AU-16 (1),Enhancement,2,1,Identity Preservation,The organization requires that the identity of individuals be preserved in cross-organizational audit trails. +nist_800_53_v4,nist_800_53_v4:au-16(2),AU-16 (2),Enhancement,2,2,Sharing Of Audit Information,The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. +nist_800_53_v4,nist_800_53_v4:au-1a.,AU-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and" +nist_800_53_v4,nist_800_53_v4:au-1b.,AU-1b.,Statement,2,2,,The organization: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and Audit and accountability procedures [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:au-2,AU-2,Control,1,2,Audit Events, +nist_800_53_v4,nist_800_53_v4:au-2(3),AU-2 (3),Enhancement,2,3,Reviews And Updates,The organization reviews and updates the audited events [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:au-2a.,AU-2a.,Statement,2,1,,The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; +nist_800_53_v4,nist_800_53_v4:au-2b.,AU-2b.,Statement,2,2,,The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; +nist_800_53_v4,nist_800_53_v4:au-2c.,AU-2c.,Statement,2,3,,The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and +nist_800_53_v4,nist_800_53_v4:au-2d.,AU-2d.,Statement,2,4,,The organization: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. +nist_800_53_v4,nist_800_53_v4:au-3,AU-3,Control,1,3,Content Of Audit Records, +nist_800_53_v4,nist_800_53_v4:au-3(1),AU-3 (1),Enhancement,2,1,Additional Audit Information,"The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]." +nist_800_53_v4,nist_800_53_v4:au-3(2),AU-3 (2),Enhancement,2,2,Centralized Management Of Planned Audit Record Content,The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. 
+nist_800_53_v4,nist_800_53_v4:au-4,AU-4,Control,1,4,Audit Storage Capacity, +nist_800_53_v4,nist_800_53_v4:au-4(1),AU-4 (1),Enhancement,2,1,Transfer To Alternate Storage,The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. +nist_800_53_v4,nist_800_53_v4:au-5,AU-5,Control,1,5,Response To Audit Processing Failures, +nist_800_53_v4,nist_800_53_v4:au-5(1),AU-5 (1),Enhancement,2,1,Audit Storage Capacity,"The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity." +nist_800_53_v4,nist_800_53_v4:au-5(2),AU-5 (2),Enhancement,2,2,Real-Time Alerts,"The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]." +nist_800_53_v4,nist_800_53_v4:au-5(3),AU-5 (3),Enhancement,2,3,Configurable Traffic Volume Thresholds,The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. +nist_800_53_v4,nist_800_53_v4:au-5(4),AU-5 (4),Enhancement,2,4,Shutdown On Failure,"The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists." 
+nist_800_53_v4,nist_800_53_v4:au-5a.,AU-5a.,Statement,2,1,,The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and +nist_800_53_v4,nist_800_53_v4:au-5b.,AU-5b.,Statement,2,2,,"The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]." +nist_800_53_v4,nist_800_53_v4:au-6,AU-6,Control,1,6,"Audit Review, Analysis, and Reporting", +nist_800_53_v4,nist_800_53_v4:au-6(1),AU-6 (1),Enhancement,2,1,Process Integration,"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities." +nist_800_53_v4,nist_800_53_v4:au-6(10),AU-6 (10),Enhancement,2,10,Audit Level Adjustment,"The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." +nist_800_53_v4,nist_800_53_v4:au-6(3),AU-6 (3),Enhancement,2,3,Correlate Audit Repositories,The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. +nist_800_53_v4,nist_800_53_v4:au-6(4),AU-6 (4),Enhancement,2,4,Central Review And Analysis,The information system provides the capability to centrally review and analyze audit records from multiple components within the system. 
+nist_800_53_v4,nist_800_53_v4:au-6(5),AU-6 (5),Enhancement,2,5,Integration / Scanning And Monitoring Capabilities,The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. +nist_800_53_v4,nist_800_53_v4:au-6(6),AU-6 (6),Enhancement,2,6,Correlation With Physical Monitoring,"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." +nist_800_53_v4,nist_800_53_v4:au-6(7),AU-6 (7),Enhancement,2,7,Permitted Actions,"The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information." +nist_800_53_v4,nist_800_53_v4:au-6(8),AU-6 (8),Enhancement,2,8,Full Text Analysis Of Privileged Commands,"The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis." +nist_800_53_v4,nist_800_53_v4:au-6(9),AU-6 (9),Enhancement,2,9,Correlation With Information From Nontechnical Sources,The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. 
+nist_800_53_v4,nist_800_53_v4:au-6a.,AU-6a.,Statement,2,1,,The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and +nist_800_53_v4,nist_800_53_v4:au-6b.,AU-6b.,Statement,2,2,,The organization: Reports findings to [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:au-7,AU-7,Control,1,7,Audit Reduction and Report Generation, +nist_800_53_v4,nist_800_53_v4:au-7(1),AU-7 (1),Enhancement,2,1,Automatic Processing,The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. +nist_800_53_v4,nist_800_53_v4:au-7(2),AU-7 (2),Enhancement,2,2,Automatic Sort And Search,The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. +nist_800_53_v4,nist_800_53_v4:au-7a.,AU-7a.,Statement,2,1,,"The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and" +nist_800_53_v4,nist_800_53_v4:au-7b.,AU-7b.,Statement,2,2,,The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records. 
+nist_800_53_v4,nist_800_53_v4:au-8,AU-8,Control,1,8,Time Stamps, +nist_800_53_v4,nist_800_53_v4:au-8(1),AU-8 (1),Enhancement,2,1,Synchronization With Authoritative Time Source,The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:au-8(2),AU-8 (2),Enhancement,2,2,Secondary Authoritative Time Source,The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. +nist_800_53_v4,nist_800_53_v4:au-8a.,AU-8a.,Statement,2,1,,The information system: Uses internal system clocks to generate time stamps for audit records; and +nist_800_53_v4,nist_800_53_v4:au-8b.,AU-8b.,Statement,2,2,,The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. +nist_800_53_v4,nist_800_53_v4:au-9,AU-9,Control,1,9,Protection Of Audit Information, +nist_800_53_v4,nist_800_53_v4:au-9(1),AU-9 (1),Enhancement,2,1,Hardware Write-Once Media,"The information system writes audit trails to hardware-enforced, write-once media." +nist_800_53_v4,nist_800_53_v4:au-9(2),AU-9 (2),Enhancement,2,2,Audit Backup On Separate Physical Systems / Components,The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. 
+nist_800_53_v4,nist_800_53_v4:au-9(3),AU-9 (3),Enhancement,2,3,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. +nist_800_53_v4,nist_800_53_v4:au-9(4),AU-9 (4),Enhancement,2,4,Access By Subset Of Privileged Users,The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. +nist_800_53_v4,nist_800_53_v4:au-9(5),AU-9 (5),Enhancement,2,5,Dual Authorization,The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. +nist_800_53_v4,nist_800_53_v4:au-9(6),AU-9 (6),Enhancement,2,6,Read Only Access,The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]. nist_800_53_v4,nist_800_53_v4:ca,CA,Family,0,4,Security Assessment and Authorization, -nist_800_53_v4,nist_800_53_v4:ca-1,CA-1,Control,1,,Security Assessment and Authorization Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ca-1a.,CA-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and" -nist_800_53_v4,nist_800_53_v4:ca-1b.,CA-1b.,Statement,2,,,The organization: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and Security assessment and authorization procedures [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:ca-2,CA-2,Control,1,,Security Assessments, -nist_800_53_v4,nist_800_53_v4:ca-2(1),CA-2 (1),Enhancement,2,,Independent Assessors,The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. -nist_800_53_v4,nist_800_53_v4:ca-2(2),CA-2 (2),Enhancement,2,,Specialized Assessments,"The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]." -nist_800_53_v4,nist_800_53_v4:ca-2(3),CA-2 (3),Enhancement,2,,External Organizations,The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. 
-nist_800_53_v4,nist_800_53_v4:ca-2a.,CA-2a.,Statement,2,,,"The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;" -nist_800_53_v4,nist_800_53_v4:ca-2b.,CA-2b.,Statement,2,,,"The organization: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;" -nist_800_53_v4,nist_800_53_v4:ca-2c.,CA-2c.,Statement,2,,,The organization: Produces a security assessment report that documents the results of the assessment; and -nist_800_53_v4,nist_800_53_v4:ca-2d.,CA-2d.,Statement,2,,,The organization: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. -nist_800_53_v4,nist_800_53_v4:ca-3,CA-3,Control,1,,System Interconnections, -nist_800_53_v4,nist_800_53_v4:ca-3(1),CA-3 (1),Enhancement,2,,Unclassified National Security System Connections,"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." -nist_800_53_v4,nist_800_53_v4:ca-3(2),CA-3 (2),Enhancement,2,,Classified National Security System Connections,"The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." 
-nist_800_53_v4,nist_800_53_v4:ca-3(3),CA-3 (3),Enhancement,2,,Unclassified Non-National Security System Connections,"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]." -nist_800_53_v4,nist_800_53_v4:ca-3(4),CA-3 (4),Enhancement,2,,Connections To Public Networks,The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. -nist_800_53_v4,nist_800_53_v4:ca-3(5),CA-3 (5),Enhancement,2,,Restrictions On External System Connections,"The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems." -nist_800_53_v4,nist_800_53_v4:ca-3a.,CA-3a.,Statement,2,,,The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; -nist_800_53_v4,nist_800_53_v4:ca-3b.,CA-3b.,Statement,2,,,"The organization: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and" -nist_800_53_v4,nist_800_53_v4:ca-3c.,CA-3c.,Statement,2,,,The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ca-4,CA-4,Control,1,,Security Certification, -nist_800_53_v4,nist_800_53_v4:ca-5,CA-5,Control,1,,Plan Of Action and Milestones, -nist_800_53_v4,nist_800_53_v4:ca-5(1),CA-5 (1),Enhancement,2,,Automation Support For Accuracy / Currency,"The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available." 
-nist_800_53_v4,nist_800_53_v4:ca-5a.,CA-5a.,Statement,2,,,The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and -nist_800_53_v4,nist_800_53_v4:ca-5b.,CA-5b.,Statement,2,,,"The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities." -nist_800_53_v4,nist_800_53_v4:ca-6,CA-6,Control,1,,Security Authorization, -nist_800_53_v4,nist_800_53_v4:ca-6a.,CA-6a.,Statement,2,,,The organization: Assigns a senior-level executive or manager as the authorizing official for the information system; -nist_800_53_v4,nist_800_53_v4:ca-6b.,CA-6b.,Statement,2,,,The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and -nist_800_53_v4,nist_800_53_v4:ca-6c.,CA-6c.,Statement,2,,,The organization: Updates the security authorization [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ca-7,CA-7,Control,1,,Continuous Monitoring, -nist_800_53_v4,nist_800_53_v4:ca-7(1),CA-7 (1),Enhancement,2,,Independent Assessment,The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. -nist_800_53_v4,nist_800_53_v4:ca-7(3),CA-7 (3),Enhancement,2,,Trend Analyses,"The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data." 
-nist_800_53_v4,nist_800_53_v4:ca-7a.,CA-7a.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; -nist_800_53_v4,nist_800_53_v4:ca-7b.,CA-7b.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; -nist_800_53_v4,nist_800_53_v4:ca-7c.,CA-7c.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; -nist_800_53_v4,nist_800_53_v4:ca-7d.,CA-7d.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; -nist_800_53_v4,nist_800_53_v4:ca-7e.,CA-7e.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring; -nist_800_53_v4,nist_800_53_v4:ca-7f.,CA-7f.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and -nist_800_53_v4,nist_800_53_v4:ca-7g.,CA-7g.,Statement,2,,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the 
information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ca-8,CA-8,Control,1,,Penetration Testing, -nist_800_53_v4,nist_800_53_v4:ca-8(1),CA-8 (1),Enhancement,2,,Independent Penetration Agent Or Team,The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. -nist_800_53_v4,nist_800_53_v4:ca-8(2),CA-8 (2),Enhancement,2,,Red Team Exercises,The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]. -nist_800_53_v4,nist_800_53_v4:ca-9,CA-9,Control,1,,Internal System Connections, -nist_800_53_v4,nist_800_53_v4:ca-9(1),CA-9 (1),Enhancement,2,,Security Compliance Checks,The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection. -nist_800_53_v4,nist_800_53_v4:ca-9a.,CA-9a.,Statement,2,,,The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and -nist_800_53_v4,nist_800_53_v4:ca-9b.,CA-9b.,Statement,2,,,"The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated." 
+nist_800_53_v4,nist_800_53_v4:ca-1,CA-1,Control,1,1,Security Assessment and Authorization Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ca-1a.,CA-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and" +nist_800_53_v4,nist_800_53_v4:ca-1b.,CA-1b.,Statement,2,2,,The organization: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and Security assessment and authorization procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ca-2,CA-2,Control,1,2,Security Assessments, +nist_800_53_v4,nist_800_53_v4:ca-2(1),CA-2 (1),Enhancement,2,1,Independent Assessors,The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. +nist_800_53_v4,nist_800_53_v4:ca-2(2),CA-2 (2),Enhancement,2,2,Specialized Assessments,"The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]." 
+nist_800_53_v4,nist_800_53_v4:ca-2(3),CA-2 (3),Enhancement,2,3,External Organizations,The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. +nist_800_53_v4,nist_800_53_v4:ca-2a.,CA-2a.,Statement,2,1,,"The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;" +nist_800_53_v4,nist_800_53_v4:ca-2b.,CA-2b.,Statement,2,2,,"The organization: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;" +nist_800_53_v4,nist_800_53_v4:ca-2c.,CA-2c.,Statement,2,3,,The organization: Produces a security assessment report that documents the results of the assessment; and +nist_800_53_v4,nist_800_53_v4:ca-2d.,CA-2d.,Statement,2,4,,The organization: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. +nist_800_53_v4,nist_800_53_v4:ca-3,CA-3,Control,1,3,System Interconnections, +nist_800_53_v4,nist_800_53_v4:ca-3(1),CA-3 (1),Enhancement,2,1,Unclassified National Security System Connections,"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+nist_800_53_v4,nist_800_53_v4:ca-3(2),CA-3 (2),Enhancement,2,2,Classified National Security System Connections,"The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." +nist_800_53_v4,nist_800_53_v4:ca-3(3),CA-3 (3),Enhancement,2,3,Unclassified Non-National Security System Connections,"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]." +nist_800_53_v4,nist_800_53_v4:ca-3(4),CA-3 (4),Enhancement,2,4,Connections To Public Networks,The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. +nist_800_53_v4,nist_800_53_v4:ca-3(5),CA-3 (5),Enhancement,2,5,Restrictions On External System Connections,"The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems." +nist_800_53_v4,nist_800_53_v4:ca-3a.,CA-3a.,Statement,2,1,,The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; +nist_800_53_v4,nist_800_53_v4:ca-3b.,CA-3b.,Statement,2,2,,"The organization: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and" +nist_800_53_v4,nist_800_53_v4:ca-3c.,CA-3c.,Statement,2,3,,The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:ca-4,CA-4,Control,1,4,Security Certification, +nist_800_53_v4,nist_800_53_v4:ca-5,CA-5,Control,1,5,Plan Of Action and Milestones, +nist_800_53_v4,nist_800_53_v4:ca-5(1),CA-5 (1),Enhancement,2,1,Automation Support For Accuracy / Currency,"The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available." +nist_800_53_v4,nist_800_53_v4:ca-5a.,CA-5a.,Statement,2,1,,The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and +nist_800_53_v4,nist_800_53_v4:ca-5b.,CA-5b.,Statement,2,2,,"The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities." +nist_800_53_v4,nist_800_53_v4:ca-6,CA-6,Control,1,6,Security Authorization, +nist_800_53_v4,nist_800_53_v4:ca-6a.,CA-6a.,Statement,2,1,,The organization: Assigns a senior-level executive or manager as the authorizing official for the information system; +nist_800_53_v4,nist_800_53_v4:ca-6b.,CA-6b.,Statement,2,2,,The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and +nist_800_53_v4,nist_800_53_v4:ca-6c.,CA-6c.,Statement,2,3,,The organization: Updates the security authorization [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:ca-7,CA-7,Control,1,7,Continuous Monitoring, +nist_800_53_v4,nist_800_53_v4:ca-7(1),CA-7 (1),Enhancement,2,1,Independent Assessment,The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. +nist_800_53_v4,nist_800_53_v4:ca-7(3),CA-7 (3),Enhancement,2,3,Trend Analyses,"The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data." +nist_800_53_v4,nist_800_53_v4:ca-7a.,CA-7a.,Statement,2,1,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; +nist_800_53_v4,nist_800_53_v4:ca-7b.,CA-7b.,Statement,2,2,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; +nist_800_53_v4,nist_800_53_v4:ca-7c.,CA-7c.,Statement,2,3,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; +nist_800_53_v4,nist_800_53_v4:ca-7d.,CA-7d.,Statement,2,4,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; +nist_800_53_v4,nist_800_53_v4:ca-7e.,CA-7e.,Statement,2,5,,The organization 
develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring; +nist_800_53_v4,nist_800_53_v4:ca-7f.,CA-7f.,Statement,2,6,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and +nist_800_53_v4,nist_800_53_v4:ca-7g.,CA-7g.,Statement,2,7,,The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ca-8,CA-8,Control,1,8,Penetration Testing, +nist_800_53_v4,nist_800_53_v4:ca-8(1),CA-8 (1),Enhancement,2,1,Independent Penetration Agent Or Team,The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. +nist_800_53_v4,nist_800_53_v4:ca-8(2),CA-8 (2),Enhancement,2,2,Red Team Exercises,The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]. +nist_800_53_v4,nist_800_53_v4:ca-9,CA-9,Control,1,9,Internal System Connections, +nist_800_53_v4,nist_800_53_v4:ca-9(1),CA-9 (1),Enhancement,2,1,Security Compliance Checks,The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection. 
+nist_800_53_v4,nist_800_53_v4:ca-9a.,CA-9a.,Statement,2,1,,The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and +nist_800_53_v4,nist_800_53_v4:ca-9b.,CA-9b.,Statement,2,2,,"The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated." nist_800_53_v4,nist_800_53_v4:cm,CM,Family,0,5,Configuration Management, -nist_800_53_v4,nist_800_53_v4:cm-1,CM-1,Control,1,,Configuration Management Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:cm-10,CM-10,Control,1,,Software Usage Restrictions, -nist_800_53_v4,nist_800_53_v4:cm-10(1),CM-10 (1),Enhancement,2,,Open Source Software,The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]. -nist_800_53_v4,nist_800_53_v4:cm-10a.,CM-10a.,Statement,2,,,The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; -nist_800_53_v4,nist_800_53_v4:cm-10b.,CM-10b.,Statement,2,,,The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and -nist_800_53_v4,nist_800_53_v4:cm-10c.,CM-10c.,Statement,2,,,"The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." -nist_800_53_v4,nist_800_53_v4:cm-11,CM-11,Control,1,,User-Installed Software, -nist_800_53_v4,nist_800_53_v4:cm-11(1),CM-11 (1),Enhancement,2,,Alerts For Unauthorized Installations,The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected. 
-nist_800_53_v4,nist_800_53_v4:cm-11(2),CM-11 (2),Enhancement,2,,Prohibit Installation Without Privileged Status,The information system prohibits user installation of software without explicit privileged status. -nist_800_53_v4,nist_800_53_v4:cm-11a.,CM-11a.,Statement,2,,,The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; -nist_800_53_v4,nist_800_53_v4:cm-11b.,CM-11b.,Statement,2,,,The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and -nist_800_53_v4,nist_800_53_v4:cm-11c.,CM-11c.,Statement,2,,,The organization: Monitors policy compliance at [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cm-1a.,CM-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and" -nist_800_53_v4,nist_800_53_v4:cm-1b.,CM-1b.,Statement,2,,,The organization: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and Configuration management procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cm-2,CM-2,Control,1,,Baseline Configuration, -nist_800_53_v4,nist_800_53_v4:cm-2(1),CM-2 (1),Enhancement,2,,Reviews And Updates,The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; When required due to [Assignment organization-defined circumstances]; and As an integral part of information system component installations and upgrades. 
-nist_800_53_v4,nist_800_53_v4:cm-2(2),CM-2 (2),Enhancement,2,,Automation Support For Accuracy / Currency,"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system." -nist_800_53_v4,nist_800_53_v4:cm-2(3),CM-2 (3),Enhancement,2,,Retention Of Previous Configurations,The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. -nist_800_53_v4,nist_800_53_v4:cm-2(6),CM-2 (6),Enhancement,2,,Development And Test Environments,The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. -nist_800_53_v4,nist_800_53_v4:cm-2(7),CM-2 (7),Enhancement,2,,"Configure Systems, Components, Or Devices For High-Risk Areas","The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return." 
-nist_800_53_v4,nist_800_53_v4:cm-3,CM-3,Control,1,,Configuration Change Control, -nist_800_53_v4,nist_800_53_v4:cm-3(1),CM-3 (1),Enhancement,2,,Automated Document / Notification / Prohibition Of Changes,The organization employs automated mechanisms to: Document proposed changes to the information system; Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval; Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; Prohibit changes to the information system until designated approvals are received; Document all changes to the information system; and Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. -nist_800_53_v4,nist_800_53_v4:cm-3(2),CM-3 (2),Enhancement,2,,Test / Validate / Document Changes,"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system." -nist_800_53_v4,nist_800_53_v4:cm-3(3),CM-3 (3),Enhancement,2,,Automated Change Implementation,The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. -nist_800_53_v4,nist_800_53_v4:cm-3(4),CM-3 (4),Enhancement,2,,Security Representative,The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]. -nist_800_53_v4,nist_800_53_v4:cm-3(5),CM-3 (5),Enhancement,2,,Automated Security Response,The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner. 
-nist_800_53_v4,nist_800_53_v4:cm-3(6),CM-3 (6),Enhancement,2,,Cryptography Management,The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. -nist_800_53_v4,nist_800_53_v4:cm-3a.,CM-3a.,Statement,2,,,The organization: Determines the types of changes to the information system that are configuration-controlled; -nist_800_53_v4,nist_800_53_v4:cm-3b.,CM-3b.,Statement,2,,,The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; -nist_800_53_v4,nist_800_53_v4:cm-3c.,CM-3c.,Statement,2,,,The organization: Documents configuration change decisions associated with the information system; -nist_800_53_v4,nist_800_53_v4:cm-3d.,CM-3d.,Statement,2,,,The organization: Implements approved configuration-controlled changes to the information system; -nist_800_53_v4,nist_800_53_v4:cm-3e.,CM-3e.,Statement,2,,,The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; -nist_800_53_v4,nist_800_53_v4:cm-3f.,CM-3f.,Statement,2,,,The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and -nist_800_53_v4,nist_800_53_v4:cm-3g.,CM-3g.,Statement,2,,,"The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]." 
-nist_800_53_v4,nist_800_53_v4:cm-4,CM-4,Control,1,,Security Impact Analysis, -nist_800_53_v4,nist_800_53_v4:cm-4(1),CM-4 (1),Enhancement,2,,Separate Test Environments,"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice." -nist_800_53_v4,nist_800_53_v4:cm-4(2),CM-4 (2),Enhancement,2,,Verification Of Security Functions,"The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system." -nist_800_53_v4,nist_800_53_v4:cm-5,CM-5,Control,1,,Access Restrictions For Change, -nist_800_53_v4,nist_800_53_v4:cm-5(1),CM-5 (1),Enhancement,2,,Automated Access Enforcement / Auditing,The information system enforces access restrictions and supports auditing of the enforcement actions. -nist_800_53_v4,nist_800_53_v4:cm-5(2),CM-5 (2),Enhancement,2,,Review System Changes,The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. -nist_800_53_v4,nist_800_53_v4:cm-5(3),CM-5 (3),Enhancement,2,,Signed Components,The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. -nist_800_53_v4,nist_800_53_v4:cm-5(4),CM-5 (4),Enhancement,2,,Dual Authorization,The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. 
-nist_800_53_v4,nist_800_53_v4:cm-5(5),CM-5 (5),Enhancement,2,,Limit Production / Operational Privileges,The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cm-5(6),CM-5 (6),Enhancement,2,,Limit Library Privileges,The organization limits privileges to change software resident within software libraries. -nist_800_53_v4,nist_800_53_v4:cm-6,CM-6,Control,1,,Configuration Settings, -nist_800_53_v4,nist_800_53_v4:cm-6(1),CM-6 (1),Enhancement,2,,Automated Central Management / Application / Verification,"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]." -nist_800_53_v4,nist_800_53_v4:cm-6(2),CM-6 (2),Enhancement,2,,Respond To Unauthorized Changes,The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. 
-nist_800_53_v4,nist_800_53_v4:cm-6a.,CM-6a.,Statement,2,,,The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; -nist_800_53_v4,nist_800_53_v4:cm-6b.,CM-6b.,Statement,2,,,The organization: Implements the configuration settings; -nist_800_53_v4,nist_800_53_v4:cm-6c.,CM-6c.,Statement,2,,,"The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and" -nist_800_53_v4,nist_800_53_v4:cm-6d.,CM-6d.,Statement,2,,,The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. -nist_800_53_v4,nist_800_53_v4:cm-7,CM-7,Control,1,,Least Functionality, -nist_800_53_v4,nist_800_53_v4:cm-7(1),CM-7 (1),Enhancement,2,,Periodic Review,"The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]." -nist_800_53_v4,nist_800_53_v4:cm-7(2),CM-7 (2),Enhancement,2,,Prevent Program Execution,The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. 
-nist_800_53_v4,nist_800_53_v4:cm-7(3),CM-7 (3),Enhancement,2,,Registration Compliance,"The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]." -nist_800_53_v4,nist_800_53_v4:cm-7(4),CM-7 (4),Enhancement,2,,Unauthorized Software / Blacklisting,"The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]." -nist_800_53_v4,nist_800_53_v4:cm-7(5),CM-7 (5),Enhancement,2,,Authorized Software / Whitelisting,"The organization: Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]." -nist_800_53_v4,nist_800_53_v4:cm-7a.,CM-7a.,Statement,2,,,The organization: Configures the information system to provide only essential capabilities; and -nist_800_53_v4,nist_800_53_v4:cm-7b.,CM-7b.,Statement,2,,,"The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]." -nist_800_53_v4,nist_800_53_v4:cm-8,CM-8,Control,1,,Information System Component Inventory, -nist_800_53_v4,nist_800_53_v4:cm-8(1),CM-8 (1),Enhancement,2,,Updates During Installations / Removals,"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates." 
-nist_800_53_v4,nist_800_53_v4:cm-8(2),CM-8 (2),Enhancement,2,,Automated Maintenance,"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components." -nist_800_53_v4,nist_800_53_v4:cm-8(3),CM-8 (3),Enhancement,2,,Automated Unauthorized Component Detection,"The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]." -nist_800_53_v4,nist_800_53_v4:cm-8(4),CM-8 (4),Enhancement,2,,Accountability Information,"The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components." -nist_800_53_v4,nist_800_53_v4:cm-8(5),CM-8 (5),Enhancement,2,,No Duplicate Accounting Of Components,The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. -nist_800_53_v4,nist_800_53_v4:cm-8(6),CM-8 (6),Enhancement,2,,Assessed Configurations / Approved Deviations,The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. -nist_800_53_v4,nist_800_53_v4:cm-8(7),CM-8 (7),Enhancement,2,,Centralized Repository,The organization provides a centralized repository for the inventory of information system components. 
-nist_800_53_v4,nist_800_53_v4:cm-8(8),CM-8 (8),Enhancement,2,,Automated Location Tracking,The organization employs automated mechanisms to support tracking of information system components by geographic location. -nist_800_53_v4,nist_800_53_v4:cm-8(9),CM-8 (9),Enhancement,2,,Assignment Of Components To Systems,The organization: Assigns [Assignment: organization-defined acquired information system components] to an information system; and Receives an acknowledgement from the information system owner of this assignment. -nist_800_53_v4,nist_800_53_v4:cm-8a.,CM-8a.,Statement,2,,,The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and -nist_800_53_v4,nist_800_53_v4:cm-8b.,CM-8b.,Statement,2,,,The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cm-9,CM-9,Control,1,,Configuration Management Plan, -nist_800_53_v4,nist_800_53_v4:cm-9(1),CM-9 (1),Enhancement,2,,Assignment Of Responsibility,The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. 
-nist_800_53_v4,nist_800_53_v4:cm-9a.,CM-9a.,Statement,2,,,"The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;" -nist_800_53_v4,nist_800_53_v4:cm-9b.,CM-9b.,Statement,2,,,"The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" -nist_800_53_v4,nist_800_53_v4:cm-9c.,CM-9c.,Statement,2,,,"The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and" -nist_800_53_v4,nist_800_53_v4:cm-9d.,CM-9d.,Statement,2,,,"The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification." +nist_800_53_v4,nist_800_53_v4:cm-1,CM-1,Control,1,1,Configuration Management Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:cm-10,CM-10,Control,1,10,Software Usage Restrictions, +nist_800_53_v4,nist_800_53_v4:cm-10(1),CM-10 (1),Enhancement,2,1,Open Source Software,The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]. 
+nist_800_53_v4,nist_800_53_v4:cm-10a.,CM-10a.,Statement,2,1,,The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; +nist_800_53_v4,nist_800_53_v4:cm-10b.,CM-10b.,Statement,2,2,,The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and +nist_800_53_v4,nist_800_53_v4:cm-10c.,CM-10c.,Statement,2,3,,"The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." +nist_800_53_v4,nist_800_53_v4:cm-11,CM-11,Control,1,11,User-Installed Software, +nist_800_53_v4,nist_800_53_v4:cm-11(1),CM-11 (1),Enhancement,2,1,Alerts For Unauthorized Installations,The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected. +nist_800_53_v4,nist_800_53_v4:cm-11(2),CM-11 (2),Enhancement,2,2,Prohibit Installation Without Privileged Status,The information system prohibits user installation of software without explicit privileged status. +nist_800_53_v4,nist_800_53_v4:cm-11a.,CM-11a.,Statement,2,1,,The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; +nist_800_53_v4,nist_800_53_v4:cm-11b.,CM-11b.,Statement,2,2,,The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and +nist_800_53_v4,nist_800_53_v4:cm-11c.,CM-11c.,Statement,2,3,,The organization: Monitors policy compliance at [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:cm-1a.,CM-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and" +nist_800_53_v4,nist_800_53_v4:cm-1b.,CM-1b.,Statement,2,2,,The organization: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and Configuration management procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:cm-2,CM-2,Control,1,2,Baseline Configuration, +nist_800_53_v4,nist_800_53_v4:cm-2(1),CM-2 (1),Enhancement,2,1,Reviews And Updates,The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; When required due to [Assignment organization-defined circumstances]; and As an integral part of information system component installations and upgrades. +nist_800_53_v4,nist_800_53_v4:cm-2(2),CM-2 (2),Enhancement,2,2,Automation Support For Accuracy / Currency,"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system." +nist_800_53_v4,nist_800_53_v4:cm-2(3),CM-2 (3),Enhancement,2,3,Retention Of Previous Configurations,The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. 
+nist_800_53_v4,nist_800_53_v4:cm-2(6),CM-2 (6),Enhancement,2,6,Development And Test Environments,The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. +nist_800_53_v4,nist_800_53_v4:cm-2(7),CM-2 (7),Enhancement,2,7,"Configure Systems, Components, Or Devices For High-Risk Areas","The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return." +nist_800_53_v4,nist_800_53_v4:cm-3,CM-3,Control,1,3,Configuration Change Control, +nist_800_53_v4,nist_800_53_v4:cm-3(1),CM-3 (1),Enhancement,2,1,Automated Document / Notification / Prohibition Of Changes,The organization employs automated mechanisms to: Document proposed changes to the information system; Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval; Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; Prohibit changes to the information system until designated approvals are received; Document all changes to the information system; and Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed. +nist_800_53_v4,nist_800_53_v4:cm-3(2),CM-3 (2),Enhancement,2,2,Test / Validate / Document Changes,"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system." 
+nist_800_53_v4,nist_800_53_v4:cm-3(3),CM-3 (3),Enhancement,2,3,Automated Change Implementation,The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. +nist_800_53_v4,nist_800_53_v4:cm-3(4),CM-3 (4),Enhancement,2,4,Security Representative,The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]. +nist_800_53_v4,nist_800_53_v4:cm-3(5),CM-3 (5),Enhancement,2,5,Automated Security Response,The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner. +nist_800_53_v4,nist_800_53_v4:cm-3(6),CM-3 (6),Enhancement,2,6,Cryptography Management,The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. 
+nist_800_53_v4,nist_800_53_v4:cm-3a.,CM-3a.,Statement,2,1,,The organization: Determines the types of changes to the information system that are configuration-controlled; +nist_800_53_v4,nist_800_53_v4:cm-3b.,CM-3b.,Statement,2,2,,The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; +nist_800_53_v4,nist_800_53_v4:cm-3c.,CM-3c.,Statement,2,3,,The organization: Documents configuration change decisions associated with the information system; +nist_800_53_v4,nist_800_53_v4:cm-3d.,CM-3d.,Statement,2,4,,The organization: Implements approved configuration-controlled changes to the information system; +nist_800_53_v4,nist_800_53_v4:cm-3e.,CM-3e.,Statement,2,5,,The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; +nist_800_53_v4,nist_800_53_v4:cm-3f.,CM-3f.,Statement,2,6,,The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and +nist_800_53_v4,nist_800_53_v4:cm-3g.,CM-3g.,Statement,2,7,,"The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]." +nist_800_53_v4,nist_800_53_v4:cm-4,CM-4,Control,1,4,Security Impact Analysis, +nist_800_53_v4,nist_800_53_v4:cm-4(1),CM-4 (1),Enhancement,2,1,Separate Test Environments,"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice." 
+nist_800_53_v4,nist_800_53_v4:cm-4(2),CM-4 (2),Enhancement,2,2,Verification Of Security Functions,"The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system." +nist_800_53_v4,nist_800_53_v4:cm-5,CM-5,Control,1,5,Access Restrictions For Change, +nist_800_53_v4,nist_800_53_v4:cm-5(1),CM-5 (1),Enhancement,2,1,Automated Access Enforcement / Auditing,The information system enforces access restrictions and supports auditing of the enforcement actions. +nist_800_53_v4,nist_800_53_v4:cm-5(2),CM-5 (2),Enhancement,2,2,Review System Changes,The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. +nist_800_53_v4,nist_800_53_v4:cm-5(3),CM-5 (3),Enhancement,2,3,Signed Components,The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. +nist_800_53_v4,nist_800_53_v4:cm-5(4),CM-5 (4),Enhancement,2,4,Dual Authorization,The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]. +nist_800_53_v4,nist_800_53_v4:cm-5(5),CM-5 (5),Enhancement,2,5,Limit Production / Operational Privileges,The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:cm-5(6),CM-5 (6),Enhancement,2,6,Limit Library Privileges,The organization limits privileges to change software resident within software libraries. +nist_800_53_v4,nist_800_53_v4:cm-6,CM-6,Control,1,6,Configuration Settings, +nist_800_53_v4,nist_800_53_v4:cm-6(1),CM-6 (1),Enhancement,2,1,Automated Central Management / Application / Verification,"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]." +nist_800_53_v4,nist_800_53_v4:cm-6(2),CM-6 (2),Enhancement,2,2,Respond To Unauthorized Changes,The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. +nist_800_53_v4,nist_800_53_v4:cm-6a.,CM-6a.,Statement,2,1,,The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; +nist_800_53_v4,nist_800_53_v4:cm-6b.,CM-6b.,Statement,2,2,,The organization: Implements the configuration settings; +nist_800_53_v4,nist_800_53_v4:cm-6c.,CM-6c.,Statement,2,3,,"The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and" +nist_800_53_v4,nist_800_53_v4:cm-6d.,CM-6d.,Statement,2,4,,The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. 
+nist_800_53_v4,nist_800_53_v4:cm-7,CM-7,Control,1,7,Least Functionality, +nist_800_53_v4,nist_800_53_v4:cm-7(1),CM-7 (1),Enhancement,2,1,Periodic Review,"The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]." +nist_800_53_v4,nist_800_53_v4:cm-7(2),CM-7 (2),Enhancement,2,2,Prevent Program Execution,The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. +nist_800_53_v4,nist_800_53_v4:cm-7(3),CM-7 (3),Enhancement,2,3,Registration Compliance,"The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]." +nist_800_53_v4,nist_800_53_v4:cm-7(4),CM-7 (4),Enhancement,2,4,Unauthorized Software / Blacklisting,"The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]." 
+nist_800_53_v4,nist_800_53_v4:cm-7(5),CM-7 (5),Enhancement,2,5,Authorized Software / Whitelisting,"The organization: Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]." +nist_800_53_v4,nist_800_53_v4:cm-7a.,CM-7a.,Statement,2,1,,The organization: Configures the information system to provide only essential capabilities; and +nist_800_53_v4,nist_800_53_v4:cm-7b.,CM-7b.,Statement,2,2,,"The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]." +nist_800_53_v4,nist_800_53_v4:cm-8,CM-8,Control,1,8,Information System Component Inventory, +nist_800_53_v4,nist_800_53_v4:cm-8(1),CM-8 (1),Enhancement,2,1,Updates During Installations / Removals,"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates." +nist_800_53_v4,nist_800_53_v4:cm-8(2),CM-8 (2),Enhancement,2,2,Automated Maintenance,"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components." 
+nist_800_53_v4,nist_800_53_v4:cm-8(3),CM-8 (3),Enhancement,2,3,Automated Unauthorized Component Detection,"The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]." +nist_800_53_v4,nist_800_53_v4:cm-8(4),CM-8 (4),Enhancement,2,4,Accountability Information,"The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components." +nist_800_53_v4,nist_800_53_v4:cm-8(5),CM-8 (5),Enhancement,2,5,No Duplicate Accounting Of Components,The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. +nist_800_53_v4,nist_800_53_v4:cm-8(6),CM-8 (6),Enhancement,2,6,Assessed Configurations / Approved Deviations,The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. +nist_800_53_v4,nist_800_53_v4:cm-8(7),CM-8 (7),Enhancement,2,7,Centralized Repository,The organization provides a centralized repository for the inventory of information system components. +nist_800_53_v4,nist_800_53_v4:cm-8(8),CM-8 (8),Enhancement,2,8,Automated Location Tracking,The organization employs automated mechanisms to support tracking of information system components by geographic location. 
+nist_800_53_v4,nist_800_53_v4:cm-8(9),CM-8 (9),Enhancement,2,9,Assignment Of Components To Systems,The organization: Assigns [Assignment: organization-defined acquired information system components] to an information system; and Receives an acknowledgement from the information system owner of this assignment. +nist_800_53_v4,nist_800_53_v4:cm-8a.,CM-8a.,Statement,2,1,,The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and +nist_800_53_v4,nist_800_53_v4:cm-8b.,CM-8b.,Statement,2,2,,The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:cm-9,CM-9,Control,1,9,Configuration Management Plan, +nist_800_53_v4,nist_800_53_v4:cm-9(1),CM-9 (1),Enhancement,2,1,Assignment Of Responsibility,The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. 
+nist_800_53_v4,nist_800_53_v4:cm-9a.,CM-9a.,Statement,2,1,,"The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;" +nist_800_53_v4,nist_800_53_v4:cm-9b.,CM-9b.,Statement,2,2,,"The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" +nist_800_53_v4,nist_800_53_v4:cm-9c.,CM-9c.,Statement,2,3,,"The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and" +nist_800_53_v4,nist_800_53_v4:cm-9d.,CM-9d.,Statement,2,4,,"The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification." nist_800_53_v4,nist_800_53_v4:cp,CP,Family,0,6,Contingency Planning, -nist_800_53_v4,nist_800_53_v4:cp-1,CP-1,Control,1,,Contingency Planning Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:cp-10,CP-10,Control,1,,Information System Recovery and Reconstitution, -nist_800_53_v4,nist_800_53_v4:cp-10(2),CP-10 (2),Enhancement,2,,Transaction Recovery,The information system implements transaction recovery for systems that are transaction-based. 
-nist_800_53_v4,nist_800_53_v4:cp-10(4),CP-10 (4),Enhancement,2,,Restore Within Time Period,"The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components." -nist_800_53_v4,nist_800_53_v4:cp-10(6),CP-10 (6),Enhancement,2,,Component Protection,"The organization protects backup and restoration hardware, firmware, and software." -nist_800_53_v4,nist_800_53_v4:cp-11,CP-11,Control,1,,Alternate Communications Protocols, -nist_800_53_v4,nist_800_53_v4:cp-12,CP-12,Control,1,,Safe Mode, -nist_800_53_v4,nist_800_53_v4:cp-13,CP-13,Control,1,,Alternative Security Mechanisms, -nist_800_53_v4,nist_800_53_v4:cp-1a.,CP-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and" -nist_800_53_v4,nist_800_53_v4:cp-1b.,CP-1b.,Statement,2,,,The organization: Reviews and updates the current: Contingency planning policy [Assignment: organization-defined frequency]; and Contingency planning procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cp-2,CP-2,Control,1,,Contingency Plan, -nist_800_53_v4,nist_800_53_v4:cp-2(1),CP-2 (1),Enhancement,2,,Coordinate With Related Plans,The organization coordinates contingency plan development with organizational elements responsible for related plans. 
-nist_800_53_v4,nist_800_53_v4:cp-2(2),CP-2 (2),Enhancement,2,,Capacity Planning,"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." -nist_800_53_v4,nist_800_53_v4:cp-2(3),CP-2 (3),Enhancement,2,,Resume Essential Missions / Business Functions,The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. -nist_800_53_v4,nist_800_53_v4:cp-2(4),CP-2 (4),Enhancement,2,,Resume All Missions / Business Functions,The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. -nist_800_53_v4,nist_800_53_v4:cp-2(5),CP-2 (5),Enhancement,2,,Continue Essential Missions / Business Functions,The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. -nist_800_53_v4,nist_800_53_v4:cp-2(6),CP-2 (6),Enhancement,2,,Alternate Processing / Storage Site,The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. -nist_800_53_v4,nist_800_53_v4:cp-2(7),CP-2 (7),Enhancement,2,,Coordinate With External Service Providers,The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. 
-nist_800_53_v4,nist_800_53_v4:cp-2(8),CP-2 (8),Enhancement,2,,Identify Critical Assets,The organization identifies critical information system assets supporting essential missions and business functions. -nist_800_53_v4,nist_800_53_v4:cp-2a.,CP-2a.,Statement,2,,,"The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" -nist_800_53_v4,nist_800_53_v4:cp-2b.,CP-2b.,Statement,2,,,The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; -nist_800_53_v4,nist_800_53_v4:cp-2c.,CP-2c.,Statement,2,,,The organization: Coordinates contingency planning activities with incident handling activities; -nist_800_53_v4,nist_800_53_v4:cp-2d.,CP-2d.,Statement,2,,,The organization: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; -nist_800_53_v4,nist_800_53_v4:cp-2e.,CP-2e.,Statement,2,,,"The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" -nist_800_53_v4,nist_800_53_v4:cp-2f.,CP-2f.,Statement,2,,,The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency 
personnel (identified by name and/or by role) and organizational elements]; and -nist_800_53_v4,nist_800_53_v4:cp-2g.,CP-2g.,Statement,2,,,The organization: Protects the contingency plan from unauthorized disclosure and modification. -nist_800_53_v4,nist_800_53_v4:cp-3,CP-3,Control,1,,Contingency Training, -nist_800_53_v4,nist_800_53_v4:cp-3(1),CP-3 (1),Enhancement,2,,Simulated Events,The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. -nist_800_53_v4,nist_800_53_v4:cp-3(2),CP-3 (2),Enhancement,2,,Automated Training Environments,The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. -nist_800_53_v4,nist_800_53_v4:cp-3a.,CP-3a.,Statement,2,,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; -nist_800_53_v4,nist_800_53_v4:cp-3b.,CP-3b.,Statement,2,,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and -nist_800_53_v4,nist_800_53_v4:cp-3c.,CP-3c.,Statement,2,,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter. -nist_800_53_v4,nist_800_53_v4:cp-4,CP-4,Control,1,,Contingency Plan Testing, -nist_800_53_v4,nist_800_53_v4:cp-4(1),CP-4 (1),Enhancement,2,,Coordinate With Related Plans,The organization coordinates contingency plan testing with organizational elements responsible for related plans. 
-nist_800_53_v4,nist_800_53_v4:cp-4(2),CP-4 (2),Enhancement,2,,Alternate Processing Site,The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations. -nist_800_53_v4,nist_800_53_v4:cp-4(3),CP-4 (3),Enhancement,2,,Automated Testing,The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. -nist_800_53_v4,nist_800_53_v4:cp-4(4),CP-4 (4),Enhancement,2,,Full Recovery / Reconstitution,The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. -nist_800_53_v4,nist_800_53_v4:cp-4a.,CP-4a.,Statement,2,,,The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; -nist_800_53_v4,nist_800_53_v4:cp-4b.,CP-4b.,Statement,2,,,The organization: Reviews the contingency plan test results; and -nist_800_53_v4,nist_800_53_v4:cp-4c.,CP-4c.,Statement,2,,,"The organization: Initiates corrective actions, if needed." -nist_800_53_v4,nist_800_53_v4:cp-5,CP-5,Control,1,,Contingency Plan Update, -nist_800_53_v4,nist_800_53_v4:cp-6,CP-6,Control,1,,Alternate Storage Site, -nist_800_53_v4,nist_800_53_v4:cp-6(1),CP-6 (1),Enhancement,2,,Separation From Primary Site,The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. -nist_800_53_v4,nist_800_53_v4:cp-6(2),CP-6 (2),Enhancement,2,,Recovery Time / Point Objectives,The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. 
-nist_800_53_v4,nist_800_53_v4:cp-6(3),CP-6 (3),Enhancement,2,,Accessibility,The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. -nist_800_53_v4,nist_800_53_v4:cp-6a.,CP-6a.,Statement,2,,,The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and -nist_800_53_v4,nist_800_53_v4:cp-6b.,CP-6b.,Statement,2,,,The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. -nist_800_53_v4,nist_800_53_v4:cp-7,CP-7,Control,1,,Alternate Processing Site, -nist_800_53_v4,nist_800_53_v4:cp-7(1),CP-7 (1),Enhancement,2,,Separation From Primary Site,The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. -nist_800_53_v4,nist_800_53_v4:cp-7(2),CP-7 (2),Enhancement,2,,Accessibility,The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. -nist_800_53_v4,nist_800_53_v4:cp-7(3),CP-7 (3),Enhancement,2,,Priority Of Service,The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). -nist_800_53_v4,nist_800_53_v4:cp-7(4),CP-7 (4),Enhancement,2,,Preparation For Use,The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. 
-nist_800_53_v4,nist_800_53_v4:cp-7(6),CP-7 (6),Enhancement,2,,Inability To Return To Primary Site,The organization plans and prepares for circumstances that preclude returning to the primary processing site. -nist_800_53_v4,nist_800_53_v4:cp-7a.,CP-7a.,Statement,2,,,The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; -nist_800_53_v4,nist_800_53_v4:cp-7b.,CP-7b.,Statement,2,,,The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and -nist_800_53_v4,nist_800_53_v4:cp-7c.,CP-7c.,Statement,2,,,The organization: Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. -nist_800_53_v4,nist_800_53_v4:cp-8,CP-8,Control,1,,Telecommunications Services, -nist_800_53_v4,nist_800_53_v4:cp-8(1),CP-8 (1),Enhancement,2,,Priority Of Service Provisions,The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. 
-nist_800_53_v4,nist_800_53_v4:cp-8(2),CP-8 (2),Enhancement,2,,Single Points Of Failure,The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. -nist_800_53_v4,nist_800_53_v4:cp-8(3),CP-8 (3),Enhancement,2,,Separation Of Primary / Alternate Providers,The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. -nist_800_53_v4,nist_800_53_v4:cp-8(4),CP-8 (4),Enhancement,2,,Provider Contingency Plan,The organization: Requires primary and alternate telecommunications service providers to have contingency plans; Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cp-8(5),CP-8 (5),Enhancement,2,,Alternate Telecommunication Service Testing,The organization tests alternate telecommunication services [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:cp-9,CP-9,Control,1,,Information System Backup, -nist_800_53_v4,nist_800_53_v4:cp-9(1),CP-9 (1),Enhancement,2,,Testing For Reliability / Integrity,The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. -nist_800_53_v4,nist_800_53_v4:cp-9(2),CP-9 (2),Enhancement,2,,Test Restoration Using Sampling,The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. 
-nist_800_53_v4,nist_800_53_v4:cp-9(3),CP-9 (3),Enhancement,2,,Separate Storage For Critical Information,The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. -nist_800_53_v4,nist_800_53_v4:cp-9(5),CP-9 (5),Enhancement,2,,Transfer To Alternate Storage Site,The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. -nist_800_53_v4,nist_800_53_v4:cp-9(6),CP-9 (6),Enhancement,2,,Redundant Secondary System,The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. -nist_800_53_v4,nist_800_53_v4:cp-9(7),CP-9 (7),Enhancement,2,,Dual Authorization,The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. 
-nist_800_53_v4,nist_800_53_v4:cp-9a.,CP-9a.,Statement,2,,,The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; -nist_800_53_v4,nist_800_53_v4:cp-9b.,CP-9b.,Statement,2,,,The organization: Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; -nist_800_53_v4,nist_800_53_v4:cp-9c.,CP-9c.,Statement,2,,,The organization: Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and -nist_800_53_v4,nist_800_53_v4:cp-9d.,CP-9d.,Statement,2,,,"The organization: Protects the confidentiality, integrity, and availability of backup information at storage locations." +nist_800_53_v4,nist_800_53_v4:cp-1,CP-1,Control,1,1,Contingency Planning Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:cp-10,CP-10,Control,1,10,Information System Recovery and Reconstitution, +nist_800_53_v4,nist_800_53_v4:cp-10(2),CP-10 (2),Enhancement,2,2,Transaction Recovery,The information system implements transaction recovery for systems that are transaction-based. +nist_800_53_v4,nist_800_53_v4:cp-10(4),CP-10 (4),Enhancement,2,4,Restore Within Time Period,"The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components." +nist_800_53_v4,nist_800_53_v4:cp-10(6),CP-10 (6),Enhancement,2,6,Component Protection,"The organization protects backup and restoration hardware, firmware, and software." 
+nist_800_53_v4,nist_800_53_v4:cp-11,CP-11,Control,1,11,Alternate Communications Protocols, +nist_800_53_v4,nist_800_53_v4:cp-12,CP-12,Control,1,12,Safe Mode, +nist_800_53_v4,nist_800_53_v4:cp-13,CP-13,Control,1,13,Alternative Security Mechanisms, +nist_800_53_v4,nist_800_53_v4:cp-1a.,CP-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and" +nist_800_53_v4,nist_800_53_v4:cp-1b.,CP-1b.,Statement,2,2,,The organization: Reviews and updates the current: Contingency planning policy [Assignment: organization-defined frequency]; and Contingency planning procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:cp-2,CP-2,Control,1,2,Contingency Plan, +nist_800_53_v4,nist_800_53_v4:cp-2(1),CP-2 (1),Enhancement,2,1,Coordinate With Related Plans,The organization coordinates contingency plan development with organizational elements responsible for related plans. +nist_800_53_v4,nist_800_53_v4:cp-2(2),CP-2 (2),Enhancement,2,2,Capacity Planning,"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." +nist_800_53_v4,nist_800_53_v4:cp-2(3),CP-2 (3),Enhancement,2,3,Resume Essential Missions / Business Functions,The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. 
+nist_800_53_v4,nist_800_53_v4:cp-2(4),CP-2 (4),Enhancement,2,4,Resume All Missions / Business Functions,The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. +nist_800_53_v4,nist_800_53_v4:cp-2(5),CP-2 (5),Enhancement,2,5,Continue Essential Missions / Business Functions,The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. +nist_800_53_v4,nist_800_53_v4:cp-2(6),CP-2 (6),Enhancement,2,6,Alternate Processing / Storage Site,The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. +nist_800_53_v4,nist_800_53_v4:cp-2(7),CP-2 (7),Enhancement,2,7,Coordinate With External Service Providers,The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. +nist_800_53_v4,nist_800_53_v4:cp-2(8),CP-2 (8),Enhancement,2,8,Identify Critical Assets,The organization identifies critical information system assets supporting essential missions and business functions. 
+nist_800_53_v4,nist_800_53_v4:cp-2a.,CP-2a.,Statement,2,1,,"The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" +nist_800_53_v4,nist_800_53_v4:cp-2b.,CP-2b.,Statement,2,2,,The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; +nist_800_53_v4,nist_800_53_v4:cp-2c.,CP-2c.,Statement,2,3,,The organization: Coordinates contingency planning activities with incident handling activities; +nist_800_53_v4,nist_800_53_v4:cp-2d.,CP-2d.,Statement,2,4,,The organization: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; +nist_800_53_v4,nist_800_53_v4:cp-2e.,CP-2e.,Statement,2,5,,"The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" +nist_800_53_v4,nist_800_53_v4:cp-2f.,CP-2f.,Statement,2,6,,The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and +nist_800_53_v4,nist_800_53_v4:cp-2g.,CP-2g.,Statement,2,7,,The organization: Protects the contingency plan from 
unauthorized disclosure and modification. +nist_800_53_v4,nist_800_53_v4:cp-3,CP-3,Control,1,3,Contingency Training, +nist_800_53_v4,nist_800_53_v4:cp-3(1),CP-3 (1),Enhancement,2,1,Simulated Events,The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. +nist_800_53_v4,nist_800_53_v4:cp-3(2),CP-3 (2),Enhancement,2,2,Automated Training Environments,The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. +nist_800_53_v4,nist_800_53_v4:cp-3a.,CP-3a.,Statement,2,1,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; +nist_800_53_v4,nist_800_53_v4:cp-3b.,CP-3b.,Statement,2,2,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and +nist_800_53_v4,nist_800_53_v4:cp-3c.,CP-3c.,Statement,2,3,,The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter. +nist_800_53_v4,nist_800_53_v4:cp-4,CP-4,Control,1,4,Contingency Plan Testing, +nist_800_53_v4,nist_800_53_v4:cp-4(1),CP-4 (1),Enhancement,2,1,Coordinate With Related Plans,The organization coordinates contingency plan testing with organizational elements responsible for related plans. +nist_800_53_v4,nist_800_53_v4:cp-4(2),CP-4 (2),Enhancement,2,2,Alternate Processing Site,The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations. 
+nist_800_53_v4,nist_800_53_v4:cp-4(3),CP-4 (3),Enhancement,2,3,Automated Testing,The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. +nist_800_53_v4,nist_800_53_v4:cp-4(4),CP-4 (4),Enhancement,2,4,Full Recovery / Reconstitution,The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. +nist_800_53_v4,nist_800_53_v4:cp-4a.,CP-4a.,Statement,2,1,,The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; +nist_800_53_v4,nist_800_53_v4:cp-4b.,CP-4b.,Statement,2,2,,The organization: Reviews the contingency plan test results; and +nist_800_53_v4,nist_800_53_v4:cp-4c.,CP-4c.,Statement,2,3,,"The organization: Initiates corrective actions, if needed." +nist_800_53_v4,nist_800_53_v4:cp-5,CP-5,Control,1,5,Contingency Plan Update, +nist_800_53_v4,nist_800_53_v4:cp-6,CP-6,Control,1,6,Alternate Storage Site, +nist_800_53_v4,nist_800_53_v4:cp-6(1),CP-6 (1),Enhancement,2,1,Separation From Primary Site,The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. +nist_800_53_v4,nist_800_53_v4:cp-6(2),CP-6 (2),Enhancement,2,2,Recovery Time / Point Objectives,The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. +nist_800_53_v4,nist_800_53_v4:cp-6(3),CP-6 (3),Enhancement,2,3,Accessibility,The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. 
+nist_800_53_v4,nist_800_53_v4:cp-6a.,CP-6a.,Statement,2,1,,The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and +nist_800_53_v4,nist_800_53_v4:cp-6b.,CP-6b.,Statement,2,2,,The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. +nist_800_53_v4,nist_800_53_v4:cp-7,CP-7,Control,1,7,Alternate Processing Site, +nist_800_53_v4,nist_800_53_v4:cp-7(1),CP-7 (1),Enhancement,2,1,Separation From Primary Site,The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. +nist_800_53_v4,nist_800_53_v4:cp-7(2),CP-7 (2),Enhancement,2,2,Accessibility,The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. +nist_800_53_v4,nist_800_53_v4:cp-7(3),CP-7 (3),Enhancement,2,3,Priority Of Service,The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). +nist_800_53_v4,nist_800_53_v4:cp-7(4),CP-7 (4),Enhancement,2,4,Preparation For Use,The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. +nist_800_53_v4,nist_800_53_v4:cp-7(6),CP-7 (6),Enhancement,2,6,Inability To Return To Primary Site,The organization plans and prepares for circumstances that preclude returning to the primary processing site. 
+nist_800_53_v4,nist_800_53_v4:cp-7a.,CP-7a.,Statement,2,1,,The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; +nist_800_53_v4,nist_800_53_v4:cp-7b.,CP-7b.,Statement,2,2,,The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and +nist_800_53_v4,nist_800_53_v4:cp-7c.,CP-7c.,Statement,2,3,,The organization: Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. +nist_800_53_v4,nist_800_53_v4:cp-8,CP-8,Control,1,8,Telecommunications Services, +nist_800_53_v4,nist_800_53_v4:cp-8(1),CP-8 (1),Enhancement,2,1,Priority Of Service Provisions,The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. +nist_800_53_v4,nist_800_53_v4:cp-8(2),CP-8 (2),Enhancement,2,2,Single Points Of Failure,The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. 
+nist_800_53_v4,nist_800_53_v4:cp-8(3),CP-8 (3),Enhancement,2,3,Separation Of Primary / Alternate Providers,The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. +nist_800_53_v4,nist_800_53_v4:cp-8(4),CP-8 (4),Enhancement,2,4,Provider Contingency Plan,The organization: Requires primary and alternate telecommunications service providers to have contingency plans; Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:cp-8(5),CP-8 (5),Enhancement,2,5,Alternate Telecommunication Service Testing,The organization tests alternate telecommunication services [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:cp-9,CP-9,Control,1,9,Information System Backup, +nist_800_53_v4,nist_800_53_v4:cp-9(1),CP-9 (1),Enhancement,2,1,Testing For Reliability / Integrity,The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. +nist_800_53_v4,nist_800_53_v4:cp-9(2),CP-9 (2),Enhancement,2,2,Test Restoration Using Sampling,The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. +nist_800_53_v4,nist_800_53_v4:cp-9(3),CP-9 (3),Enhancement,2,3,Separate Storage For Critical Information,The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. 
+nist_800_53_v4,nist_800_53_v4:cp-9(5),CP-9 (5),Enhancement,2,5,Transfer To Alternate Storage Site,The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. +nist_800_53_v4,nist_800_53_v4:cp-9(6),CP-9 (6),Enhancement,2,6,Redundant Secondary System,The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. +nist_800_53_v4,nist_800_53_v4:cp-9(7),CP-9 (7),Enhancement,2,7,Dual Authorization,The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. +nist_800_53_v4,nist_800_53_v4:cp-9a.,CP-9a.,Statement,2,1,,The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; +nist_800_53_v4,nist_800_53_v4:cp-9b.,CP-9b.,Statement,2,2,,The organization: Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; +nist_800_53_v4,nist_800_53_v4:cp-9c.,CP-9c.,Statement,2,3,,The organization: Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and +nist_800_53_v4,nist_800_53_v4:cp-9d.,CP-9d.,Statement,2,4,,"The organization: Protects the confidentiality, integrity, and availability of backup information at storage locations." 
nist_800_53_v4,nist_800_53_v4:ia,IA,Family,0,7,Identification and Authentication, -nist_800_53_v4,nist_800_53_v4:ia-1,IA-1,Control,1,,Identification and Authentication Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ia-10,IA-10,Control,1,,Adaptive Identification and Authentication, -nist_800_53_v4,nist_800_53_v4:ia-11,IA-11,Control,1,,Re-Authentication, -nist_800_53_v4,nist_800_53_v4:ia-1a.,IA-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and" -nist_800_53_v4,nist_800_53_v4:ia-1b.,IA-1b.,Statement,2,,,The organization: Reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and Identification and authentication procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ia-2,IA-2,Control,1,,Identification and Authentication (Organizational Users), -nist_800_53_v4,nist_800_53_v4:ia-2(1),IA-2 (1),Enhancement,2,,Network Access To Privileged Accounts,The information system implements multifactor authentication for network access to privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-2(10),IA-2 (10),Enhancement,2,,Single Sign-On,The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]. 
-nist_800_53_v4,nist_800_53_v4:ia-2(11),IA-2 (11),Enhancement,2,,Remote Access - Separate Device,The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. -nist_800_53_v4,nist_800_53_v4:ia-2(12),IA-2 (12),Enhancement,2,,Acceptance Of Piv Credentials,The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. -nist_800_53_v4,nist_800_53_v4:ia-2(13),IA-2 (13),Enhancement,2,,Out-Of-Band Authentication,The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]. -nist_800_53_v4,nist_800_53_v4:ia-2(2),IA-2 (2),Enhancement,2,,Network Access To Non-Privileged Accounts,The information system implements multifactor authentication for network access to non-privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-2(3),IA-2 (3),Enhancement,2,,Local Access To Privileged Accounts,The information system implements multifactor authentication for local access to privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-2(4),IA-2 (4),Enhancement,2,,Local Access To Non-Privileged Accounts,The information system implements multifactor authentication for local access to non-privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-2(5),IA-2 (5),Enhancement,2,,Group Authentication,The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. 
-nist_800_53_v4,nist_800_53_v4:ia-2(6),IA-2 (6),Enhancement,2,,Network Access To Privileged Accounts - Separate Device,The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. -nist_800_53_v4,nist_800_53_v4:ia-2(7),IA-2 (7),Enhancement,2,,Network Access To Non-Privileged Accounts - Separate Device,The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. -nist_800_53_v4,nist_800_53_v4:ia-2(8),IA-2 (8),Enhancement,2,,Network Access To Privileged Accounts - Replay Resistant,The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-2(9),IA-2 (9),Enhancement,2,,Network Access To Non-Privileged Accounts - Replay Resistant,The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. -nist_800_53_v4,nist_800_53_v4:ia-3,IA-3,Control,1,,Device Identification and Authentication, -nist_800_53_v4,nist_800_53_v4:ia-3(1),IA-3 (1),Enhancement,2,,Cryptographic Bidirectional Authentication,The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. 
-nist_800_53_v4,nist_800_53_v4:ia-3(3),IA-3 (3),Enhancement,2,,Dynamic Address Allocation,The organization: Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audits lease information when assigned to a device. -nist_800_53_v4,nist_800_53_v4:ia-3(4),IA-3 (4),Enhancement,2,,Device Attestation,The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. -nist_800_53_v4,nist_800_53_v4:ia-4,IA-4,Control,1,,Identifier Management, -nist_800_53_v4,nist_800_53_v4:ia-4(1),IA-4 (1),Enhancement,2,,Prohibit Account Identifiers As Public Identifiers,The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. -nist_800_53_v4,nist_800_53_v4:ia-4(2),IA-4 (2),Enhancement,2,,Supervisor Authorization,The organization requires that the registration process to receive an individual identifier includes supervisor authorization. -nist_800_53_v4,nist_800_53_v4:ia-4(3),IA-4 (3),Enhancement,2,,Multiple Forms Of Certification,The organization requires multiple forms of certification of individual identification be presented to the registration authority. -nist_800_53_v4,nist_800_53_v4:ia-4(4),IA-4 (4),Enhancement,2,,Identify User Status,The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. -nist_800_53_v4,nist_800_53_v4:ia-4(5),IA-4 (5),Enhancement,2,,Dynamic Management,The information system dynamically manages identifiers. 
-nist_800_53_v4,nist_800_53_v4:ia-4(6),IA-4 (6),Enhancement,2,,Cross-Organization Management,The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers. -nist_800_53_v4,nist_800_53_v4:ia-4(7),IA-4 (7),Enhancement,2,,In-Person Registration,The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority. -nist_800_53_v4,nist_800_53_v4:ia-4a.,IA-4a.,Statement,2,,,"The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;" -nist_800_53_v4,nist_800_53_v4:ia-4b.,IA-4b.,Statement,2,,,"The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;" -nist_800_53_v4,nist_800_53_v4:ia-4c.,IA-4c.,Statement,2,,,"The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;" -nist_800_53_v4,nist_800_53_v4:ia-4d.,IA-4d.,Statement,2,,,The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and -nist_800_53_v4,nist_800_53_v4:ia-4e.,IA-4e.,Statement,2,,,The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity]. 
-nist_800_53_v4,nist_800_53_v4:ia-5,IA-5,Control,1,,Authenticator Management, -nist_800_53_v4,nist_800_53_v4:ia-5(1),IA-5 (1),Enhancement,2,,Password-Based Authentication,"The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and transmits only cryptographically-protected passwords; Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; Prohibits password reuse for [Assignment: organization-defined number] generations; and Allows the use of a temporary password for system logons with an immediate change to a permanent password." -nist_800_53_v4,nist_800_53_v4:ia-5(10),IA-5 (10),Enhancement,2,,Dynamic Credential Association,The information system dynamically provisions identities. -nist_800_53_v4,nist_800_53_v4:ia-5(11),IA-5 (11),Enhancement,2,,Hardware Token-Based Authentication,"The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]." -nist_800_53_v4,nist_800_53_v4:ia-5(12),IA-5 (12),Enhancement,2,,Biometric-Based Authentication,"The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]." -nist_800_53_v4,nist_800_53_v4:ia-5(13),IA-5 (13),Enhancement,2,,Expiration Of Cached Authenticators,The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]. 
-nist_800_53_v4,nist_800_53_v4:ia-5(14),IA-5 (14),Enhancement,2,,Managing Content Of Pki Trust Stores,"The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications." -nist_800_53_v4,nist_800_53_v4:ia-5(15),IA-5 (15),Enhancement,2,,Ficam-Approved Products And Services,The organization uses only FICAM-approved path discovery and validation products and services. -nist_800_53_v4,nist_800_53_v4:ia-5(2),IA-5 (2),Enhancement,2,,Pki-Based Authentication,"The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network." -nist_800_53_v4,nist_800_53_v4:ia-5(3),IA-5 (3),Enhancement,2,,In-Person Or Trusted Third-Party Registration,The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:ia-5(4),IA-5 (4),Enhancement,2,,Automated Support For Password Strength Determination,The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. 
-nist_800_53_v4,nist_800_53_v4:ia-5(5),IA-5 (5),Enhancement,2,,Change Authenticators Prior To Delivery,The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. -nist_800_53_v4,nist_800_53_v4:ia-5(6),IA-5 (6),Enhancement,2,,Protection Of Authenticators,The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. -nist_800_53_v4,nist_800_53_v4:ia-5(7),IA-5 (7),Enhancement,2,,No Embedded Unencrypted Static Authenticators,The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. -nist_800_53_v4,nist_800_53_v4:ia-5(8),IA-5 (8),Enhancement,2,,Multiple Information System Accounts,The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems. -nist_800_53_v4,nist_800_53_v4:ia-5(9),IA-5 (9),Enhancement,2,,Cross-Organization Credential Management,The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials. 
-nist_800_53_v4,nist_800_53_v4:ia-5a.,IA-5a.,Statement,2,,,"The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;" -nist_800_53_v4,nist_800_53_v4:ia-5b.,IA-5b.,Statement,2,,,The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization; -nist_800_53_v4,nist_800_53_v4:ia-5c.,IA-5c.,Statement,2,,,The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use; -nist_800_53_v4,nist_800_53_v4:ia-5d.,IA-5d.,Statement,2,,,"The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;" -nist_800_53_v4,nist_800_53_v4:ia-5e.,IA-5e.,Statement,2,,,The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation; -nist_800_53_v4,nist_800_53_v4:ia-5f.,IA-5f.,Statement,2,,,The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; -nist_800_53_v4,nist_800_53_v4:ia-5g.,IA-5g.,Statement,2,,,The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; -nist_800_53_v4,nist_800_53_v4:ia-5h.,IA-5h.,Statement,2,,,The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification; -nist_800_53_v4,nist_800_53_v4:ia-5i.,IA-5i.,Statement,2,,,"The organization manages information system authenticators by: Requiring individuals to 
take, and having devices implement, specific security safeguards to protect authenticators; and" -nist_800_53_v4,nist_800_53_v4:ia-5j.,IA-5j.,Statement,2,,,The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes. -nist_800_53_v4,nist_800_53_v4:ia-6,IA-6,Control,1,,Authenticator Feedback, -nist_800_53_v4,nist_800_53_v4:ia-7,IA-7,Control,1,,Cryptographic Module Authentication, -nist_800_53_v4,nist_800_53_v4:ia-8,IA-8,Control,1,,Identification and Authentication (Non-Organizational Users), -nist_800_53_v4,nist_800_53_v4:ia-8(1),IA-8 (1),Enhancement,2,,Acceptance Of Piv Credentials From Other Agencies,The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. -nist_800_53_v4,nist_800_53_v4:ia-8(2),IA-8 (2),Enhancement,2,,Acceptance Of Third-Party Credentials,The information system accepts only FICAM-approved third-party credentials. -nist_800_53_v4,nist_800_53_v4:ia-8(3),IA-8 (3),Enhancement,2,,Use Of Ficam-Approved Products,The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials. -nist_800_53_v4,nist_800_53_v4:ia-8(4),IA-8 (4),Enhancement,2,,Use Of Ficam-Issued Profiles,The information system conforms to FICAM-issued profiles. -nist_800_53_v4,nist_800_53_v4:ia-8(5),IA-8 (5),Enhancement,2,,Acceptance Of Piv-I Credentials,The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials. -nist_800_53_v4,nist_800_53_v4:ia-9,IA-9,Control,1,,Service Identification and Authentication, -nist_800_53_v4,nist_800_53_v4:ia-9(1),IA-9 (1),Enhancement,2,,Information Exchange,"The organization ensures that service providers receive, validate, and transmit identification and authentication information." 
-nist_800_53_v4,nist_800_53_v4:ia-9(2),IA-9 (2),Enhancement,2,,Transmission Of Decisions,The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. +nist_800_53_v4,nist_800_53_v4:ia-1,IA-1,Control,1,1,Identification and Authentication Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ia-10,IA-10,Control,1,10,Adaptive Identification and Authentication, +nist_800_53_v4,nist_800_53_v4:ia-11,IA-11,Control,1,11,Re-Authentication, +nist_800_53_v4,nist_800_53_v4:ia-1a.,IA-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and" +nist_800_53_v4,nist_800_53_v4:ia-1b.,IA-1b.,Statement,2,2,,The organization: Reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and Identification and authentication procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ia-2,IA-2,Control,1,2,Identification and Authentication (Organizational Users), +nist_800_53_v4,nist_800_53_v4:ia-2(1),IA-2 (1),Enhancement,2,1,Network Access To Privileged Accounts,The information system implements multifactor authentication for network access to privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-2(10),IA-2 (10),Enhancement,2,10,Single Sign-On,The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]. 
+nist_800_53_v4,nist_800_53_v4:ia-2(11),IA-2 (11),Enhancement,2,11,Remote Access - Separate Device,The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. +nist_800_53_v4,nist_800_53_v4:ia-2(12),IA-2 (12),Enhancement,2,12,Acceptance Of Piv Credentials,The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. +nist_800_53_v4,nist_800_53_v4:ia-2(13),IA-2 (13),Enhancement,2,13,Out-Of-Band Authentication,The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]. +nist_800_53_v4,nist_800_53_v4:ia-2(2),IA-2 (2),Enhancement,2,2,Network Access To Non-Privileged Accounts,The information system implements multifactor authentication for network access to non-privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-2(3),IA-2 (3),Enhancement,2,3,Local Access To Privileged Accounts,The information system implements multifactor authentication for local access to privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-2(4),IA-2 (4),Enhancement,2,4,Local Access To Non-Privileged Accounts,The information system implements multifactor authentication for local access to non-privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-2(5),IA-2 (5),Enhancement,2,5,Group Authentication,The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. 
+nist_800_53_v4,nist_800_53_v4:ia-2(6),IA-2 (6),Enhancement,2,6,Network Access To Privileged Accounts - Separate Device,The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. +nist_800_53_v4,nist_800_53_v4:ia-2(7),IA-2 (7),Enhancement,2,7,Network Access To Non-Privileged Accounts - Separate Device,The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. +nist_800_53_v4,nist_800_53_v4:ia-2(8),IA-2 (8),Enhancement,2,8,Network Access To Privileged Accounts - Replay Resistant,The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-2(9),IA-2 (9),Enhancement,2,9,Network Access To Non-Privileged Accounts - Replay Resistant,The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. +nist_800_53_v4,nist_800_53_v4:ia-3,IA-3,Control,1,3,Device Identification and Authentication, +nist_800_53_v4,nist_800_53_v4:ia-3(1),IA-3 (1),Enhancement,2,1,Cryptographic Bidirectional Authentication,The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. 
+nist_800_53_v4,nist_800_53_v4:ia-3(3),IA-3 (3),Enhancement,2,3,Dynamic Address Allocation,The organization: Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audits lease information when assigned to a device. +nist_800_53_v4,nist_800_53_v4:ia-3(4),IA-3 (4),Enhancement,2,4,Device Attestation,The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]. +nist_800_53_v4,nist_800_53_v4:ia-4,IA-4,Control,1,4,Identifier Management, +nist_800_53_v4,nist_800_53_v4:ia-4(1),IA-4 (1),Enhancement,2,1,Prohibit Account Identifiers As Public Identifiers,The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. +nist_800_53_v4,nist_800_53_v4:ia-4(2),IA-4 (2),Enhancement,2,2,Supervisor Authorization,The organization requires that the registration process to receive an individual identifier includes supervisor authorization. +nist_800_53_v4,nist_800_53_v4:ia-4(3),IA-4 (3),Enhancement,2,3,Multiple Forms Of Certification,The organization requires multiple forms of certification of individual identification be presented to the registration authority. +nist_800_53_v4,nist_800_53_v4:ia-4(4),IA-4 (4),Enhancement,2,4,Identify User Status,The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. +nist_800_53_v4,nist_800_53_v4:ia-4(5),IA-4 (5),Enhancement,2,5,Dynamic Management,The information system dynamically manages identifiers. 
+nist_800_53_v4,nist_800_53_v4:ia-4(6),IA-4 (6),Enhancement,2,6,Cross-Organization Management,The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers. +nist_800_53_v4,nist_800_53_v4:ia-4(7),IA-4 (7),Enhancement,2,7,In-Person Registration,The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority. +nist_800_53_v4,nist_800_53_v4:ia-4a.,IA-4a.,Statement,2,1,,"The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;" +nist_800_53_v4,nist_800_53_v4:ia-4b.,IA-4b.,Statement,2,2,,"The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;" +nist_800_53_v4,nist_800_53_v4:ia-4c.,IA-4c.,Statement,2,3,,"The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;" +nist_800_53_v4,nist_800_53_v4:ia-4d.,IA-4d.,Statement,2,4,,The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and +nist_800_53_v4,nist_800_53_v4:ia-4e.,IA-4e.,Statement,2,5,,The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity]. 
+nist_800_53_v4,nist_800_53_v4:ia-5,IA-5,Control,1,5,Authenticator Management, +nist_800_53_v4,nist_800_53_v4:ia-5(1),IA-5 (1),Enhancement,2,1,Password-Based Authentication,"The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and transmits only cryptographically-protected passwords; Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; Prohibits password reuse for [Assignment: organization-defined number] generations; and Allows the use of a temporary password for system logons with an immediate change to a permanent password." +nist_800_53_v4,nist_800_53_v4:ia-5(10),IA-5 (10),Enhancement,2,10,Dynamic Credential Association,The information system dynamically provisions identities. +nist_800_53_v4,nist_800_53_v4:ia-5(11),IA-5 (11),Enhancement,2,11,Hardware Token-Based Authentication,"The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]." +nist_800_53_v4,nist_800_53_v4:ia-5(12),IA-5 (12),Enhancement,2,12,Biometric-Based Authentication,"The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]." +nist_800_53_v4,nist_800_53_v4:ia-5(13),IA-5 (13),Enhancement,2,13,Expiration Of Cached Authenticators,The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]. 
+nist_800_53_v4,nist_800_53_v4:ia-5(14),IA-5 (14),Enhancement,2,14,Managing Content Of Pki Trust Stores,"The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications." +nist_800_53_v4,nist_800_53_v4:ia-5(15),IA-5 (15),Enhancement,2,15,Ficam-Approved Products And Services,The organization uses only FICAM-approved path discovery and validation products and services. +nist_800_53_v4,nist_800_53_v4:ia-5(2),IA-5 (2),Enhancement,2,2,Pki-Based Authentication,"The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network." +nist_800_53_v4,nist_800_53_v4:ia-5(3),IA-5 (3),Enhancement,2,3,In-Person Or Trusted Third-Party Registration,The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:ia-5(4),IA-5 (4),Enhancement,2,4,Automated Support For Password Strength Determination,The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. 
+nist_800_53_v4,nist_800_53_v4:ia-5(5),IA-5 (5),Enhancement,2,5,Change Authenticators Prior To Delivery,The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. +nist_800_53_v4,nist_800_53_v4:ia-5(6),IA-5 (6),Enhancement,2,6,Protection Of Authenticators,The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. +nist_800_53_v4,nist_800_53_v4:ia-5(7),IA-5 (7),Enhancement,2,7,No Embedded Unencrypted Static Authenticators,The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. +nist_800_53_v4,nist_800_53_v4:ia-5(8),IA-5 (8),Enhancement,2,8,Multiple Information System Accounts,The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems. +nist_800_53_v4,nist_800_53_v4:ia-5(9),IA-5 (9),Enhancement,2,9,Cross-Organization Credential Management,The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials. 
+nist_800_53_v4,nist_800_53_v4:ia-5a.,IA-5a.,Statement,2,1,,"The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;" +nist_800_53_v4,nist_800_53_v4:ia-5b.,IA-5b.,Statement,2,2,,The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization; +nist_800_53_v4,nist_800_53_v4:ia-5c.,IA-5c.,Statement,2,3,,The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use; +nist_800_53_v4,nist_800_53_v4:ia-5d.,IA-5d.,Statement,2,4,,"The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;" +nist_800_53_v4,nist_800_53_v4:ia-5e.,IA-5e.,Statement,2,5,,The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation; +nist_800_53_v4,nist_800_53_v4:ia-5f.,IA-5f.,Statement,2,6,,The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; +nist_800_53_v4,nist_800_53_v4:ia-5g.,IA-5g.,Statement,2,7,,The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; +nist_800_53_v4,nist_800_53_v4:ia-5h.,IA-5h.,Statement,2,8,,The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification; +nist_800_53_v4,nist_800_53_v4:ia-5i.,IA-5i.,Statement,2,9,,"The organization manages information system authenticators by: Requiring 
individuals to take, and having devices implement, specific security safeguards to protect authenticators; and" +nist_800_53_v4,nist_800_53_v4:ia-5j.,IA-5j.,Statement,2,10,,The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes. +nist_800_53_v4,nist_800_53_v4:ia-6,IA-6,Control,1,6,Authenticator Feedback, +nist_800_53_v4,nist_800_53_v4:ia-7,IA-7,Control,1,7,Cryptographic Module Authentication, +nist_800_53_v4,nist_800_53_v4:ia-8,IA-8,Control,1,8,Identification and Authentication (Non-Organizational Users), +nist_800_53_v4,nist_800_53_v4:ia-8(1),IA-8 (1),Enhancement,2,1,Acceptance Of Piv Credentials From Other Agencies,The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. +nist_800_53_v4,nist_800_53_v4:ia-8(2),IA-8 (2),Enhancement,2,2,Acceptance Of Third-Party Credentials,The information system accepts only FICAM-approved third-party credentials. +nist_800_53_v4,nist_800_53_v4:ia-8(3),IA-8 (3),Enhancement,2,3,Use Of Ficam-Approved Products,The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials. +nist_800_53_v4,nist_800_53_v4:ia-8(4),IA-8 (4),Enhancement,2,4,Use Of Ficam-Issued Profiles,The information system conforms to FICAM-issued profiles. +nist_800_53_v4,nist_800_53_v4:ia-8(5),IA-8 (5),Enhancement,2,5,Acceptance Of Piv-I Credentials,The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials. +nist_800_53_v4,nist_800_53_v4:ia-9,IA-9,Control,1,9,Service Identification and Authentication, +nist_800_53_v4,nist_800_53_v4:ia-9(1),IA-9 (1),Enhancement,2,1,Information Exchange,"The organization ensures that service providers receive, validate, and transmit identification and authentication information." 
+nist_800_53_v4,nist_800_53_v4:ia-9(2),IA-9 (2),Enhancement,2,2,Transmission Of Decisions,The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies. nist_800_53_v4,nist_800_53_v4:ir,IR,Family,0,8,Incident Response, -nist_800_53_v4,nist_800_53_v4:ir-1,IR-1,Control,1,,Incident Response Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ir-10,IR-10,Control,1,,Integrated Information Security Analysis Team, -nist_800_53_v4,nist_800_53_v4:ir-1a.,IR-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and" -nist_800_53_v4,nist_800_53_v4:ir-1b.,IR-1b.,Statement,2,,,The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and Incident response procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ir-2,IR-2,Control,1,,Incident Response Training, -nist_800_53_v4,nist_800_53_v4:ir-2(1),IR-2 (1),Enhancement,2,,Simulated Events,The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. -nist_800_53_v4,nist_800_53_v4:ir-2(2),IR-2 (2),Enhancement,2,,Automated Training Environments,The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. 
-nist_800_53_v4,nist_800_53_v4:ir-2a.,IR-2a.,Statement,2,,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; -nist_800_53_v4,nist_800_53_v4:ir-2b.,IR-2b.,Statement,2,,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and -nist_800_53_v4,nist_800_53_v4:ir-2c.,IR-2c.,Statement,2,,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter. -nist_800_53_v4,nist_800_53_v4:ir-3,IR-3,Control,1,,Incident Response Testing, -nist_800_53_v4,nist_800_53_v4:ir-3(1),IR-3 (1),Enhancement,2,,Automated Testing,The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability. -nist_800_53_v4,nist_800_53_v4:ir-3(2),IR-3 (2),Enhancement,2,,Coordination With Related Plans,The organization coordinates incident response testing with organizational elements responsible for related plans. -nist_800_53_v4,nist_800_53_v4:ir-4,IR-4,Control,1,,Incident Handling, -nist_800_53_v4,nist_800_53_v4:ir-4(1),IR-4 (1),Enhancement,2,,Automated Incident Handling Processes,The organization employs automated mechanisms to support the incident handling process. -nist_800_53_v4,nist_800_53_v4:ir-4(10),IR-4 (10),Enhancement,2,,Supply Chain Coordination,The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. 
-nist_800_53_v4,nist_800_53_v4:ir-4(2),IR-4 (2),Enhancement,2,,Dynamic Reconfiguration,The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability. -nist_800_53_v4,nist_800_53_v4:ir-4(3),IR-4 (3),Enhancement,2,,Continuity Of Operations,The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions. -nist_800_53_v4,nist_800_53_v4:ir-4(4),IR-4 (4),Enhancement,2,,Information Correlation,The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. -nist_800_53_v4,nist_800_53_v4:ir-4(5),IR-4 (5),Enhancement,2,,Automatic Disabling Of Information System,The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected. -nist_800_53_v4,nist_800_53_v4:ir-4(6),IR-4 (6),Enhancement,2,,Insider Threats - Specific Capabilities,The organization implements incident handling capability for insider threats. -nist_800_53_v4,nist_800_53_v4:ir-4(7),IR-4 (7),Enhancement,2,,Insider Threats - Intra-Organization Coordination,The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]. -nist_800_53_v4,nist_800_53_v4:ir-4(8),IR-4 (8),Enhancement,2,,Correlation With External Organizations,The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses. 
-nist_800_53_v4,nist_800_53_v4:ir-4(9),IR-4 (9),Enhancement,2,,Dynamic Response Capability,The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents. -nist_800_53_v4,nist_800_53_v4:ir-4a.,IR-4a.,Statement,2,,,"The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;" -nist_800_53_v4,nist_800_53_v4:ir-4b.,IR-4b.,Statement,2,,,The organization: Coordinates incident handling activities with contingency planning activities; and -nist_800_53_v4,nist_800_53_v4:ir-4c.,IR-4c.,Statement,2,,,"The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly." -nist_800_53_v4,nist_800_53_v4:ir-5,IR-5,Control,1,,Incident Monitoring, -nist_800_53_v4,nist_800_53_v4:ir-5(1),IR-5 (1),Enhancement,2,,Automated Tracking / Data Collection / Analysis,The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. -nist_800_53_v4,nist_800_53_v4:ir-6,IR-6,Control,1,,Incident Reporting, -nist_800_53_v4,nist_800_53_v4:ir-6(1),IR-6 (1),Enhancement,2,,Automated Reporting,The organization employs automated mechanisms to assist in the reporting of security incidents. -nist_800_53_v4,nist_800_53_v4:ir-6(2),IR-6 (2),Enhancement,2,,Vulnerabilities Related To Incidents,The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]. 
-nist_800_53_v4,nist_800_53_v4:ir-6(3),IR-6 (3),Enhancement,2,,Coordination With Supply Chain,The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. -nist_800_53_v4,nist_800_53_v4:ir-6a.,IR-6a.,Statement,2,,,The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and -nist_800_53_v4,nist_800_53_v4:ir-6b.,IR-6b.,Statement,2,,,The organization: Reports security incident information to [Assignment: organization-defined authorities]. -nist_800_53_v4,nist_800_53_v4:ir-7,IR-7,Control,1,,Incident Response Assistance, -nist_800_53_v4,nist_800_53_v4:ir-7(1),IR-7 (1),Enhancement,2,,Automation Support For Availability Of Information / Support,The organization employs automated mechanisms to increase the availability of incident response-related information and support. -nist_800_53_v4,nist_800_53_v4:ir-7(2),IR-7 (2),Enhancement,2,,Coordination With External Providers,"The organization: Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and Identifies organizational incident response team members to the external providers." 
-nist_800_53_v4,nist_800_53_v4:ir-8,IR-8,Control,1,,Incident Response Plan, -nist_800_53_v4,nist_800_53_v4:ir-8a.,IR-8a.,Statement,2,,,"The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" -nist_800_53_v4,nist_800_53_v4:ir-8b.,IR-8b.,Statement,2,,,The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; -nist_800_53_v4,nist_800_53_v4:ir-8c.,IR-8c.,Statement,2,,,The organization: Reviews the incident response plan [Assignment: organization-defined frequency]; -nist_800_53_v4,nist_800_53_v4:ir-8d.,IR-8d.,Statement,2,,,"The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;" -nist_800_53_v4,nist_800_53_v4:ir-8e.,IR-8e.,Statement,2,,,The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and -nist_800_53_v4,nist_800_53_v4:ir-8f.,IR-8f.,Statement,2,,,The organization: Protects the incident response plan from unauthorized disclosure and modification. 
-nist_800_53_v4,nist_800_53_v4:ir-9,IR-9,Control,1,,Information Spillage Response, -nist_800_53_v4,nist_800_53_v4:ir-9(1),IR-9 (1),Enhancement,2,,Responsible Personnel,The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills. -nist_800_53_v4,nist_800_53_v4:ir-9(2),IR-9 (2),Enhancement,2,,Training,The organization provides information spillage response training [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ir-9(3),IR-9 (3),Enhancement,2,,Post-Spill Operations,The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. -nist_800_53_v4,nist_800_53_v4:ir-9(4),IR-9 (4),Enhancement,2,,Exposure To Unauthorized Personnel,The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. 
-nist_800_53_v4,nist_800_53_v4:ir-9a.,IR-9a.,Statement,2,,,The organization responds to information spills by: Identifying the specific information involved in the information system contamination; -nist_800_53_v4,nist_800_53_v4:ir-9b.,IR-9b.,Statement,2,,,The organization responds to information spills by: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; -nist_800_53_v4,nist_800_53_v4:ir-9c.,IR-9c.,Statement,2,,,The organization responds to information spills by: Isolating the contaminated information system or system component; -nist_800_53_v4,nist_800_53_v4:ir-9d.,IR-9d.,Statement,2,,,The organization responds to information spills by: Eradicating the information from the contaminated information system or component; -nist_800_53_v4,nist_800_53_v4:ir-9e.,IR-9e.,Statement,2,,,The organization responds to information spills by: Identifying other information systems or system components that may have been subsequently contaminated; and -nist_800_53_v4,nist_800_53_v4:ir-9f.,IR-9f.,Statement,2,,,The organization responds to information spills by: Performing other [Assignment: organization-defined actions]. 
+nist_800_53_v4,nist_800_53_v4:ir-1,IR-1,Control,1,1,Incident Response Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ir-10,IR-10,Control,1,10,Integrated Information Security Analysis Team, +nist_800_53_v4,nist_800_53_v4:ir-1a.,IR-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and" +nist_800_53_v4,nist_800_53_v4:ir-1b.,IR-1b.,Statement,2,2,,The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and Incident response procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ir-2,IR-2,Control,1,2,Incident Response Training, +nist_800_53_v4,nist_800_53_v4:ir-2(1),IR-2 (1),Enhancement,2,1,Simulated Events,The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. +nist_800_53_v4,nist_800_53_v4:ir-2(2),IR-2 (2),Enhancement,2,2,Automated Training Environments,The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. 
+nist_800_53_v4,nist_800_53_v4:ir-2a.,IR-2a.,Statement,2,1,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; +nist_800_53_v4,nist_800_53_v4:ir-2b.,IR-2b.,Statement,2,2,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and +nist_800_53_v4,nist_800_53_v4:ir-2c.,IR-2c.,Statement,2,3,,The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter. +nist_800_53_v4,nist_800_53_v4:ir-3,IR-3,Control,1,3,Incident Response Testing, +nist_800_53_v4,nist_800_53_v4:ir-3(1),IR-3 (1),Enhancement,2,1,Automated Testing,The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability. +nist_800_53_v4,nist_800_53_v4:ir-3(2),IR-3 (2),Enhancement,2,2,Coordination With Related Plans,The organization coordinates incident response testing with organizational elements responsible for related plans. +nist_800_53_v4,nist_800_53_v4:ir-4,IR-4,Control,1,4,Incident Handling, +nist_800_53_v4,nist_800_53_v4:ir-4(1),IR-4 (1),Enhancement,2,1,Automated Incident Handling Processes,The organization employs automated mechanisms to support the incident handling process. +nist_800_53_v4,nist_800_53_v4:ir-4(10),IR-4 (10),Enhancement,2,10,Supply Chain Coordination,The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. 
+nist_800_53_v4,nist_800_53_v4:ir-4(2),IR-4 (2),Enhancement,2,2,Dynamic Reconfiguration,The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability. +nist_800_53_v4,nist_800_53_v4:ir-4(3),IR-4 (3),Enhancement,2,3,Continuity Of Operations,The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions. +nist_800_53_v4,nist_800_53_v4:ir-4(4),IR-4 (4),Enhancement,2,4,Information Correlation,The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. +nist_800_53_v4,nist_800_53_v4:ir-4(5),IR-4 (5),Enhancement,2,5,Automatic Disabling Of Information System,The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected. +nist_800_53_v4,nist_800_53_v4:ir-4(6),IR-4 (6),Enhancement,2,6,Insider Threats - Specific Capabilities,The organization implements incident handling capability for insider threats. +nist_800_53_v4,nist_800_53_v4:ir-4(7),IR-4 (7),Enhancement,2,7,Insider Threats - Intra-Organization Coordination,The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]. +nist_800_53_v4,nist_800_53_v4:ir-4(8),IR-4 (8),Enhancement,2,8,Correlation With External Organizations,The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses. 
+nist_800_53_v4,nist_800_53_v4:ir-4(9),IR-4 (9),Enhancement,2,9,Dynamic Response Capability,The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents. +nist_800_53_v4,nist_800_53_v4:ir-4a.,IR-4a.,Statement,2,1,,"The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;" +nist_800_53_v4,nist_800_53_v4:ir-4b.,IR-4b.,Statement,2,2,,The organization: Coordinates incident handling activities with contingency planning activities; and +nist_800_53_v4,nist_800_53_v4:ir-4c.,IR-4c.,Statement,2,3,,"The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly." +nist_800_53_v4,nist_800_53_v4:ir-5,IR-5,Control,1,5,Incident Monitoring, +nist_800_53_v4,nist_800_53_v4:ir-5(1),IR-5 (1),Enhancement,2,1,Automated Tracking / Data Collection / Analysis,The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. +nist_800_53_v4,nist_800_53_v4:ir-6,IR-6,Control,1,6,Incident Reporting, +nist_800_53_v4,nist_800_53_v4:ir-6(1),IR-6 (1),Enhancement,2,1,Automated Reporting,The organization employs automated mechanisms to assist in the reporting of security incidents. +nist_800_53_v4,nist_800_53_v4:ir-6(2),IR-6 (2),Enhancement,2,2,Vulnerabilities Related To Incidents,The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]. 
+nist_800_53_v4,nist_800_53_v4:ir-6(3),IR-6 (3),Enhancement,2,3,Coordination With Supply Chain,The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. +nist_800_53_v4,nist_800_53_v4:ir-6a.,IR-6a.,Statement,2,1,,The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and +nist_800_53_v4,nist_800_53_v4:ir-6b.,IR-6b.,Statement,2,2,,The organization: Reports security incident information to [Assignment: organization-defined authorities]. +nist_800_53_v4,nist_800_53_v4:ir-7,IR-7,Control,1,7,Incident Response Assistance, +nist_800_53_v4,nist_800_53_v4:ir-7(1),IR-7 (1),Enhancement,2,1,Automation Support For Availability Of Information / Support,The organization employs automated mechanisms to increase the availability of incident response-related information and support. +nist_800_53_v4,nist_800_53_v4:ir-7(2),IR-7 (2),Enhancement,2,2,Coordination With External Providers,"The organization: Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and Identifies organizational incident response team members to the external providers." 
+nist_800_53_v4,nist_800_53_v4:ir-8,IR-8,Control,1,8,Incident Response Plan, +nist_800_53_v4,nist_800_53_v4:ir-8a.,IR-8a.,Statement,2,1,,"The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" +nist_800_53_v4,nist_800_53_v4:ir-8b.,IR-8b.,Statement,2,2,,The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; +nist_800_53_v4,nist_800_53_v4:ir-8c.,IR-8c.,Statement,2,3,,The organization: Reviews the incident response plan [Assignment: organization-defined frequency]; +nist_800_53_v4,nist_800_53_v4:ir-8d.,IR-8d.,Statement,2,4,,"The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;" +nist_800_53_v4,nist_800_53_v4:ir-8e.,IR-8e.,Statement,2,5,,The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and +nist_800_53_v4,nist_800_53_v4:ir-8f.,IR-8f.,Statement,2,6,,The organization: Protects the incident response plan from unauthorized disclosure and modification. 
+nist_800_53_v4,nist_800_53_v4:ir-9,IR-9,Control,1,9,Information Spillage Response, +nist_800_53_v4,nist_800_53_v4:ir-9(1),IR-9 (1),Enhancement,2,1,Responsible Personnel,The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills. +nist_800_53_v4,nist_800_53_v4:ir-9(2),IR-9 (2),Enhancement,2,2,Training,The organization provides information spillage response training [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ir-9(3),IR-9 (3),Enhancement,2,3,Post-Spill Operations,The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. +nist_800_53_v4,nist_800_53_v4:ir-9(4),IR-9 (4),Enhancement,2,4,Exposure To Unauthorized Personnel,The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. 
+nist_800_53_v4,nist_800_53_v4:ir-9a.,IR-9a.,Statement,2,1,,The organization responds to information spills by: Identifying the specific information involved in the information system contamination; +nist_800_53_v4,nist_800_53_v4:ir-9b.,IR-9b.,Statement,2,2,,The organization responds to information spills by: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; +nist_800_53_v4,nist_800_53_v4:ir-9c.,IR-9c.,Statement,2,3,,The organization responds to information spills by: Isolating the contaminated information system or system component; +nist_800_53_v4,nist_800_53_v4:ir-9d.,IR-9d.,Statement,2,4,,The organization responds to information spills by: Eradicating the information from the contaminated information system or component; +nist_800_53_v4,nist_800_53_v4:ir-9e.,IR-9e.,Statement,2,5,,The organization responds to information spills by: Identifying other information systems or system components that may have been subsequently contaminated; and +nist_800_53_v4,nist_800_53_v4:ir-9f.,IR-9f.,Statement,2,6,,The organization responds to information spills by: Performing other [Assignment: organization-defined actions]. 
nist_800_53_v4,nist_800_53_v4:ma,MA,Family,0,9,Maintenance, -nist_800_53_v4,nist_800_53_v4:ma-1,MA-1,Control,1,,System Maintenance Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ma-1a.,MA-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and" -nist_800_53_v4,nist_800_53_v4:ma-1b.,MA-1b.,Statement,2,,,The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and System maintenance procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ma-2,MA-2,Control,1,,Controlled Maintenance, -nist_800_53_v4,nist_800_53_v4:ma-2(2),MA-2 (2),Enhancement,2,,Automated Maintenance Activities,"The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed." 
-nist_800_53_v4,nist_800_53_v4:ma-2a.,MA-2a.,Statement,2,,,"The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" -nist_800_53_v4,nist_800_53_v4:ma-2b.,MA-2b.,Statement,2,,,"The organization: Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;" -nist_800_53_v4,nist_800_53_v4:ma-2c.,MA-2c.,Statement,2,,,The organization: Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; -nist_800_53_v4,nist_800_53_v4:ma-2d.,MA-2d.,Statement,2,,,The organization: Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; -nist_800_53_v4,nist_800_53_v4:ma-2e.,MA-2e.,Statement,2,,,The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and -nist_800_53_v4,nist_800_53_v4:ma-2f.,MA-2f.,Statement,2,,,The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. -nist_800_53_v4,nist_800_53_v4:ma-3,MA-3,Control,1,,Maintenance Tools, -nist_800_53_v4,nist_800_53_v4:ma-3(1),MA-3 (1),Enhancement,2,,Inspect Tools,The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. -nist_800_53_v4,nist_800_53_v4:ma-3(2),MA-3 (2),Enhancement,2,,Inspect Media,The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. 
-nist_800_53_v4,nist_800_53_v4:ma-3(3),MA-3 (3),Enhancement,2,,Prevent Unauthorized Removal,The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the equipment; Retaining the equipment within the facility; or Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. -nist_800_53_v4,nist_800_53_v4:ma-3(4),MA-3 (4),Enhancement,2,,Restricted Tool Use,The information system restricts the use of maintenance tools to authorized personnel only. -nist_800_53_v4,nist_800_53_v4:ma-4,MA-4,Control,1,,Nonlocal Maintenance, -nist_800_53_v4,nist_800_53_v4:ma-4(1),MA-4 (1),Enhancement,2,,Auditing And Review,The organization: Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions. -nist_800_53_v4,nist_800_53_v4:ma-4(2),MA-4 (2),Enhancement,2,,Document Nonlocal Maintenance,"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections." 
-nist_800_53_v4,nist_800_53_v4:ma-4(3),MA-4 (3),Enhancement,2,,Comparable Security / Sanitization,"The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system." -nist_800_53_v4,nist_800_53_v4:ma-4(4),MA-4 (4),Enhancement,2,,Authentication / Separation Of Maintenance Sessions,The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated communications paths based upon encryption. -nist_800_53_v4,nist_800_53_v4:ma-4(5),MA-4 (5),Enhancement,2,,Approvals And Notifications,The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance. -nist_800_53_v4,nist_800_53_v4:ma-4(6),MA-4 (6),Enhancement,2,,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. 
-nist_800_53_v4,nist_800_53_v4:ma-4(7),MA-4 (7),Enhancement,2,,Remote Disconnect Verification,The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. -nist_800_53_v4,nist_800_53_v4:ma-4a.,MA-4a.,Statement,2,,,The organization: Approves and monitors nonlocal maintenance and diagnostic activities; -nist_800_53_v4,nist_800_53_v4:ma-4b.,MA-4b.,Statement,2,,,The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; -nist_800_53_v4,nist_800_53_v4:ma-4c.,MA-4c.,Statement,2,,,The organization: Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; -nist_800_53_v4,nist_800_53_v4:ma-4d.,MA-4d.,Statement,2,,,The organization: Maintains records for nonlocal maintenance and diagnostic activities; and -nist_800_53_v4,nist_800_53_v4:ma-4e.,MA-4e.,Statement,2,,,The organization: Terminates session and network connections when nonlocal maintenance is completed. -nist_800_53_v4,nist_800_53_v4:ma-5,MA-5,Control,1,,Maintenance Personnel, -nist_800_53_v4,nist_800_53_v4:ma-5(1),MA-5 (1),Enhancement,2,,Individuals Without Appropriate Access,"The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. 
citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system." -nist_800_53_v4,nist_800_53_v4:ma-5(2),MA-5 (2),Enhancement,2,,Security Clearances For Classified Systems,"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system." -nist_800_53_v4,nist_800_53_v4:ma-5(3),MA-5 (3),Enhancement,2,,Citizenship Requirements For Classified Systems,"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens." 
-nist_800_53_v4,nist_800_53_v4:ma-5(4),MA-5 (4),Enhancement,2,,Foreign Nationals,"The organization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements." -nist_800_53_v4,nist_800_53_v4:ma-5(5),MA-5 (5),Enhancement,2,,Nonsystem-Related Maintenance,"The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations." -nist_800_53_v4,nist_800_53_v4:ma-5a.,MA-5a.,Statement,2,,,The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; -nist_800_53_v4,nist_800_53_v4:ma-5b.,MA-5b.,Statement,2,,,The organization: Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and -nist_800_53_v4,nist_800_53_v4:ma-5c.,MA-5c.,Statement,2,,,The organization: Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. 
-nist_800_53_v4,nist_800_53_v4:ma-6,MA-6,Control,1,,Timely Maintenance, -nist_800_53_v4,nist_800_53_v4:ma-6(1),MA-6 (1),Enhancement,2,,Preventive Maintenance,The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. -nist_800_53_v4,nist_800_53_v4:ma-6(2),MA-6 (2),Enhancement,2,,Predictive Maintenance,The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. -nist_800_53_v4,nist_800_53_v4:ma-6(3),MA-6 (3),Enhancement,2,,Automated Support For Predictive Maintenance,The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. +nist_800_53_v4,nist_800_53_v4:ma-1,MA-1,Control,1,1,System Maintenance Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ma-1a.,MA-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and" +nist_800_53_v4,nist_800_53_v4:ma-1b.,MA-1b.,Statement,2,2,,The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and System maintenance procedures [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:ma-2,MA-2,Control,1,2,Controlled Maintenance, +nist_800_53_v4,nist_800_53_v4:ma-2(2),MA-2 (2),Enhancement,2,2,Automated Maintenance Activities,"The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed." +nist_800_53_v4,nist_800_53_v4:ma-2a.,MA-2a.,Statement,2,1,,"The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" +nist_800_53_v4,nist_800_53_v4:ma-2b.,MA-2b.,Statement,2,2,,"The organization: Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;" +nist_800_53_v4,nist_800_53_v4:ma-2c.,MA-2c.,Statement,2,3,,The organization: Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; +nist_800_53_v4,nist_800_53_v4:ma-2d.,MA-2d.,Statement,2,4,,The organization: Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; +nist_800_53_v4,nist_800_53_v4:ma-2e.,MA-2e.,Statement,2,5,,The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and +nist_800_53_v4,nist_800_53_v4:ma-2f.,MA-2f.,Statement,2,6,,The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. 
+nist_800_53_v4,nist_800_53_v4:ma-3,MA-3,Control,1,3,Maintenance Tools, +nist_800_53_v4,nist_800_53_v4:ma-3(1),MA-3 (1),Enhancement,2,1,Inspect Tools,The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. +nist_800_53_v4,nist_800_53_v4:ma-3(2),MA-3 (2),Enhancement,2,2,Inspect Media,The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. +nist_800_53_v4,nist_800_53_v4:ma-3(3),MA-3 (3),Enhancement,2,3,Prevent Unauthorized Removal,The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the equipment; Retaining the equipment within the facility; or Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. +nist_800_53_v4,nist_800_53_v4:ma-3(4),MA-3 (4),Enhancement,2,4,Restricted Tool Use,The information system restricts the use of maintenance tools to authorized personnel only. +nist_800_53_v4,nist_800_53_v4:ma-4,MA-4,Control,1,4,Nonlocal Maintenance, +nist_800_53_v4,nist_800_53_v4:ma-4(1),MA-4 (1),Enhancement,2,1,Auditing And Review,The organization: Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions. +nist_800_53_v4,nist_800_53_v4:ma-4(2),MA-4 (2),Enhancement,2,2,Document Nonlocal Maintenance,"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections." 
+nist_800_53_v4,nist_800_53_v4:ma-4(3),MA-4 (3),Enhancement,2,3,Comparable Security / Sanitization,"The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system." +nist_800_53_v4,nist_800_53_v4:ma-4(4),MA-4 (4),Enhancement,2,4,Authentication / Separation Of Maintenance Sessions,The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated communications paths based upon encryption. +nist_800_53_v4,nist_800_53_v4:ma-4(5),MA-4 (5),Enhancement,2,5,Approvals And Notifications,The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance. +nist_800_53_v4,nist_800_53_v4:ma-4(6),MA-4 (6),Enhancement,2,6,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. 
+nist_800_53_v4,nist_800_53_v4:ma-4(7),MA-4 (7),Enhancement,2,7,Remote Disconnect Verification,The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. +nist_800_53_v4,nist_800_53_v4:ma-4a.,MA-4a.,Statement,2,1,,The organization: Approves and monitors nonlocal maintenance and diagnostic activities; +nist_800_53_v4,nist_800_53_v4:ma-4b.,MA-4b.,Statement,2,2,,The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; +nist_800_53_v4,nist_800_53_v4:ma-4c.,MA-4c.,Statement,2,3,,The organization: Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; +nist_800_53_v4,nist_800_53_v4:ma-4d.,MA-4d.,Statement,2,4,,The organization: Maintains records for nonlocal maintenance and diagnostic activities; and +nist_800_53_v4,nist_800_53_v4:ma-4e.,MA-4e.,Statement,2,5,,The organization: Terminates session and network connections when nonlocal maintenance is completed. +nist_800_53_v4,nist_800_53_v4:ma-5,MA-5,Control,1,5,Maintenance Personnel, +nist_800_53_v4,nist_800_53_v4:ma-5(1),MA-5 (1),Enhancement,2,1,Individuals Without Appropriate Access,"The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. 
citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system." +nist_800_53_v4,nist_800_53_v4:ma-5(2),MA-5 (2),Enhancement,2,2,Security Clearances For Classified Systems,"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system." +nist_800_53_v4,nist_800_53_v4:ma-5(3),MA-5 (3),Enhancement,2,3,Citizenship Requirements For Classified Systems,"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens." 
+nist_800_53_v4,nist_800_53_v4:ma-5(4),MA-5 (4),Enhancement,2,4,Foreign Nationals,"The organization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements." +nist_800_53_v4,nist_800_53_v4:ma-5(5),MA-5 (5),Enhancement,2,5,Nonsystem-Related Maintenance,"The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations." +nist_800_53_v4,nist_800_53_v4:ma-5a.,MA-5a.,Statement,2,1,,The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; +nist_800_53_v4,nist_800_53_v4:ma-5b.,MA-5b.,Statement,2,2,,The organization: Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and +nist_800_53_v4,nist_800_53_v4:ma-5c.,MA-5c.,Statement,2,3,,The organization: Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. 
+nist_800_53_v4,nist_800_53_v4:ma-6,MA-6,Control,1,6,Timely Maintenance, +nist_800_53_v4,nist_800_53_v4:ma-6(1),MA-6 (1),Enhancement,2,1,Preventive Maintenance,The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. +nist_800_53_v4,nist_800_53_v4:ma-6(2),MA-6 (2),Enhancement,2,2,Predictive Maintenance,The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. +nist_800_53_v4,nist_800_53_v4:ma-6(3),MA-6 (3),Enhancement,2,3,Automated Support For Predictive Maintenance,The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. nist_800_53_v4,nist_800_53_v4:mp,MP,Family,0,10,Media Protection, -nist_800_53_v4,nist_800_53_v4:mp-1,MP-1,Control,1,,Media Protection Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:mp-1a.,MP-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and" -nist_800_53_v4,nist_800_53_v4:mp-1b.,MP-1b.,Statement,2,,,The organization: Reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and Media protection procedures [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:mp-2,MP-2,Control,1,,Media Access, -nist_800_53_v4,nist_800_53_v4:mp-3,MP-3,Control,1,,Media Marking, -nist_800_53_v4,nist_800_53_v4:mp-3a.,MP-3a.,Statement,2,,,"The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" -nist_800_53_v4,nist_800_53_v4:mp-3b.,MP-3b.,Statement,2,,,The organization: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. -nist_800_53_v4,nist_800_53_v4:mp-4,MP-4,Control,1,,Media Storage, -nist_800_53_v4,nist_800_53_v4:mp-4(2),MP-4 (2),Enhancement,2,,Automated Restricted Access,The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. -nist_800_53_v4,nist_800_53_v4:mp-4a.,MP-4a.,Statement,2,,,The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and -nist_800_53_v4,nist_800_53_v4:mp-4b.,MP-4b.,Statement,2,,,"The organization: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures." -nist_800_53_v4,nist_800_53_v4:mp-5,MP-5,Control,1,,Media Transport, -nist_800_53_v4,nist_800_53_v4:mp-5(3),MP-5 (3),Enhancement,2,,Custodians,The organization employs an identified custodian during transport of information system media outside of controlled areas. -nist_800_53_v4,nist_800_53_v4:mp-5(4),MP-5 (4),Enhancement,2,,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. 
-nist_800_53_v4,nist_800_53_v4:mp-5a.,MP-5a.,Statement,2,,,The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; -nist_800_53_v4,nist_800_53_v4:mp-5b.,MP-5b.,Statement,2,,,The organization: Maintains accountability for information system media during transport outside of controlled areas; -nist_800_53_v4,nist_800_53_v4:mp-5c.,MP-5c.,Statement,2,,,The organization: Documents activities associated with the transport of information system media; and -nist_800_53_v4,nist_800_53_v4:mp-5d.,MP-5d.,Statement,2,,,The organization: Restricts the activities associated with the transport of information system media to authorized personnel. -nist_800_53_v4,nist_800_53_v4:mp-6,MP-6,Control,1,,Media Sanitization, -nist_800_53_v4,nist_800_53_v4:mp-6(1),MP-6 (1),Enhancement,2,,Review / Approve / Track / Document / Verify,"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions." -nist_800_53_v4,nist_800_53_v4:mp-6(2),MP-6 (2),Enhancement,2,,Equipment Testing,The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. -nist_800_53_v4,nist_800_53_v4:mp-6(3),MP-6 (3),Enhancement,2,,Nondestructive Techniques,The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. -nist_800_53_v4,nist_800_53_v4:mp-6(7),MP-6 (7),Enhancement,2,,Dual Authorization,The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]. 
-nist_800_53_v4,nist_800_53_v4:mp-6(8),MP-6 (8),Enhancement,2,,Remote Purging / Wiping Of Information,"The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]." -nist_800_53_v4,nist_800_53_v4:mp-6a.,MP-6a.,Statement,2,,,"The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and" -nist_800_53_v4,nist_800_53_v4:mp-6b.,MP-6b.,Statement,2,,,The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. -nist_800_53_v4,nist_800_53_v4:mp-7,MP-7,Control,1,,Media Use, -nist_800_53_v4,nist_800_53_v4:mp-7(1),MP-7 (1),Enhancement,2,,Prohibit Use Without Owner,The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. -nist_800_53_v4,nist_800_53_v4:mp-7(2),MP-7 (2),Enhancement,2,,Prohibit Use Of Sanitization-Resistant Media,The organization prohibits the use of sanitization-resistant media in organizational information systems. -nist_800_53_v4,nist_800_53_v4:mp-8,MP-8,Control,1,,Media Downgrading, -nist_800_53_v4,nist_800_53_v4:mp-8(1),MP-8 (1),Enhancement,2,,Documentation Of Process,The organization documents information system media downgrading actions. -nist_800_53_v4,nist_800_53_v4:mp-8(2),MP-8 (2),Enhancement,2,,Equipment Testing,The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:mp-8(3),MP-8 (3),Enhancement,2,,Controlled Unclassified Information,The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies. -nist_800_53_v4,nist_800_53_v4:mp-8(4),MP-8 (4),Enhancement,2,,Classified Information,The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. -nist_800_53_v4,nist_800_53_v4:mp-8a.,MP-8a.,Statement,2,,,The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity]; -nist_800_53_v4,nist_800_53_v4:mp-8b.,MP-8b.,Statement,2,,,The organization: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; -nist_800_53_v4,nist_800_53_v4:mp-8c.,MP-8c.,Statement,2,,,The organization: Identifies [Assignment: organization-defined information system media requiring downgrading]; and -nist_800_53_v4,nist_800_53_v4:mp-8d.,MP-8d.,Statement,2,,,The organization: Downgrades the identified information system media using the established process. 
+nist_800_53_v4,nist_800_53_v4:mp-1,MP-1,Control,1,1,Media Protection Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:mp-1a.,MP-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and" +nist_800_53_v4,nist_800_53_v4:mp-1b.,MP-1b.,Statement,2,2,,The organization: Reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and Media protection procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:mp-2,MP-2,Control,1,2,Media Access, +nist_800_53_v4,nist_800_53_v4:mp-3,MP-3,Control,1,3,Media Marking, +nist_800_53_v4,nist_800_53_v4:mp-3a.,MP-3a.,Statement,2,1,,"The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" +nist_800_53_v4,nist_800_53_v4:mp-3b.,MP-3b.,Statement,2,2,,The organization: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. +nist_800_53_v4,nist_800_53_v4:mp-4,MP-4,Control,1,4,Media Storage, +nist_800_53_v4,nist_800_53_v4:mp-4(2),MP-4 (2),Enhancement,2,2,Automated Restricted Access,The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. 
+nist_800_53_v4,nist_800_53_v4:mp-4a.,MP-4a.,Statement,2,1,,The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and +nist_800_53_v4,nist_800_53_v4:mp-4b.,MP-4b.,Statement,2,2,,"The organization: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures." +nist_800_53_v4,nist_800_53_v4:mp-5,MP-5,Control,1,5,Media Transport, +nist_800_53_v4,nist_800_53_v4:mp-5(3),MP-5 (3),Enhancement,2,3,Custodians,The organization employs an identified custodian during transport of information system media outside of controlled areas. +nist_800_53_v4,nist_800_53_v4:mp-5(4),MP-5 (4),Enhancement,2,4,Cryptographic Protection,The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. +nist_800_53_v4,nist_800_53_v4:mp-5a.,MP-5a.,Statement,2,1,,The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; +nist_800_53_v4,nist_800_53_v4:mp-5b.,MP-5b.,Statement,2,2,,The organization: Maintains accountability for information system media during transport outside of controlled areas; +nist_800_53_v4,nist_800_53_v4:mp-5c.,MP-5c.,Statement,2,3,,The organization: Documents activities associated with the transport of information system media; and +nist_800_53_v4,nist_800_53_v4:mp-5d.,MP-5d.,Statement,2,4,,The organization: Restricts the activities associated with the transport of information system media to authorized personnel. 
+nist_800_53_v4,nist_800_53_v4:mp-6,MP-6,Control,1,6,Media Sanitization, +nist_800_53_v4,nist_800_53_v4:mp-6(1),MP-6 (1),Enhancement,2,1,Review / Approve / Track / Document / Verify,"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions." +nist_800_53_v4,nist_800_53_v4:mp-6(2),MP-6 (2),Enhancement,2,2,Equipment Testing,The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. +nist_800_53_v4,nist_800_53_v4:mp-6(3),MP-6 (3),Enhancement,2,3,Nondestructive Techniques,The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. +nist_800_53_v4,nist_800_53_v4:mp-6(7),MP-6 (7),Enhancement,2,7,Dual Authorization,The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]. +nist_800_53_v4,nist_800_53_v4:mp-6(8),MP-6 (8),Enhancement,2,8,Remote Purging / Wiping Of Information,"The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]." 
+nist_800_53_v4,nist_800_53_v4:mp-6a.,MP-6a.,Statement,2,1,,"The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and" +nist_800_53_v4,nist_800_53_v4:mp-6b.,MP-6b.,Statement,2,2,,The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. +nist_800_53_v4,nist_800_53_v4:mp-7,MP-7,Control,1,7,Media Use, +nist_800_53_v4,nist_800_53_v4:mp-7(1),MP-7 (1),Enhancement,2,1,Prohibit Use Without Owner,The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. +nist_800_53_v4,nist_800_53_v4:mp-7(2),MP-7 (2),Enhancement,2,2,Prohibit Use Of Sanitization-Resistant Media,The organization prohibits the use of sanitization-resistant media in organizational information systems. +nist_800_53_v4,nist_800_53_v4:mp-8,MP-8,Control,1,8,Media Downgrading, +nist_800_53_v4,nist_800_53_v4:mp-8(1),MP-8 (1),Enhancement,2,1,Documentation Of Process,The organization documents information system media downgrading actions. +nist_800_53_v4,nist_800_53_v4:mp-8(2),MP-8 (2),Enhancement,2,2,Equipment Testing,The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:mp-8(3),MP-8 (3),Enhancement,2,3,Controlled Unclassified Information,The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies. 
+nist_800_53_v4,nist_800_53_v4:mp-8(4),MP-8 (4),Enhancement,2,4,Classified Information,The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. +nist_800_53_v4,nist_800_53_v4:mp-8a.,MP-8a.,Statement,2,1,,The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity]; +nist_800_53_v4,nist_800_53_v4:mp-8b.,MP-8b.,Statement,2,2,,The organization: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; +nist_800_53_v4,nist_800_53_v4:mp-8c.,MP-8c.,Statement,2,3,,The organization: Identifies [Assignment: organization-defined information system media requiring downgrading]; and +nist_800_53_v4,nist_800_53_v4:mp-8d.,MP-8d.,Statement,2,4,,The organization: Downgrades the identified information system media using the established process. 
nist_800_53_v4,nist_800_53_v4:pe,PE,Family,0,11,Physical and Environmental Protection, -nist_800_53_v4,nist_800_53_v4:pe-1,PE-1,Control,1,,Physical and Environmental Protection Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:pe-10,PE-10,Control,1,,Emergency Shutoff, -nist_800_53_v4,nist_800_53_v4:pe-10a.,PE-10a.,Statement,2,,,The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations; -nist_800_53_v4,nist_800_53_v4:pe-10b.,PE-10b.,Statement,2,,,The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and -nist_800_53_v4,nist_800_53_v4:pe-10c.,PE-10c.,Statement,2,,,The organization: Protects emergency power shutoff capability from unauthorized activation. -nist_800_53_v4,nist_800_53_v4:pe-11,PE-11,Control,1,,Emergency Power, -nist_800_53_v4,nist_800_53_v4:pe-11(1),PE-11 (1),Enhancement,2,,Long-Term Alternate Power Supply - Minimal Operational Capability,The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. -nist_800_53_v4,nist_800_53_v4:pe-11(2),PE-11 (2),Enhancement,2,,Long-Term Alternate Power Supply - Self-Contained,The organization provides a long-term alternate power supply for the information system that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. 
-nist_800_53_v4,nist_800_53_v4:pe-12,PE-12,Control,1,,Emergency Lighting, -nist_800_53_v4,nist_800_53_v4:pe-12(1),PE-12 (1),Enhancement,2,,Essential Missions / Business Functions,The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions. -nist_800_53_v4,nist_800_53_v4:pe-13,PE-13,Control,1,,Fire Protection, -nist_800_53_v4,nist_800_53_v4:pe-13(1),PE-13 (1),Enhancement,2,,Detection Devices / Systems,The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. -nist_800_53_v4,nist_800_53_v4:pe-13(2),PE-13 (2),Enhancement,2,,Suppression Devices / Systems,The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. -nist_800_53_v4,nist_800_53_v4:pe-13(3),PE-13 (3),Enhancement,2,,Automatic Fire Suppression,The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. -nist_800_53_v4,nist_800_53_v4:pe-13(4),PE-13 (4),Enhancement,2,,Inspections,The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:pe-14,PE-14,Control,1,,Temperature and Humidity Controls, -nist_800_53_v4,nist_800_53_v4:pe-14(1),PE-14 (1),Enhancement,2,,Automatic Controls,The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. 
-nist_800_53_v4,nist_800_53_v4:pe-14(2),PE-14 (2),Enhancement,2,,Monitoring With Alarms / Notifications,The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. -nist_800_53_v4,nist_800_53_v4:pe-14a.,PE-14a.,Statement,2,,,The organization: Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and -nist_800_53_v4,nist_800_53_v4:pe-14b.,PE-14b.,Statement,2,,,The organization: Monitors temperature and humidity levels [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:pe-15,PE-15,Control,1,,Water Damage Protection, -nist_800_53_v4,nist_800_53_v4:pe-15(1),PE-15 (1),Enhancement,2,,Automation Support,The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:pe-16,PE-16,Control,1,,Delivery and Removal, -nist_800_53_v4,nist_800_53_v4:pe-17,PE-17,Control,1,,Alternate Work Site, -nist_800_53_v4,nist_800_53_v4:pe-17a.,PE-17a.,Statement,2,,,The organization: Employs [Assignment: organization-defined security controls] at alternate work sites; -nist_800_53_v4,nist_800_53_v4:pe-17b.,PE-17b.,Statement,2,,,"The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and" -nist_800_53_v4,nist_800_53_v4:pe-17c.,PE-17c.,Statement,2,,,The organization: Provides a means for employees to communicate with information security personnel in case of security incidents or problems. 
-nist_800_53_v4,nist_800_53_v4:pe-18,PE-18,Control,1,,Location Of Information System Components, -nist_800_53_v4,nist_800_53_v4:pe-18(1),PE-18 (1),Enhancement,2,,Facility Site,"The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy." -nist_800_53_v4,nist_800_53_v4:pe-19,PE-19,Control,1,,Information Leakage, -nist_800_53_v4,nist_800_53_v4:pe-19(1),PE-19 (1),Enhancement,2,,National Emissions / Tempest Policies And Procedures,"The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information." -nist_800_53_v4,nist_800_53_v4:pe-1a.,PE-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and" -nist_800_53_v4,nist_800_53_v4:pe-1b.,PE-1b.,Statement,2,,,The organization: Reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and Physical and environmental protection procedures [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:pe-2,PE-2,Control,1,,Physical Access Authorizations, -nist_800_53_v4,nist_800_53_v4:pe-2(1),PE-2 (1),Enhancement,2,,Access By Position / Role,The organization authorizes physical access to the facility where the information system resides based on position or role. -nist_800_53_v4,nist_800_53_v4:pe-2(2),PE-2 (2),Enhancement,2,,Two Forms Of Identification,The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides. -nist_800_53_v4,nist_800_53_v4:pe-2(3),PE-2 (3),Enhancement,2,,Restrict Unescorted Access,The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]. -nist_800_53_v4,nist_800_53_v4:pe-20,PE-20,Control,1,,Asset Monitoring and Tracking, -nist_800_53_v4,nist_800_53_v4:pe-20a.,PE-20a.,Statement,2,,,The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and -nist_800_53_v4,nist_800_53_v4:pe-20b.,PE-20b.,Statement,2,,,"The organization: Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance." 
-nist_800_53_v4,nist_800_53_v4:pe-3,PE-3,Control,1,,Physical Access Control, -nist_800_53_v4,nist_800_53_v4:pe-3(1),PE-3 (1),Enhancement,2,,Information System Access,The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. -nist_800_53_v4,nist_800_53_v4:pe-3(2),PE-3 (2),Enhancement,2,,Facility / Information System Boundaries,The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. -nist_800_53_v4,nist_800_53_v4:pe-3(3),PE-3 (3),Enhancement,2,,Continuous Guards / Alarms / Monitoring,"The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week." -nist_800_53_v4,nist_800_53_v4:pe-3(4),PE-3 (4),Enhancement,2,,Lockable Casings,The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. -nist_800_53_v4,nist_800_53_v4:pe-3(5),PE-3 (5),Enhancement,2,,Tamper Protection,The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system. -nist_800_53_v4,nist_800_53_v4:pe-3(6),PE-3 (6),Enhancement,2,,Facility Penetration Testing,"The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility." 
-nist_800_53_v4,nist_800_53_v4:pe-3a.,PE-3a.,Statement,2,,,The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; -nist_800_53_v4,nist_800_53_v4:pe-3b.,PE-3b.,Statement,2,,,The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; -nist_800_53_v4,nist_800_53_v4:pe-3c.,PE-3c.,Statement,2,,,The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; -nist_800_53_v4,nist_800_53_v4:pe-3d.,PE-3d.,Statement,2,,,The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; -nist_800_53_v4,nist_800_53_v4:pe-3e.,PE-3e.,Statement,2,,,"The organization: Secures keys, combinations, and other physical access devices;" -nist_800_53_v4,nist_800_53_v4:pe-3f.,PE-3f.,Statement,2,,,The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and -nist_800_53_v4,nist_800_53_v4:pe-3g.,PE-3g.,Statement,2,,,"The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated." 
-nist_800_53_v4,nist_800_53_v4:pe-4,PE-4,Control,1,,Access Control For Transmission Medium, -nist_800_53_v4,nist_800_53_v4:pe-5,PE-5,Control,1,,Access Control For Output Devices, -nist_800_53_v4,nist_800_53_v4:pe-5(1),PE-5 (1),Enhancement,2,,Access To Output By Authorized Individuals,The organization: Controls physical access to output from [Assignment: organization-defined output devices]; and Ensures that only authorized individuals receive output from the device. -nist_800_53_v4,nist_800_53_v4:pe-5(2),PE-5 (2),Enhancement,2,,Access To Output By Individual Identity,The information system: Controls physical access to output from [Assignment: organization-defined output devices]; and Links individual identity to receipt of the output from the device. -nist_800_53_v4,nist_800_53_v4:pe-5(3),PE-5 (3),Enhancement,2,,Marking Output Devices,The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. -nist_800_53_v4,nist_800_53_v4:pe-6,PE-6,Control,1,,Monitoring Physical Access, -nist_800_53_v4,nist_800_53_v4:pe-6(1),PE-6 (1),Enhancement,2,,Intrusion Alarms / Surveillance Equipment,The organization monitors physical intrusion alarms and surveillance equipment. -nist_800_53_v4,nist_800_53_v4:pe-6(2),PE-6 (2),Enhancement,2,,Automated Intrusion Recognition / Responses,The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. -nist_800_53_v4,nist_800_53_v4:pe-6(3),PE-6 (3),Enhancement,2,,Video Surveillance,The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. 
-nist_800_53_v4,nist_800_53_v4:pe-6(4),PE-6 (4),Enhancement,2,,Monitoring Physical Access To Information Systems,The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. -nist_800_53_v4,nist_800_53_v4:pe-6a.,PE-6a.,Statement,2,,,The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; -nist_800_53_v4,nist_800_53_v4:pe-6b.,PE-6b.,Statement,2,,,The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and -nist_800_53_v4,nist_800_53_v4:pe-6c.,PE-6c.,Statement,2,,,The organization: Coordinates results of reviews and investigations with the organizational incident response capability. -nist_800_53_v4,nist_800_53_v4:pe-7,PE-7,Control,1,,Visitor Control, -nist_800_53_v4,nist_800_53_v4:pe-8,PE-8,Control,1,,Visitor Access Records, -nist_800_53_v4,nist_800_53_v4:pe-8(1),PE-8 (1),Enhancement,2,,Automated Records Maintenance / Review,The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records. -nist_800_53_v4,nist_800_53_v4:pe-8a.,PE-8a.,Statement,2,,,The organization: Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and -nist_800_53_v4,nist_800_53_v4:pe-8b.,PE-8b.,Statement,2,,,The organization: Reviews visitor access records [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:pe-9,PE-9,Control,1,,Power Equipment and Cabling, -nist_800_53_v4,nist_800_53_v4:pe-9(1),PE-9 (1),Enhancement,2,,Redundant Cabling,The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. -nist_800_53_v4,nist_800_53_v4:pe-9(2),PE-9 (2),Enhancement,2,,Automatic Voltage Controls,The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. +nist_800_53_v4,nist_800_53_v4:pe-1,PE-1,Control,1,1,Physical and Environmental Protection Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:pe-10,PE-10,Control,1,10,Emergency Shutoff, +nist_800_53_v4,nist_800_53_v4:pe-10a.,PE-10a.,Statement,2,1,,The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations; +nist_800_53_v4,nist_800_53_v4:pe-10b.,PE-10b.,Statement,2,2,,The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and +nist_800_53_v4,nist_800_53_v4:pe-10c.,PE-10c.,Statement,2,3,,The organization: Protects emergency power shutoff capability from unauthorized activation. +nist_800_53_v4,nist_800_53_v4:pe-11,PE-11,Control,1,11,Emergency Power, +nist_800_53_v4,nist_800_53_v4:pe-11(1),PE-11 (1),Enhancement,2,1,Long-Term Alternate Power Supply - Minimal Operational Capability,The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. 
+nist_800_53_v4,nist_800_53_v4:pe-11(2),PE-11 (2),Enhancement,2,2,Long-Term Alternate Power Supply - Self-Contained,The organization provides a long-term alternate power supply for the information system that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. +nist_800_53_v4,nist_800_53_v4:pe-12,PE-12,Control,1,12,Emergency Lighting, +nist_800_53_v4,nist_800_53_v4:pe-12(1),PE-12 (1),Enhancement,2,1,Essential Missions / Business Functions,The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions. +nist_800_53_v4,nist_800_53_v4:pe-13,PE-13,Control,1,13,Fire Protection, +nist_800_53_v4,nist_800_53_v4:pe-13(1),PE-13 (1),Enhancement,2,1,Detection Devices / Systems,The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. +nist_800_53_v4,nist_800_53_v4:pe-13(2),PE-13 (2),Enhancement,2,2,Suppression Devices / Systems,The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]. +nist_800_53_v4,nist_800_53_v4:pe-13(3),PE-13 (3),Enhancement,2,3,Automatic Fire Suppression,The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. 
+nist_800_53_v4,nist_800_53_v4:pe-13(4),PE-13 (4),Enhancement,2,4,Inspections,The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:pe-14,PE-14,Control,1,14,Temperature and Humidity Controls, +nist_800_53_v4,nist_800_53_v4:pe-14(1),PE-14 (1),Enhancement,2,1,Automatic Controls,The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. +nist_800_53_v4,nist_800_53_v4:pe-14(2),PE-14 (2),Enhancement,2,2,Monitoring With Alarms / Notifications,The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. +nist_800_53_v4,nist_800_53_v4:pe-14a.,PE-14a.,Statement,2,1,,The organization: Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and +nist_800_53_v4,nist_800_53_v4:pe-14b.,PE-14b.,Statement,2,2,,The organization: Monitors temperature and humidity levels [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:pe-15,PE-15,Control,1,15,Water Damage Protection, +nist_800_53_v4,nist_800_53_v4:pe-15(1),PE-15 (1),Enhancement,2,1,Automation Support,The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]. 
+nist_800_53_v4,nist_800_53_v4:pe-16,PE-16,Control,1,16,Delivery and Removal, +nist_800_53_v4,nist_800_53_v4:pe-17,PE-17,Control,1,17,Alternate Work Site, +nist_800_53_v4,nist_800_53_v4:pe-17a.,PE-17a.,Statement,2,1,,The organization: Employs [Assignment: organization-defined security controls] at alternate work sites; +nist_800_53_v4,nist_800_53_v4:pe-17b.,PE-17b.,Statement,2,2,,"The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and" +nist_800_53_v4,nist_800_53_v4:pe-17c.,PE-17c.,Statement,2,3,,The organization: Provides a means for employees to communicate with information security personnel in case of security incidents or problems. +nist_800_53_v4,nist_800_53_v4:pe-18,PE-18,Control,1,18,Location Of Information System Components, +nist_800_53_v4,nist_800_53_v4:pe-18(1),PE-18 (1),Enhancement,2,1,Facility Site,"The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy." +nist_800_53_v4,nist_800_53_v4:pe-19,PE-19,Control,1,19,Information Leakage, +nist_800_53_v4,nist_800_53_v4:pe-19(1),PE-19 (1),Enhancement,2,1,National Emissions / Tempest Policies And Procedures,"The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information." 
+nist_800_53_v4,nist_800_53_v4:pe-1a.,PE-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and" +nist_800_53_v4,nist_800_53_v4:pe-1b.,PE-1b.,Statement,2,2,,The organization: Reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and Physical and environmental protection procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:pe-2,PE-2,Control,1,2,Physical Access Authorizations, +nist_800_53_v4,nist_800_53_v4:pe-2(1),PE-2 (1),Enhancement,2,1,Access By Position / Role,The organization authorizes physical access to the facility where the information system resides based on position or role. +nist_800_53_v4,nist_800_53_v4:pe-2(2),PE-2 (2),Enhancement,2,2,Two Forms Of Identification,The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides. +nist_800_53_v4,nist_800_53_v4:pe-2(3),PE-2 (3),Enhancement,2,3,Restrict Unescorted Access,The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]. 
+nist_800_53_v4,nist_800_53_v4:pe-20,PE-20,Control,1,20,Asset Monitoring and Tracking, +nist_800_53_v4,nist_800_53_v4:pe-20a.,PE-20a.,Statement,2,1,,The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and +nist_800_53_v4,nist_800_53_v4:pe-20b.,PE-20b.,Statement,2,2,,"The organization: Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance." +nist_800_53_v4,nist_800_53_v4:pe-3,PE-3,Control,1,3,Physical Access Control, +nist_800_53_v4,nist_800_53_v4:pe-3(1),PE-3 (1),Enhancement,2,1,Information System Access,The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. +nist_800_53_v4,nist_800_53_v4:pe-3(2),PE-3 (2),Enhancement,2,2,Facility / Information System Boundaries,The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. +nist_800_53_v4,nist_800_53_v4:pe-3(3),PE-3 (3),Enhancement,2,3,Continuous Guards / Alarms / Monitoring,"The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week." +nist_800_53_v4,nist_800_53_v4:pe-3(4),PE-3 (4),Enhancement,2,4,Lockable Casings,The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. 
+nist_800_53_v4,nist_800_53_v4:pe-3(5),PE-3 (5),Enhancement,2,5,Tamper Protection,The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system. +nist_800_53_v4,nist_800_53_v4:pe-3(6),PE-3 (6),Enhancement,2,6,Facility Penetration Testing,"The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility." +nist_800_53_v4,nist_800_53_v4:pe-3a.,PE-3a.,Statement,2,1,,The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; +nist_800_53_v4,nist_800_53_v4:pe-3b.,PE-3b.,Statement,2,2,,The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; +nist_800_53_v4,nist_800_53_v4:pe-3c.,PE-3c.,Statement,2,3,,The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; +nist_800_53_v4,nist_800_53_v4:pe-3d.,PE-3d.,Statement,2,4,,The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; +nist_800_53_v4,nist_800_53_v4:pe-3e.,PE-3e.,Statement,2,5,,"The organization: Secures keys, combinations, and other physical access devices;" +nist_800_53_v4,nist_800_53_v4:pe-3f.,PE-3f.,Statement,2,6,,The organization: Inventories 
[Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and +nist_800_53_v4,nist_800_53_v4:pe-3g.,PE-3g.,Statement,2,7,,"The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated." +nist_800_53_v4,nist_800_53_v4:pe-4,PE-4,Control,1,4,Access Control For Transmission Medium, +nist_800_53_v4,nist_800_53_v4:pe-5,PE-5,Control,1,5,Access Control For Output Devices, +nist_800_53_v4,nist_800_53_v4:pe-5(1),PE-5 (1),Enhancement,2,1,Access To Output By Authorized Individuals,The organization: Controls physical access to output from [Assignment: organization-defined output devices]; and Ensures that only authorized individuals receive output from the device. +nist_800_53_v4,nist_800_53_v4:pe-5(2),PE-5 (2),Enhancement,2,2,Access To Output By Individual Identity,The information system: Controls physical access to output from [Assignment: organization-defined output devices]; and Links individual identity to receipt of the output from the device. +nist_800_53_v4,nist_800_53_v4:pe-5(3),PE-5 (3),Enhancement,2,3,Marking Output Devices,The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. +nist_800_53_v4,nist_800_53_v4:pe-6,PE-6,Control,1,6,Monitoring Physical Access, +nist_800_53_v4,nist_800_53_v4:pe-6(1),PE-6 (1),Enhancement,2,1,Intrusion Alarms / Surveillance Equipment,The organization monitors physical intrusion alarms and surveillance equipment. +nist_800_53_v4,nist_800_53_v4:pe-6(2),PE-6 (2),Enhancement,2,2,Automated Intrusion Recognition / Responses,The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. 
+nist_800_53_v4,nist_800_53_v4:pe-6(3),PE-6 (3),Enhancement,2,3,Video Surveillance,The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:pe-6(4),PE-6 (4),Enhancement,2,4,Monitoring Physical Access To Information Systems,The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. +nist_800_53_v4,nist_800_53_v4:pe-6a.,PE-6a.,Statement,2,1,,The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; +nist_800_53_v4,nist_800_53_v4:pe-6b.,PE-6b.,Statement,2,2,,The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and +nist_800_53_v4,nist_800_53_v4:pe-6c.,PE-6c.,Statement,2,3,,The organization: Coordinates results of reviews and investigations with the organizational incident response capability. +nist_800_53_v4,nist_800_53_v4:pe-7,PE-7,Control,1,7,Visitor Control, +nist_800_53_v4,nist_800_53_v4:pe-8,PE-8,Control,1,8,Visitor Access Records, +nist_800_53_v4,nist_800_53_v4:pe-8(1),PE-8 (1),Enhancement,2,1,Automated Records Maintenance / Review,The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records. 
+nist_800_53_v4,nist_800_53_v4:pe-8a.,PE-8a.,Statement,2,1,,The organization: Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and +nist_800_53_v4,nist_800_53_v4:pe-8b.,PE-8b.,Statement,2,2,,The organization: Reviews visitor access records [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:pe-9,PE-9,Control,1,9,Power Equipment and Cabling, +nist_800_53_v4,nist_800_53_v4:pe-9(1),PE-9 (1),Enhancement,2,1,Redundant Cabling,The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. +nist_800_53_v4,nist_800_53_v4:pe-9(2),PE-9 (2),Enhancement,2,2,Automatic Voltage Controls,The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. nist_800_53_v4,nist_800_53_v4:pl,PL,Family,0,12,Planning, -nist_800_53_v4,nist_800_53_v4:pl-1,PL-1,Control,1,,Security Planning Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:pl-1a.,PL-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and" -nist_800_53_v4,nist_800_53_v4:pl-1b.,PL-1b.,Statement,2,,,The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and Security planning procedures [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:pl-2,PL-2,Control,1,,System Security Plan, -nist_800_53_v4,nist_800_53_v4:pl-2(3),PL-2 (3),Enhancement,2,,Plan / Coordinate With Other Organizational Entities,The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. -nist_800_53_v4,nist_800_53_v4:pl-2a.,PL-2a.,Statement,2,,,"The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system and relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Identifies any relevant overlays, if applicable; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;" -nist_800_53_v4,nist_800_53_v4:pl-2b.,PL-2b.,Statement,2,,,The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; -nist_800_53_v4,nist_800_53_v4:pl-2c.,PL-2c.,Statement,2,,,The organization: Reviews the security plan for the information system [Assignment: organization-defined frequency]; -nist_800_53_v4,nist_800_53_v4:pl-2d.,PL-2d.,Statement,2,,,The organization: Updates the plan to address changes to the information system/environment of operation or problems identified 
during plan implementation or security control assessments; and -nist_800_53_v4,nist_800_53_v4:pl-2e.,PL-2e.,Statement,2,,,The organization: Protects the security plan from unauthorized disclosure and modification. -nist_800_53_v4,nist_800_53_v4:pl-3,PL-3,Control,1,,System Security Plan Update, -nist_800_53_v4,nist_800_53_v4:pl-4,PL-4,Control,1,,Rules Of Behavior, -nist_800_53_v4,nist_800_53_v4:pl-4(1),PL-4 (1),Enhancement,2,,Social Media And Networking Restrictions,"The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites." -nist_800_53_v4,nist_800_53_v4:pl-4a.,PL-4a.,Statement,2,,,"The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;" -nist_800_53_v4,nist_800_53_v4:pl-4b.,PL-4b.,Statement,2,,,"The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;" -nist_800_53_v4,nist_800_53_v4:pl-4c.,PL-4c.,Statement,2,,,The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and -nist_800_53_v4,nist_800_53_v4:pl-4d.,PL-4d.,Statement,2,,,The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated. 
-nist_800_53_v4,nist_800_53_v4:pl-5,PL-5,Control,1,,Privacy Impact Assessment, -nist_800_53_v4,nist_800_53_v4:pl-6,PL-6,Control,1,,Security-Related Activity Planning, -nist_800_53_v4,nist_800_53_v4:pl-7,PL-7,Control,1,,Security Concept Of Operations, -nist_800_53_v4,nist_800_53_v4:pl-7a.,PL-7a.,Statement,2,,,"The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and" -nist_800_53_v4,nist_800_53_v4:pl-7b.,PL-7b.,Statement,2,,,The organization: Reviews and updates the CONOPS [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:pl-8,PL-8,Control,1,,Information Security Architecture, -nist_800_53_v4,nist_800_53_v4:pl-8(1),PL-8 (1),Enhancement,2,,Defense-In-Depth,The organization designs its security architecture using a defense-in-depth approach that: Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. -nist_800_53_v4,nist_800_53_v4:pl-8(2),PL-8 (2),Enhancement,2,,Supplier Diversity,The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. 
-nist_800_53_v4,nist_800_53_v4:pl-8a.,PL-8a.,Statement,2,,,"The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about, and dependencies on, external services;" -nist_800_53_v4,nist_800_53_v4:pl-8b.,PL-8b.,Statement,2,,,The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and -nist_800_53_v4,nist_800_53_v4:pl-8c.,PL-8c.,Statement,2,,,"The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions." -nist_800_53_v4,nist_800_53_v4:pl-9,PL-9,Control,1,,Central Management, +nist_800_53_v4,nist_800_53_v4:pl-1,PL-1,Control,1,1,Security Planning Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:pl-1a.,PL-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and" +nist_800_53_v4,nist_800_53_v4:pl-1b.,PL-1b.,Statement,2,2,,The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and Security planning procedures [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:pl-2,PL-2,Control,1,2,System Security Plan, +nist_800_53_v4,nist_800_53_v4:pl-2(3),PL-2 (3),Enhancement,2,3,Plan / Coordinate With Other Organizational Entities,The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. +nist_800_53_v4,nist_800_53_v4:pl-2a.,PL-2a.,Statement,2,1,,"The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system and relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Identifies any relevant overlays, if applicable; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;" +nist_800_53_v4,nist_800_53_v4:pl-2b.,PL-2b.,Statement,2,2,,The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; +nist_800_53_v4,nist_800_53_v4:pl-2c.,PL-2c.,Statement,2,3,,The organization: Reviews the security plan for the information system [Assignment: organization-defined frequency]; +nist_800_53_v4,nist_800_53_v4:pl-2d.,PL-2d.,Statement,2,4,,The organization: Updates the plan to address changes to the information system/environment of operation or problems 
identified during plan implementation or security control assessments; and +nist_800_53_v4,nist_800_53_v4:pl-2e.,PL-2e.,Statement,2,5,,The organization: Protects the security plan from unauthorized disclosure and modification. +nist_800_53_v4,nist_800_53_v4:pl-3,PL-3,Control,1,3,System Security Plan Update, +nist_800_53_v4,nist_800_53_v4:pl-4,PL-4,Control,1,4,Rules Of Behavior, +nist_800_53_v4,nist_800_53_v4:pl-4(1),PL-4 (1),Enhancement,2,1,Social Media And Networking Restrictions,"The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites." +nist_800_53_v4,nist_800_53_v4:pl-4a.,PL-4a.,Statement,2,1,,"The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;" +nist_800_53_v4,nist_800_53_v4:pl-4b.,PL-4b.,Statement,2,2,,"The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;" +nist_800_53_v4,nist_800_53_v4:pl-4c.,PL-4c.,Statement,2,3,,The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and +nist_800_53_v4,nist_800_53_v4:pl-4d.,PL-4d.,Statement,2,4,,The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated. 
+nist_800_53_v4,nist_800_53_v4:pl-5,PL-5,Control,1,5,Privacy Impact Assessment, +nist_800_53_v4,nist_800_53_v4:pl-6,PL-6,Control,1,6,Security-Related Activity Planning, +nist_800_53_v4,nist_800_53_v4:pl-7,PL-7,Control,1,7,Security Concept Of Operations, +nist_800_53_v4,nist_800_53_v4:pl-7a.,PL-7a.,Statement,2,1,,"The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and" +nist_800_53_v4,nist_800_53_v4:pl-7b.,PL-7b.,Statement,2,2,,The organization: Reviews and updates the CONOPS [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:pl-8,PL-8,Control,1,8,Information Security Architecture, +nist_800_53_v4,nist_800_53_v4:pl-8(1),PL-8 (1),Enhancement,2,1,Defense-In-Depth,The organization designs its security architecture using a defense-in-depth approach that: Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. +nist_800_53_v4,nist_800_53_v4:pl-8(2),PL-8 (2),Enhancement,2,2,Supplier Diversity,The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. 
+nist_800_53_v4,nist_800_53_v4:pl-8a.,PL-8a.,Statement,2,1,,"The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about, and dependencies on, external services;" +nist_800_53_v4,nist_800_53_v4:pl-8b.,PL-8b.,Statement,2,2,,The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and +nist_800_53_v4,nist_800_53_v4:pl-8c.,PL-8c.,Statement,2,3,,"The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions." 
+nist_800_53_v4,nist_800_53_v4:pl-9,PL-9,Control,1,9,Central Management, nist_800_53_v4,nist_800_53_v4:pm,PM,Family,0,13,Program Management, -nist_800_53_v4,nist_800_53_v4:pm-1,PM-1,Control,1,,Information Security Program Plan, -nist_800_53_v4,nist_800_53_v4:pm-10,PM-10,Control,1,,Security Authorization Process, -nist_800_53_v4,nist_800_53_v4:pm-10a.,PM-10a.,Statement,2,,,"The organization: Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;" -nist_800_53_v4,nist_800_53_v4:pm-10b.,PM-10b.,Statement,2,,,The organization: Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and -nist_800_53_v4,nist_800_53_v4:pm-10c.,PM-10c.,Statement,2,,,The organization: Fully integrates the security authorization processes into an organization-wide risk management program. -nist_800_53_v4,nist_800_53_v4:pm-11,PM-11,Control,1,,Mission/Business Process Definition, -nist_800_53_v4,nist_800_53_v4:pm-11a.,PM-11a.,Statement,2,,,"The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" -nist_800_53_v4,nist_800_53_v4:pm-11b.,PM-11b.,Statement,2,,,"The organization: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained." 
-nist_800_53_v4,nist_800_53_v4:pm-12,PM-12,Control,1,,Insider Threat Program, -nist_800_53_v4,nist_800_53_v4:pm-13,PM-13,Control,1,,Information Security Workforce, -nist_800_53_v4,nist_800_53_v4:pm-14,PM-14,Control,1,,"Testing, Training, and Monitoring", -nist_800_53_v4,nist_800_53_v4:pm-14a.,PM-14a.,Statement,2,,,"The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner;" -nist_800_53_v4,nist_800_53_v4:pm-14b.,PM-14b.,Statement,2,,,"The organization: Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." -nist_800_53_v4,nist_800_53_v4:pm-15,PM-15,Control,1,,Contacts With Security Groups and Associations, -nist_800_53_v4,nist_800_53_v4:pm-15a.,PM-15a.,Statement,2,,,The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel; -nist_800_53_v4,nist_800_53_v4:pm-15b.,PM-15b.,Statement,2,,,"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To maintain currency with recommended security practices, techniques, and technologies; and" -nist_800_53_v4,nist_800_53_v4:pm-15c.,PM-15c.,Statement,2,,,"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To share current security-related information including threats, vulnerabilities, and incidents." 
-nist_800_53_v4,nist_800_53_v4:pm-16,PM-16,Control,1,,Threat Awareness Program, -nist_800_53_v4,nist_800_53_v4:pm-1a.,PM-1a.,Statement,2,,,"The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" -nist_800_53_v4,nist_800_53_v4:pm-1b.,PM-1b.,Statement,2,,,The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; -nist_800_53_v4,nist_800_53_v4:pm-1c.,PM-1c.,Statement,2,,,The organization: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and -nist_800_53_v4,nist_800_53_v4:pm-1d.,PM-1d.,Statement,2,,,The organization: Protects the information security program plan from unauthorized disclosure and modification. 
-nist_800_53_v4,nist_800_53_v4:pm-2,PM-2,Control,1,,Senior Information Security Officer, -nist_800_53_v4,nist_800_53_v4:pm-3,PM-3,Control,1,,Information Security Resources, -nist_800_53_v4,nist_800_53_v4:pm-3a.,PM-3a.,Statement,2,,,The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; -nist_800_53_v4,nist_800_53_v4:pm-3b.,PM-3b.,Statement,2,,,The organization: Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and -nist_800_53_v4,nist_800_53_v4:pm-3c.,PM-3c.,Statement,2,,,The organization: Ensures that information security resources are available for expenditure as planned. -nist_800_53_v4,nist_800_53_v4:pm-4,PM-4,Control,1,,Plan Of Action and Milestones Process, -nist_800_53_v4,nist_800_53_v4:pm-4a.,PM-4a.,Statement,2,,,"The organization: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB FISMA reporting requirements." -nist_800_53_v4,nist_800_53_v4:pm-4b.,PM-4b.,Statement,2,,,The organization: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. 
-nist_800_53_v4,nist_800_53_v4:pm-5,PM-5,Control,1,,Information System Inventory, -nist_800_53_v4,nist_800_53_v4:pm-6,PM-6,Control,1,,Information Security Measures Of Performance, -nist_800_53_v4,nist_800_53_v4:pm-7,PM-7,Control,1,,Enterprise Architecture, -nist_800_53_v4,nist_800_53_v4:pm-8,PM-8,Control,1,,Critical Infrastructure Plan, -nist_800_53_v4,nist_800_53_v4:pm-9,PM-9,Control,1,,Risk Management Strategy, -nist_800_53_v4,nist_800_53_v4:pm-9a.,PM-9a.,Statement,2,,,"The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;" -nist_800_53_v4,nist_800_53_v4:pm-9b.,PM-9b.,Statement,2,,,The organization: Implements the risk management strategy consistently across the organization; and -nist_800_53_v4,nist_800_53_v4:pm-9c.,PM-9c.,Statement,2,,,"The organization: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes." +nist_800_53_v4,nist_800_53_v4:pm-1,PM-1,Control,1,1,Information Security Program Plan, +nist_800_53_v4,nist_800_53_v4:pm-10,PM-10,Control,1,10,Security Authorization Process, +nist_800_53_v4,nist_800_53_v4:pm-10a.,PM-10a.,Statement,2,1,,"The organization: Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;" +nist_800_53_v4,nist_800_53_v4:pm-10b.,PM-10b.,Statement,2,2,,The organization: Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and +nist_800_53_v4,nist_800_53_v4:pm-10c.,PM-10c.,Statement,2,3,,The organization: Fully integrates the security authorization processes into an organization-wide risk management program. 
+nist_800_53_v4,nist_800_53_v4:pm-11,PM-11,Control,1,11,Mission/Business Process Definition, +nist_800_53_v4,nist_800_53_v4:pm-11a.,PM-11a.,Statement,2,1,,"The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" +nist_800_53_v4,nist_800_53_v4:pm-11b.,PM-11b.,Statement,2,2,,"The organization: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained." +nist_800_53_v4,nist_800_53_v4:pm-12,PM-12,Control,1,12,Insider Threat Program, +nist_800_53_v4,nist_800_53_v4:pm-13,PM-13,Control,1,13,Information Security Workforce, +nist_800_53_v4,nist_800_53_v4:pm-14,PM-14,Control,1,14,"Testing, Training, and Monitoring", +nist_800_53_v4,nist_800_53_v4:pm-14a.,PM-14a.,Statement,2,1,,"The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner;" +nist_800_53_v4,nist_800_53_v4:pm-14b.,PM-14b.,Statement,2,2,,"The organization: Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." 
+nist_800_53_v4,nist_800_53_v4:pm-15,PM-15,Control,1,15,Contacts With Security Groups and Associations, +nist_800_53_v4,nist_800_53_v4:pm-15a.,PM-15a.,Statement,2,1,,The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel; +nist_800_53_v4,nist_800_53_v4:pm-15b.,PM-15b.,Statement,2,2,,"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To maintain currency with recommended security practices, techniques, and technologies; and" +nist_800_53_v4,nist_800_53_v4:pm-15c.,PM-15c.,Statement,2,3,,"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To share current security-related information including threats, vulnerabilities, and incidents." +nist_800_53_v4,nist_800_53_v4:pm-16,PM-16,Control,1,16,Threat Awareness Program, +nist_800_53_v4,nist_800_53_v4:pm-1a.,PM-1a.,Statement,2,1,,"The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" 
+nist_800_53_v4,nist_800_53_v4:pm-1b.,PM-1b.,Statement,2,2,,The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; +nist_800_53_v4,nist_800_53_v4:pm-1c.,PM-1c.,Statement,2,3,,The organization: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and +nist_800_53_v4,nist_800_53_v4:pm-1d.,PM-1d.,Statement,2,4,,The organization: Protects the information security program plan from unauthorized disclosure and modification. +nist_800_53_v4,nist_800_53_v4:pm-2,PM-2,Control,1,2,Senior Information Security Officer, +nist_800_53_v4,nist_800_53_v4:pm-3,PM-3,Control,1,3,Information Security Resources, +nist_800_53_v4,nist_800_53_v4:pm-3a.,PM-3a.,Statement,2,1,,The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; +nist_800_53_v4,nist_800_53_v4:pm-3b.,PM-3b.,Statement,2,2,,The organization: Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and +nist_800_53_v4,nist_800_53_v4:pm-3c.,PM-3c.,Statement,2,3,,The organization: Ensures that information security resources are available for expenditure as planned. +nist_800_53_v4,nist_800_53_v4:pm-4,PM-4,Control,1,4,Plan Of Action and Milestones Process, +nist_800_53_v4,nist_800_53_v4:pm-4a.,PM-4a.,Statement,2,1,,"The organization: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB FISMA reporting requirements." 
+nist_800_53_v4,nist_800_53_v4:pm-4b.,PM-4b.,Statement,2,2,,The organization: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. +nist_800_53_v4,nist_800_53_v4:pm-5,PM-5,Control,1,5,Information System Inventory, +nist_800_53_v4,nist_800_53_v4:pm-6,PM-6,Control,1,6,Information Security Measures Of Performance, +nist_800_53_v4,nist_800_53_v4:pm-7,PM-7,Control,1,7,Enterprise Architecture, +nist_800_53_v4,nist_800_53_v4:pm-8,PM-8,Control,1,8,Critical Infrastructure Plan, +nist_800_53_v4,nist_800_53_v4:pm-9,PM-9,Control,1,9,Risk Management Strategy, +nist_800_53_v4,nist_800_53_v4:pm-9a.,PM-9a.,Statement,2,1,,"The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;" +nist_800_53_v4,nist_800_53_v4:pm-9b.,PM-9b.,Statement,2,2,,The organization: Implements the risk management strategy consistently across the organization; and +nist_800_53_v4,nist_800_53_v4:pm-9c.,PM-9c.,Statement,2,3,,"The organization: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes." 
nist_800_53_v4,nist_800_53_v4:ps,PS,Family,0,14,Personnel Security, -nist_800_53_v4,nist_800_53_v4:ps-1,PS-1,Control,1,,Personnel Security Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ps-1a.,PS-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and" -nist_800_53_v4,nist_800_53_v4:ps-1b.,PS-1b.,Statement,2,,,The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and Personnel security procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ps-2,PS-2,Control,1,,Position Risk Designation, -nist_800_53_v4,nist_800_53_v4:ps-2a.,PS-2a.,Statement,2,,,The organization: Assigns a risk designation to all organizational positions; -nist_800_53_v4,nist_800_53_v4:ps-2b.,PS-2b.,Statement,2,,,The organization: Establishes screening criteria for individuals filling those positions; and -nist_800_53_v4,nist_800_53_v4:ps-2c.,PS-2c.,Statement,2,,,The organization: Reviews and updates position risk designations [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ps-3,PS-3,Control,1,,Personnel Screening, -nist_800_53_v4,nist_800_53_v4:ps-3(1),PS-3 (1),Enhancement,2,,Classified Information,"The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system." 
-nist_800_53_v4,nist_800_53_v4:ps-3(2),PS-3 (2),Enhancement,2,,Formal Indoctrination,"The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system." -nist_800_53_v4,nist_800_53_v4:ps-3(3),PS-3 (3),Enhancement,2,,Information With Special Protection Measures,"The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official government duties; and Satisfy [Assignment: organization-defined additional personnel screening criteria]." -nist_800_53_v4,nist_800_53_v4:ps-3a.,PS-3a.,Statement,2,,,The organization: Screens individuals prior to authorizing access to the information system; and -nist_800_53_v4,nist_800_53_v4:ps-3b.,PS-3b.,Statement,2,,,"The organization: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]." -nist_800_53_v4,nist_800_53_v4:ps-4,PS-4,Control,1,,Personnel Termination, -nist_800_53_v4,nist_800_53_v4:ps-4(1),PS-4 (1),Enhancement,2,,Post-Employment Requirements,"The organization: Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process." -nist_800_53_v4,nist_800_53_v4:ps-4(2),PS-4 (2),Enhancement,2,,Automated Notification,The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual. 
-nist_800_53_v4,nist_800_53_v4:ps-4a.,PS-4a.,Statement,2,,,"The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];" -nist_800_53_v4,nist_800_53_v4:ps-4b.,PS-4b.,Statement,2,,,"The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;" -nist_800_53_v4,nist_800_53_v4:ps-4c.,PS-4c.,Statement,2,,,"The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];" -nist_800_53_v4,nist_800_53_v4:ps-4d.,PS-4d.,Statement,2,,,"The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;" -nist_800_53_v4,nist_800_53_v4:ps-4e.,PS-4e.,Statement,2,,,"The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and" -nist_800_53_v4,nist_800_53_v4:ps-4f.,PS-4f.,Statement,2,,,"The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]." 
-nist_800_53_v4,nist_800_53_v4:ps-5,PS-5,Control,1,,Personnel Transfer, -nist_800_53_v4,nist_800_53_v4:ps-5a.,PS-5a.,Statement,2,,,The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; -nist_800_53_v4,nist_800_53_v4:ps-5b.,PS-5b.,Statement,2,,,The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; -nist_800_53_v4,nist_800_53_v4:ps-5c.,PS-5c.,Statement,2,,,The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and -nist_800_53_v4,nist_800_53_v4:ps-5d.,PS-5d.,Statement,2,,,The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:ps-6,PS-6,Control,1,,Access Agreements, -nist_800_53_v4,nist_800_53_v4:ps-6(2),PS-6 (2),Enhancement,2,,Classified Information Requiring Special Protection,"The organization ensures that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government duties; Satisfy associated personnel security criteria; and Have read, understood, and signed a nondisclosure agreement." -nist_800_53_v4,nist_800_53_v4:ps-6(3),PS-6 (3),Enhancement,2,,Post-Employment Requirements,"The organization: Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information." 
-nist_800_53_v4,nist_800_53_v4:ps-6a.,PS-6a.,Statement,2,,,The organization: Develops and documents access agreements for organizational information systems; -nist_800_53_v4,nist_800_53_v4:ps-6b.,PS-6b.,Statement,2,,,The organization: Reviews and updates the access agreements [Assignment: organization-defined frequency]; and -nist_800_53_v4,nist_800_53_v4:ps-6c.,PS-6c.,Statement,2,,,The organization: Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:ps-7,PS-7,Control,1,,Third-Party Personnel Security, -nist_800_53_v4,nist_800_53_v4:ps-7a.,PS-7a.,Statement,2,,,The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; -nist_800_53_v4,nist_800_53_v4:ps-7b.,PS-7b.,Statement,2,,,The organization: Requires third-party providers to comply with personnel security policies and procedures established by the organization; -nist_800_53_v4,nist_800_53_v4:ps-7c.,PS-7c.,Statement,2,,,The organization: Documents personnel security requirements; -nist_800_53_v4,nist_800_53_v4:ps-7d.,PS-7d.,Statement,2,,,"The organization: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and" -nist_800_53_v4,nist_800_53_v4:ps-7e.,PS-7e.,Statement,2,,,The organization: Monitors provider compliance. 
-nist_800_53_v4,nist_800_53_v4:ps-8,PS-8,Control,1,,Personnel Sanctions, -nist_800_53_v4,nist_800_53_v4:ps-8a.,PS-8a.,Statement,2,,,The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and -nist_800_53_v4,nist_800_53_v4:ps-8b.,PS-8b.,Statement,2,,,"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." +nist_800_53_v4,nist_800_53_v4:ps-1,PS-1,Control,1,1,Personnel Security Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ps-1a.,PS-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and" +nist_800_53_v4,nist_800_53_v4:ps-1b.,PS-1b.,Statement,2,2,,The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and Personnel security procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ps-2,PS-2,Control,1,2,Position Risk Designation, +nist_800_53_v4,nist_800_53_v4:ps-2a.,PS-2a.,Statement,2,1,,The organization: Assigns a risk designation to all organizational positions; +nist_800_53_v4,nist_800_53_v4:ps-2b.,PS-2b.,Statement,2,2,,The organization: Establishes screening criteria for individuals filling those positions; and +nist_800_53_v4,nist_800_53_v4:ps-2c.,PS-2c.,Statement,2,3,,The organization: Reviews and updates position risk designations [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:ps-3,PS-3,Control,1,3,Personnel Screening, +nist_800_53_v4,nist_800_53_v4:ps-3(1),PS-3 (1),Enhancement,2,1,Classified Information,"The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system." +nist_800_53_v4,nist_800_53_v4:ps-3(2),PS-3 (2),Enhancement,2,2,Formal Indoctrination,"The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system." +nist_800_53_v4,nist_800_53_v4:ps-3(3),PS-3 (3),Enhancement,2,3,Information With Special Protection Measures,"The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official government duties; and Satisfy [Assignment: organization-defined additional personnel screening criteria]." +nist_800_53_v4,nist_800_53_v4:ps-3a.,PS-3a.,Statement,2,1,,The organization: Screens individuals prior to authorizing access to the information system; and +nist_800_53_v4,nist_800_53_v4:ps-3b.,PS-3b.,Statement,2,2,,"The organization: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]." 
+nist_800_53_v4,nist_800_53_v4:ps-4,PS-4,Control,1,4,Personnel Termination, +nist_800_53_v4,nist_800_53_v4:ps-4(1),PS-4 (1),Enhancement,2,1,Post-Employment Requirements,"The organization: Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process." +nist_800_53_v4,nist_800_53_v4:ps-4(2),PS-4 (2),Enhancement,2,2,Automated Notification,The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual. +nist_800_53_v4,nist_800_53_v4:ps-4a.,PS-4a.,Statement,2,1,,"The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];" +nist_800_53_v4,nist_800_53_v4:ps-4b.,PS-4b.,Statement,2,2,,"The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;" +nist_800_53_v4,nist_800_53_v4:ps-4c.,PS-4c.,Statement,2,3,,"The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];" +nist_800_53_v4,nist_800_53_v4:ps-4d.,PS-4d.,Statement,2,4,,"The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;" +nist_800_53_v4,nist_800_53_v4:ps-4e.,PS-4e.,Statement,2,5,,"The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and" +nist_800_53_v4,nist_800_53_v4:ps-4f.,PS-4f.,Statement,2,6,,"The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] 
within [Assignment: organization-defined time period]." +nist_800_53_v4,nist_800_53_v4:ps-5,PS-5,Control,1,5,Personnel Transfer, +nist_800_53_v4,nist_800_53_v4:ps-5a.,PS-5a.,Statement,2,1,,The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; +nist_800_53_v4,nist_800_53_v4:ps-5b.,PS-5b.,Statement,2,2,,The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; +nist_800_53_v4,nist_800_53_v4:ps-5c.,PS-5c.,Statement,2,3,,The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and +nist_800_53_v4,nist_800_53_v4:ps-5d.,PS-5d.,Statement,2,4,,The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:ps-6,PS-6,Control,1,6,Access Agreements, +nist_800_53_v4,nist_800_53_v4:ps-6(2),PS-6 (2),Enhancement,2,2,Classified Information Requiring Special Protection,"The organization ensures that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government duties; Satisfy associated personnel security criteria; and Have read, understood, and signed a nondisclosure agreement." +nist_800_53_v4,nist_800_53_v4:ps-6(3),PS-6 (3),Enhancement,2,3,Post-Employment Requirements,"The organization: Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information." 
+nist_800_53_v4,nist_800_53_v4:ps-6a.,PS-6a.,Statement,2,1,,The organization: Develops and documents access agreements for organizational information systems; +nist_800_53_v4,nist_800_53_v4:ps-6b.,PS-6b.,Statement,2,2,,The organization: Reviews and updates the access agreements [Assignment: organization-defined frequency]; and +nist_800_53_v4,nist_800_53_v4:ps-6c.,PS-6c.,Statement,2,3,,The organization: Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ps-7,PS-7,Control,1,7,Third-Party Personnel Security, +nist_800_53_v4,nist_800_53_v4:ps-7a.,PS-7a.,Statement,2,1,,The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; +nist_800_53_v4,nist_800_53_v4:ps-7b.,PS-7b.,Statement,2,2,,The organization: Requires third-party providers to comply with personnel security policies and procedures established by the organization; +nist_800_53_v4,nist_800_53_v4:ps-7c.,PS-7c.,Statement,2,3,,The organization: Documents personnel security requirements; +nist_800_53_v4,nist_800_53_v4:ps-7d.,PS-7d.,Statement,2,4,,"The organization: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and" +nist_800_53_v4,nist_800_53_v4:ps-7e.,PS-7e.,Statement,2,5,,The organization: Monitors provider compliance. 
+nist_800_53_v4,nist_800_53_v4:ps-8,PS-8,Control,1,8,Personnel Sanctions, +nist_800_53_v4,nist_800_53_v4:ps-8a.,PS-8a.,Statement,2,1,,The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and +nist_800_53_v4,nist_800_53_v4:ps-8b.,PS-8b.,Statement,2,2,,"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." nist_800_53_v4,nist_800_53_v4:ra,RA,Family,0,15,Risk Assessment, -nist_800_53_v4,nist_800_53_v4:ra-1,RA-1,Control,1,,Risk Assessment Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:ra-1a.,RA-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and" -nist_800_53_v4,nist_800_53_v4:ra-1b.,RA-1b.,Statement,2,,,The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and Risk assessment procedures [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:ra-2,RA-2,Control,1,,Security Categorization, -nist_800_53_v4,nist_800_53_v4:ra-2a.,RA-2a.,Statement,2,,,"The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" -nist_800_53_v4,nist_800_53_v4:ra-2b.,RA-2b.,Statement,2,,,The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and -nist_800_53_v4,nist_800_53_v4:ra-2c.,RA-2c.,Statement,2,,,The organization: Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. -nist_800_53_v4,nist_800_53_v4:ra-3,RA-3,Control,1,,Risk Assessment, -nist_800_53_v4,nist_800_53_v4:ra-3a.,RA-3a.,Statement,2,,,"The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;" -nist_800_53_v4,nist_800_53_v4:ra-3b.,RA-3b.,Statement,2,,,The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; -nist_800_53_v4,nist_800_53_v4:ra-3c.,RA-3c.,Statement,2,,,The organization: Reviews risk assessment results [Assignment: organization-defined frequency]; -nist_800_53_v4,nist_800_53_v4:ra-3d.,RA-3d.,Statement,2,,,The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and -nist_800_53_v4,nist_800_53_v4:ra-3e.,RA-3e.,Statement,2,,,"The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and 
vulnerabilities), or other conditions that may impact the security state of the system." -nist_800_53_v4,nist_800_53_v4:ra-4,RA-4,Control,1,,Risk Assessment Update, -nist_800_53_v4,nist_800_53_v4:ra-5,RA-5,Control,1,,Vulnerability Scanning, -nist_800_53_v4,nist_800_53_v4:ra-5(1),RA-5 (1),Enhancement,2,,Update Tool Capability,The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. -nist_800_53_v4,nist_800_53_v4:ra-5(10),RA-5 (10),Enhancement,2,,Correlate Scanning Information,The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. -nist_800_53_v4,nist_800_53_v4:ra-5(2),RA-5 (2),Enhancement,2,,Update By Frequency / Prior To New Scan / When Identified,The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. -nist_800_53_v4,nist_800_53_v4:ra-5(3),RA-5 (3),Enhancement,2,,Breadth / Depth Of Coverage,"The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)." -nist_800_53_v4,nist_800_53_v4:ra-5(4),RA-5 (4),Enhancement,2,,Discoverable Information,The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. -nist_800_53_v4,nist_800_53_v4:ra-5(5),RA-5 (5),Enhancement,2,,Privileged Access,The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. 
-nist_800_53_v4,nist_800_53_v4:ra-5(6),RA-5 (6),Enhancement,2,,Automated Trend Analyses,The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. -nist_800_53_v4,nist_800_53_v4:ra-5(8),RA-5 (8),Enhancement,2,,Review Historic Audit Logs,The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. -nist_800_53_v4,nist_800_53_v4:ra-5a.,RA-5a.,Statement,2,,,The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; -nist_800_53_v4,nist_800_53_v4:ra-5b.,RA-5b.,Statement,2,,,"The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact;" -nist_800_53_v4,nist_800_53_v4:ra-5c.,RA-5c.,Statement,2,,,The organization: Analyzes vulnerability scan reports and results from security control assessments; -nist_800_53_v4,nist_800_53_v4:ra-5d.,RA-5d.,Statement,2,,,The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and -nist_800_53_v4,nist_800_53_v4:ra-5e.,RA-5e.,Statement,2,,,"The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)." 
-nist_800_53_v4,nist_800_53_v4:ra-6,RA-6,Control,1,,Technical Surveillance Countermeasures Survey, +nist_800_53_v4,nist_800_53_v4:ra-1,RA-1,Control,1,1,Risk Assessment Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:ra-1a.,RA-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and" +nist_800_53_v4,nist_800_53_v4:ra-1b.,RA-1b.,Statement,2,2,,The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and Risk assessment procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:ra-2,RA-2,Control,1,2,Security Categorization, +nist_800_53_v4,nist_800_53_v4:ra-2a.,RA-2a.,Statement,2,1,,"The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" +nist_800_53_v4,nist_800_53_v4:ra-2b.,RA-2b.,Statement,2,2,,The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and +nist_800_53_v4,nist_800_53_v4:ra-2c.,RA-2c.,Statement,2,3,,The organization: Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. 
+nist_800_53_v4,nist_800_53_v4:ra-3,RA-3,Control,1,3,Risk Assessment, +nist_800_53_v4,nist_800_53_v4:ra-3a.,RA-3a.,Statement,2,1,,"The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;" +nist_800_53_v4,nist_800_53_v4:ra-3b.,RA-3b.,Statement,2,2,,The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; +nist_800_53_v4,nist_800_53_v4:ra-3c.,RA-3c.,Statement,2,3,,The organization: Reviews risk assessment results [Assignment: organization-defined frequency]; +nist_800_53_v4,nist_800_53_v4:ra-3d.,RA-3d.,Statement,2,4,,The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and +nist_800_53_v4,nist_800_53_v4:ra-3e.,RA-3e.,Statement,2,5,,"The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system." +nist_800_53_v4,nist_800_53_v4:ra-4,RA-4,Control,1,4,Risk Assessment Update, +nist_800_53_v4,nist_800_53_v4:ra-5,RA-5,Control,1,5,Vulnerability Scanning, +nist_800_53_v4,nist_800_53_v4:ra-5(1),RA-5 (1),Enhancement,2,1,Update Tool Capability,The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. +nist_800_53_v4,nist_800_53_v4:ra-5(10),RA-5 (10),Enhancement,2,10,Correlate Scanning Information,The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. 
+nist_800_53_v4,nist_800_53_v4:ra-5(2),RA-5 (2),Enhancement,2,2,Update By Frequency / Prior To New Scan / When Identified,The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. +nist_800_53_v4,nist_800_53_v4:ra-5(3),RA-5 (3),Enhancement,2,3,Breadth / Depth Of Coverage,"The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)." +nist_800_53_v4,nist_800_53_v4:ra-5(4),RA-5 (4),Enhancement,2,4,Discoverable Information,The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. +nist_800_53_v4,nist_800_53_v4:ra-5(5),RA-5 (5),Enhancement,2,5,Privileged Access,The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. +nist_800_53_v4,nist_800_53_v4:ra-5(6),RA-5 (6),Enhancement,2,6,Automated Trend Analyses,The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. +nist_800_53_v4,nist_800_53_v4:ra-5(8),RA-5 (8),Enhancement,2,8,Review Historic Audit Logs,The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. 
+nist_800_53_v4,nist_800_53_v4:ra-5a.,RA-5a.,Statement,2,1,,The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; +nist_800_53_v4,nist_800_53_v4:ra-5b.,RA-5b.,Statement,2,2,,"The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact;" +nist_800_53_v4,nist_800_53_v4:ra-5c.,RA-5c.,Statement,2,3,,The organization: Analyzes vulnerability scan reports and results from security control assessments; +nist_800_53_v4,nist_800_53_v4:ra-5d.,RA-5d.,Statement,2,4,,The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and +nist_800_53_v4,nist_800_53_v4:ra-5e.,RA-5e.,Statement,2,5,,"The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)." 
+nist_800_53_v4,nist_800_53_v4:ra-6,RA-6,Control,1,6,Technical Surveillance Countermeasures Survey, nist_800_53_v4,nist_800_53_v4:sa,SA,Family,0,16,System and Services Acquisition, -nist_800_53_v4,nist_800_53_v4:sa-1,SA-1,Control,1,,System and Services Acquisition Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:sa-10,SA-10,Control,1,,Developer Configuration Management, -nist_800_53_v4,nist_800_53_v4:sa-10(1),SA-10 (1),Enhancement,2,,Software / Firmware Integrity Verification,"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components." -nist_800_53_v4,nist_800_53_v4:sa-10(2),SA-10 (2),Enhancement,2,,Alternative Configuration Management Processes,The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. -nist_800_53_v4,nist_800_53_v4:sa-10(3),SA-10 (3),Enhancement,2,,Hardware Integrity Verification,"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components." -nist_800_53_v4,nist_800_53_v4:sa-10(4),SA-10 (4),Enhancement,2,,Trusted Generation,"The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions." 
-nist_800_53_v4,nist_800_53_v4:sa-10(5),SA-10 (5),Enhancement,2,,Mapping Integrity For Version Control,"The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version." -nist_800_53_v4,nist_800_53_v4:sa-10(6),SA-10 (6),Enhancement,2,,Trusted Distribution,"The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies." -nist_800_53_v4,nist_800_53_v4:sa-10a.,SA-10a.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];" -nist_800_53_v4,nist_800_53_v4:sa-10b.,SA-10b.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];" -nist_800_53_v4,nist_800_53_v4:sa-10c.,SA-10c.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;" -nist_800_53_v4,nist_800_53_v4:sa-10d.,SA-10d.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Document approved changes to 
the system, component, or service and the potential security impacts of such changes; and" -nist_800_53_v4,nist_800_53_v4:sa-10e.,SA-10e.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]." -nist_800_53_v4,nist_800_53_v4:sa-11,SA-11,Control,1,,Developer Security Testing and Evaluation, -nist_800_53_v4,nist_800_53_v4:sa-11(1),SA-11 (1),Enhancement,2,,Static Code Analysis,"The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis." -nist_800_53_v4,nist_800_53_v4:sa-11(2),SA-11 (2),Enhancement,2,,Threat And Vulnerability Analyses,"The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service." -nist_800_53_v4,nist_800_53_v4:sa-11(3),SA-11 (3),Enhancement,2,,Independent Verification Of Assessment Plans / Evidence,The organization: Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information. 
-nist_800_53_v4,nist_800_53_v4:sa-11(4),SA-11 (4),Enhancement,2,,Manual Code Reviews,"The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]." -nist_800_53_v4,nist_800_53_v4:sa-11(5),SA-11 (5),Enhancement,2,,Penetration Testing,"The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]." -nist_800_53_v4,nist_800_53_v4:sa-11(6),SA-11 (6),Enhancement,2,,Attack Surface Reviews,"The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews." -nist_800_53_v4,nist_800_53_v4:sa-11(7),SA-11 (7),Enhancement,2,,Verify Scope Of Testing / Evaluation,"The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]." -nist_800_53_v4,nist_800_53_v4:sa-11(8),SA-11 (8),Enhancement,2,,Dynamic Code Analysis,"The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis." 
-nist_800_53_v4,nist_800_53_v4:sa-11a.,SA-11a.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;" -nist_800_53_v4,nist_800_53_v4:sa-11b.,SA-11b.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];" -nist_800_53_v4,nist_800_53_v4:sa-11c.,SA-11c.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;" -nist_800_53_v4,nist_800_53_v4:sa-11d.,SA-11d.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and" -nist_800_53_v4,nist_800_53_v4:sa-11e.,SA-11e.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation." -nist_800_53_v4,nist_800_53_v4:sa-12,SA-12,Control,1,,Supply Chain Protection, -nist_800_53_v4,nist_800_53_v4:sa-12(1),SA-12 (1),Enhancement,2,,Acquisition Strategies / Tools / Methods,"The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers." 
-nist_800_53_v4,nist_800_53_v4:sa-12(10),SA-12 (10),Enhancement,2,,Validate As Genuine And Not Altered,The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered. -nist_800_53_v4,nist_800_53_v4:sa-12(11),SA-12 (11),Enhancement,2,,"Penetration Testing / Analysis Of Elements, Processes, And Actors","The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-12(12),SA-12 (12),Enhancement,2,,Inter-Organizational Agreements,"The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-12(13),SA-12 (13),Enhancement,2,,Critical Information System Components,The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]. -nist_800_53_v4,nist_800_53_v4:sa-12(14),SA-12 (14),Enhancement,2,,Identity And Traceability,"The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-12(15),SA-12 (15),Enhancement,2,,Processes To Address Weaknesses Or Deficiencies,The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. 
-nist_800_53_v4,nist_800_53_v4:sa-12(2),SA-12 (2),Enhancement,2,,Supplier Reviews,"The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-12(5),SA-12 (5),Enhancement,2,,Limitation Of Harm,The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. -nist_800_53_v4,nist_800_53_v4:sa-12(7),SA-12 (7),Enhancement,2,,Assessments Prior To Selection / Acceptance / Update,"The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update." -nist_800_53_v4,nist_800_53_v4:sa-12(8),SA-12 (8),Enhancement,2,,Use Of All-Source Intelligence,"The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-12(9),SA-12 (9),Enhancement,2,,Operations Security,"The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-13,SA-13,Control,1,,Trustworthiness, -nist_800_53_v4,nist_800_53_v4:sa-13a.,SA-13a.,Statement,2,,,"The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and" -nist_800_53_v4,nist_800_53_v4:sa-13b.,SA-13b.,Statement,2,,,The organization: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. 
-nist_800_53_v4,nist_800_53_v4:sa-14,SA-14,Control,1,,Criticality Analysis, -nist_800_53_v4,nist_800_53_v4:sa-15,SA-15,Control,1,,"Development Process, Standards, and Tools", -nist_800_53_v4,nist_800_53_v4:sa-15(1),SA-15 (1),Enhancement,2,,Quality Metrics,"The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]." -nist_800_53_v4,nist_800_53_v4:sa-15(10),SA-15 (10),Enhancement,2,,Incident Response Plan,"The organization requires the developer of the information system, system component, or information system service to provide an incident response plan." -nist_800_53_v4,nist_800_53_v4:sa-15(11),SA-15 (11),Enhancement,2,,Archive Information System / Component,The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review. -nist_800_53_v4,nist_800_53_v4:sa-15(2),SA-15 (2),Enhancement,2,,Security Tracking Tools,"The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process." -nist_800_53_v4,nist_800_53_v4:sa-15(3),SA-15 (3),Enhancement,2,,Criticality Analysis,"The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]." 
-nist_800_53_v4,nist_800_53_v4:sa-15(4),SA-15 (4),Enhancement,2,,Threat Modeling / Vulnerability Analysis,"The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria]." -nist_800_53_v4,nist_800_53_v4:sa-15(5),SA-15 (5),Enhancement,2,,Attack Surface Reduction,"The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]." -nist_800_53_v4,nist_800_53_v4:sa-15(6),SA-15 (6),Enhancement,2,,Continuous Improvement,"The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process." -nist_800_53_v4,nist_800_53_v4:sa-15(7),SA-15 (7),Enhancement,2,,Automated Vulnerability Analysis,"The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]." 
-nist_800_53_v4,nist_800_53_v4:sa-15(8),SA-15 (8),Enhancement,2,,Reuse Of Threat / Vulnerability Information,"The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process." -nist_800_53_v4,nist_800_53_v4:sa-15(9),SA-15 (9),Enhancement,2,,Use Of Live Data,"The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service." -nist_800_53_v4,nist_800_53_v4:sa-15a.,SA-15a.,Statement,2,,,"The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" -nist_800_53_v4,nist_800_53_v4:sa-15b.,SA-15b.,Statement,2,,,"The organization: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]." 
-nist_800_53_v4,nist_800_53_v4:sa-16,SA-16,Control,1,,Developer-Provided Training, -nist_800_53_v4,nist_800_53_v4:sa-17,SA-17,Control,1,,Developer Security Architecture and Design, -nist_800_53_v4,nist_800_53_v4:sa-17(1),SA-17 (1),Enhancement,2,,Formal Policy Model,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented." -nist_800_53_v4,nist_800_53_v4:sa-17(2),SA-17 (2),Enhancement,2,,Security-Relevant Components,"The organization requires the developer of the information system, system component, or information system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete." 
-nist_800_53_v4,nist_800_53_v4:sa-17(3),SA-17 (3),Enhancement,2,,Formal Correspondence,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware." 
-nist_800_53_v4,nist_800_53_v4:sa-17(4),SA-17 (4),Enhancement,2,,Informal Correspondence,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware." -nist_800_53_v4,nist_800_53_v4:sa-17(5),SA-17 (5),Enhancement,2,,Conceptually Simple Design,"The organization requires the developer of the information system, system component, or information system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism." -nist_800_53_v4,nist_800_53_v4:sa-17(6),SA-17 (6),Enhancement,2,,Structure For Testing,"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing." 
-nist_800_53_v4,nist_800_53_v4:sa-17(7),SA-17 (7),Enhancement,2,,Structure For Least Privilege,"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege." -nist_800_53_v4,nist_800_53_v4:sa-17a.,SA-17a.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;" -nist_800_53_v4,nist_800_53_v4:sa-17b.,SA-17b.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and" -nist_800_53_v4,nist_800_53_v4:sa-17c.,SA-17c.,Statement,2,,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection." -nist_800_53_v4,nist_800_53_v4:sa-18,SA-18,Control,1,,Tamper Resistance and Detection, -nist_800_53_v4,nist_800_53_v4:sa-18(1),SA-18 (1),Enhancement,2,,Multiple Phases Of Sdlc,"The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance." 
-nist_800_53_v4,nist_800_53_v4:sa-18(2),SA-18 (2),Enhancement,2,,"Inspection Of Information Systems, Components, Or Devices","The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering." -nist_800_53_v4,nist_800_53_v4:sa-19,SA-19,Control,1,,Component Authenticity, -nist_800_53_v4,nist_800_53_v4:sa-19(1),SA-19 (1),Enhancement,2,,Anti-Counterfeit Training,"The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware)." -nist_800_53_v4,nist_800_53_v4:sa-19(2),SA-19 (2),Enhancement,2,,Configuration Control For Component Service / Repair,The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. -nist_800_53_v4,nist_800_53_v4:sa-19(3),SA-19 (3),Enhancement,2,,Component Disposal,The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. -nist_800_53_v4,nist_800_53_v4:sa-19(4),SA-19 (4),Enhancement,2,,Anti-Counterfeit Scanning,The organization scans for counterfeit information system components [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:sa-19a.,SA-19a.,Statement,2,,,The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and -nist_800_53_v4,nist_800_53_v4:sa-19b.,SA-19b.,Statement,2,,,The organization: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. -nist_800_53_v4,nist_800_53_v4:sa-1a.,SA-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and" -nist_800_53_v4,nist_800_53_v4:sa-1b.,SA-1b.,Statement,2,,,The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and System and services acquisition procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:sa-2,SA-2,Control,1,,Allocation Of Resources, -nist_800_53_v4,nist_800_53_v4:sa-20,SA-20,Control,1,,Customized Development Of Critical Components, -nist_800_53_v4,nist_800_53_v4:sa-21,SA-21,Control,1,,Developer Screening, -nist_800_53_v4,nist_800_53_v4:sa-21(1),SA-21 (1),Enhancement,2,,Validation Of Screening,"The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied." 
-nist_800_53_v4,nist_800_53_v4:sa-21a.,SA-21a.,Statement,2,,,"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and" -nist_800_53_v4,nist_800_53_v4:sa-21b.,SA-21b.,Statement,2,,,"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Satisfy [Assignment: organization-defined additional personnel screening criteria]." -nist_800_53_v4,nist_800_53_v4:sa-22,SA-22,Control,1,,Unsupported System Components, -nist_800_53_v4,nist_800_53_v4:sa-22(1),SA-22 (1),Enhancement,2,,Alternative Sources For Continued Support,The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components. -nist_800_53_v4,nist_800_53_v4:sa-22a.,SA-22a.,Statement,2,,,"The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and" -nist_800_53_v4,nist_800_53_v4:sa-22b.,SA-22b.,Statement,2,,,The organization: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. 
-nist_800_53_v4,nist_800_53_v4:sa-2a.,SA-2a.,Statement,2,,,The organization: Determines information security requirements for the information system or information system service in mission/business process planning; -nist_800_53_v4,nist_800_53_v4:sa-2b.,SA-2b.,Statement,2,,,"The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and" -nist_800_53_v4,nist_800_53_v4:sa-2c.,SA-2c.,Statement,2,,,The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation. -nist_800_53_v4,nist_800_53_v4:sa-3,SA-3,Control,1,,System Development Life Cycle, -nist_800_53_v4,nist_800_53_v4:sa-3a.,SA-3a.,Statement,2,,,The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; -nist_800_53_v4,nist_800_53_v4:sa-3b.,SA-3b.,Statement,2,,,The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; -nist_800_53_v4,nist_800_53_v4:sa-3c.,SA-3c.,Statement,2,,,The organization: Identifies individuals having information security roles and responsibilities; and -nist_800_53_v4,nist_800_53_v4:sa-3d.,SA-3d.,Statement,2,,,The organization: Integrates the organizational information security risk management process into system development life cycle activities. -nist_800_53_v4,nist_800_53_v4:sa-4,SA-4,Control,1,,Acquisition Process, -nist_800_53_v4,nist_800_53_v4:sa-4(1),SA-4 (1),Enhancement,2,,Functional Properties Of Security Controls,"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed." 
-nist_800_53_v4,nist_800_53_v4:sa-4(10),SA-4 (10),Enhancement,2,,Use Of Approved Piv Products,The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. -nist_800_53_v4,nist_800_53_v4:sa-4(2),SA-4 (2),Enhancement,2,,Design / Implementation Information For Security Controls,"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]." -nist_800_53_v4,nist_800_53_v4:sa-4(3),SA-4 (3),Enhancement,2,,Development Methods / Techniques / Practices,"The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]." -nist_800_53_v4,nist_800_53_v4:sa-4(5),SA-4 (5),Enhancement,2,,System / Component / Service Configurations,"The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." 
-nist_800_53_v4,nist_800_53_v4:sa-4(6),SA-4 (6),Enhancement,2,,Use Of Information Assurance Products,The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. -nist_800_53_v4,nist_800_53_v4:sa-4(7),SA-4 (7),Enhancement,2,,Niap-Approved Protection Profiles,"The organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated." -nist_800_53_v4,nist_800_53_v4:sa-4(8),SA-4 (8),Enhancement,2,,Continuous Monitoring Plan,"The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]." 
-nist_800_53_v4,nist_800_53_v4:sa-4(9),SA-4 (9),Enhancement,2,,Functions / Ports / Protocols / Services In Use,"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use." -nist_800_53_v4,nist_800_53_v4:sa-4a.,SA-4a.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;" -nist_800_53_v4,nist_800_53_v4:sa-4b.,SA-4b.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;" -nist_800_53_v4,nist_800_53_v4:sa-4c.,SA-4c.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements;" -nist_800_53_v4,nist_800_53_v4:sa-4d.,SA-4d.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information 
system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;" -nist_800_53_v4,nist_800_53_v4:sa-4e.,SA-4e.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation;" -nist_800_53_v4,nist_800_53_v4:sa-4f.,SA-4f.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and" -nist_800_53_v4,nist_800_53_v4:sa-4g.,SA-4g.,Statement,2,,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria." 
-nist_800_53_v4,nist_800_53_v4:sa-5,SA-5,Control,1,,Information System Documentation, -nist_800_53_v4,nist_800_53_v4:sa-5a.,SA-5a.,Statement,2,,,"The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;" -nist_800_53_v4,nist_800_53_v4:sa-5b.,SA-5b.,Statement,2,,,"The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and User responsibilities in maintaining the security of the system, component, or service;" -nist_800_53_v4,nist_800_53_v4:sa-5c.,SA-5c.,Statement,2,,,"The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;" -nist_800_53_v4,nist_800_53_v4:sa-5d.,SA-5d.,Statement,2,,,"The organization: Protects documentation as required, in accordance with the risk management strategy; and" -nist_800_53_v4,nist_800_53_v4:sa-5e.,SA-5e.,Statement,2,,,The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]. 
-nist_800_53_v4,nist_800_53_v4:sa-6,SA-6,Control,1,,Software Usage Restrictions, -nist_800_53_v4,nist_800_53_v4:sa-7,SA-7,Control,1,,User-Installed Software, -nist_800_53_v4,nist_800_53_v4:sa-8,SA-8,Control,1,,Security Engineering Principles, -nist_800_53_v4,nist_800_53_v4:sa-9,SA-9,Control,1,,External Information System Services, -nist_800_53_v4,nist_800_53_v4:sa-9(1),SA-9 (1),Enhancement,2,,Risk Assessments / Organizational Approvals,The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:sa-9(2),SA-9 (2),Enhancement,2,,Identification Of Functions / Ports / Protocols / Services,"The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services." -nist_800_53_v4,nist_800_53_v4:sa-9(3),SA-9 (3),Enhancement,2,,Establish / Maintain Trust Relationship With Providers,"The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]." -nist_800_53_v4,nist_800_53_v4:sa-9(4),SA-9 (4),Enhancement,2,,Consistent Interests Of Consumers And Providers,The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. 
-nist_800_53_v4,nist_800_53_v4:sa-9(5),SA-9 (5),Enhancement,2,,"Processing, Storage, And Service Location",The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. -nist_800_53_v4,nist_800_53_v4:sa-9a.,SA-9a.,Statement,2,,,"The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" -nist_800_53_v4,nist_800_53_v4:sa-9b.,SA-9b.,Statement,2,,,The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and -nist_800_53_v4,nist_800_53_v4:sa-9c.,SA-9c.,Statement,2,,,"The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis." +nist_800_53_v4,nist_800_53_v4:sa-1,SA-1,Control,1,1,System and Services Acquisition Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:sa-10,SA-10,Control,1,10,Developer Configuration Management, +nist_800_53_v4,nist_800_53_v4:sa-10(1),SA-10 (1),Enhancement,2,1,Software / Firmware Integrity Verification,"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components." +nist_800_53_v4,nist_800_53_v4:sa-10(2),SA-10 (2),Enhancement,2,2,Alternative Configuration Management Processes,The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. 
+nist_800_53_v4,nist_800_53_v4:sa-10(3),SA-10 (3),Enhancement,2,3,Hardware Integrity Verification,"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components." +nist_800_53_v4,nist_800_53_v4:sa-10(4),SA-10 (4),Enhancement,2,4,Trusted Generation,"The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions." +nist_800_53_v4,nist_800_53_v4:sa-10(5),SA-10 (5),Enhancement,2,5,Mapping Integrity For Version Control,"The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version." +nist_800_53_v4,nist_800_53_v4:sa-10(6),SA-10 (6),Enhancement,2,6,Trusted Distribution,"The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies." 
+nist_800_53_v4,nist_800_53_v4:sa-10a.,SA-10a.,Statement,2,1,,"The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];" +nist_800_53_v4,nist_800_53_v4:sa-10b.,SA-10b.,Statement,2,2,,"The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];" +nist_800_53_v4,nist_800_53_v4:sa-10c.,SA-10c.,Statement,2,3,,"The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;" +nist_800_53_v4,nist_800_53_v4:sa-10d.,SA-10d.,Statement,2,4,,"The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and" +nist_800_53_v4,nist_800_53_v4:sa-10e.,SA-10e.,Statement,2,5,,"The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]." +nist_800_53_v4,nist_800_53_v4:sa-11,SA-11,Control,1,11,Developer Security Testing and Evaluation, +nist_800_53_v4,nist_800_53_v4:sa-11(1),SA-11 (1),Enhancement,2,1,Static Code Analysis,"The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis." 
+nist_800_53_v4,nist_800_53_v4:sa-11(2),SA-11 (2),Enhancement,2,2,Threat And Vulnerability Analyses,"The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service." +nist_800_53_v4,nist_800_53_v4:sa-11(3),SA-11 (3),Enhancement,2,3,Independent Verification Of Assessment Plans / Evidence,The organization: Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information. +nist_800_53_v4,nist_800_53_v4:sa-11(4),SA-11 (4),Enhancement,2,4,Manual Code Reviews,"The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]." +nist_800_53_v4,nist_800_53_v4:sa-11(5),SA-11 (5),Enhancement,2,5,Penetration Testing,"The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]." +nist_800_53_v4,nist_800_53_v4:sa-11(6),SA-11 (6),Enhancement,2,6,Attack Surface Reviews,"The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews." 
+nist_800_53_v4,nist_800_53_v4:sa-11(7),SA-11 (7),Enhancement,2,7,Verify Scope Of Testing / Evaluation,"The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]." +nist_800_53_v4,nist_800_53_v4:sa-11(8),SA-11 (8),Enhancement,2,8,Dynamic Code Analysis,"The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis." +nist_800_53_v4,nist_800_53_v4:sa-11a.,SA-11a.,Statement,2,1,,"The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;" +nist_800_53_v4,nist_800_53_v4:sa-11b.,SA-11b.,Statement,2,2,,"The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];" +nist_800_53_v4,nist_800_53_v4:sa-11c.,SA-11c.,Statement,2,3,,"The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;" +nist_800_53_v4,nist_800_53_v4:sa-11d.,SA-11d.,Statement,2,4,,"The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and" +nist_800_53_v4,nist_800_53_v4:sa-11e.,SA-11e.,Statement,2,5,,"The organization requires the developer of the information system, system component, or information system service to: 
Correct flaws identified during security testing/evaluation." +nist_800_53_v4,nist_800_53_v4:sa-12,SA-12,Control,1,12,Supply Chain Protection, +nist_800_53_v4,nist_800_53_v4:sa-12(1),SA-12 (1),Enhancement,2,1,Acquisition Strategies / Tools / Methods,"The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers." +nist_800_53_v4,nist_800_53_v4:sa-12(10),SA-12 (10),Enhancement,2,10,Validate As Genuine And Not Altered,The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered. +nist_800_53_v4,nist_800_53_v4:sa-12(11),SA-12 (11),Enhancement,2,11,"Penetration Testing / Analysis Of Elements, Processes, And Actors","The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service." +nist_800_53_v4,nist_800_53_v4:sa-12(12),SA-12 (12),Enhancement,2,12,Inter-Organizational Agreements,"The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service." +nist_800_53_v4,nist_800_53_v4:sa-12(13),SA-12 (13),Enhancement,2,13,Critical Information System Components,The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]. 
+nist_800_53_v4,nist_800_53_v4:sa-12(14),SA-12 (14),Enhancement,2,14,Identity And Traceability,"The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service." +nist_800_53_v4,nist_800_53_v4:sa-12(15),SA-12 (15),Enhancement,2,15,Processes To Address Weaknesses Or Deficiencies,The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. +nist_800_53_v4,nist_800_53_v4:sa-12(2),SA-12 (2),Enhancement,2,2,Supplier Reviews,"The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service." +nist_800_53_v4,nist_800_53_v4:sa-12(5),SA-12 (5),Enhancement,2,5,Limitation Of Harm,The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain. +nist_800_53_v4,nist_800_53_v4:sa-12(7),SA-12 (7),Enhancement,2,7,Assessments Prior To Selection / Acceptance / Update,"The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update." +nist_800_53_v4,nist_800_53_v4:sa-12(8),SA-12 (8),Enhancement,2,8,Use Of All-Source Intelligence,"The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service." 
+nist_800_53_v4,nist_800_53_v4:sa-12(9),SA-12 (9),Enhancement,2,9,Operations Security,"The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service." +nist_800_53_v4,nist_800_53_v4:sa-13,SA-13,Control,1,13,Trustworthiness, +nist_800_53_v4,nist_800_53_v4:sa-13a.,SA-13a.,Statement,2,1,,"The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and" +nist_800_53_v4,nist_800_53_v4:sa-13b.,SA-13b.,Statement,2,2,,The organization: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. +nist_800_53_v4,nist_800_53_v4:sa-14,SA-14,Control,1,14,Criticality Analysis, +nist_800_53_v4,nist_800_53_v4:sa-15,SA-15,Control,1,15,"Development Process, Standards, and Tools", +nist_800_53_v4,nist_800_53_v4:sa-15(1),SA-15 (1),Enhancement,2,1,Quality Metrics,"The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]." +nist_800_53_v4,nist_800_53_v4:sa-15(10),SA-15 (10),Enhancement,2,10,Incident Response Plan,"The organization requires the developer of the information system, system component, or information system service to provide an incident response plan." 
+nist_800_53_v4,nist_800_53_v4:sa-15(11),SA-15 (11),Enhancement,2,11,Archive Information System / Component,The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review. +nist_800_53_v4,nist_800_53_v4:sa-15(2),SA-15 (2),Enhancement,2,2,Security Tracking Tools,"The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process." +nist_800_53_v4,nist_800_53_v4:sa-15(3),SA-15 (3),Enhancement,2,3,Criticality Analysis,"The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]." +nist_800_53_v4,nist_800_53_v4:sa-15(4),SA-15 (4),Enhancement,2,4,Threat Modeling / Vulnerability Analysis,"The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria]." +nist_800_53_v4,nist_800_53_v4:sa-15(5),SA-15 (5),Enhancement,2,5,Attack Surface Reduction,"The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]." 
+nist_800_53_v4,nist_800_53_v4:sa-15(6),SA-15 (6),Enhancement,2,6,Continuous Improvement,"The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process." +nist_800_53_v4,nist_800_53_v4:sa-15(7),SA-15 (7),Enhancement,2,7,Automated Vulnerability Analysis,"The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]." +nist_800_53_v4,nist_800_53_v4:sa-15(8),SA-15 (8),Enhancement,2,8,Reuse Of Threat / Vulnerability Information,"The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process." +nist_800_53_v4,nist_800_53_v4:sa-15(9),SA-15 (9),Enhancement,2,9,Use Of Live Data,"The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service." 
+nist_800_53_v4,nist_800_53_v4:sa-15a.,SA-15a.,Statement,2,1,,"The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" +nist_800_53_v4,nist_800_53_v4:sa-15b.,SA-15b.,Statement,2,2,,"The organization: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]." +nist_800_53_v4,nist_800_53_v4:sa-16,SA-16,Control,1,16,Developer-Provided Training, +nist_800_53_v4,nist_800_53_v4:sa-17,SA-17,Control,1,17,Developer Security Architecture and Design, +nist_800_53_v4,nist_800_53_v4:sa-17(1),SA-17 (1),Enhancement,2,1,Formal Policy Model,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented." 
+nist_800_53_v4,nist_800_53_v4:sa-17(2),SA-17 (2),Enhancement,2,2,Security-Relevant Components,"The organization requires the developer of the information system, system component, or information system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete." +nist_800_53_v4,nist_800_53_v4:sa-17(3),SA-17 (3),Enhancement,2,3,Formal Correspondence,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware." 
+nist_800_53_v4,nist_800_53_v4:sa-17(4),SA-17 (4),Enhancement,2,4,Informal Correspondence,"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware." +nist_800_53_v4,nist_800_53_v4:sa-17(5),SA-17 (5),Enhancement,2,5,Conceptually Simple Design,"The organization requires the developer of the information system, system component, or information system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism." +nist_800_53_v4,nist_800_53_v4:sa-17(6),SA-17 (6),Enhancement,2,6,Structure For Testing,"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing." 
+nist_800_53_v4,nist_800_53_v4:sa-17(7),SA-17 (7),Enhancement,2,7,Structure For Least Privilege,"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege." +nist_800_53_v4,nist_800_53_v4:sa-17a.,SA-17a.,Statement,2,1,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;" +nist_800_53_v4,nist_800_53_v4:sa-17b.,SA-17b.,Statement,2,2,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and" +nist_800_53_v4,nist_800_53_v4:sa-17c.,SA-17c.,Statement,2,3,,"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection." +nist_800_53_v4,nist_800_53_v4:sa-18,SA-18,Control,1,18,Tamper Resistance and Detection, +nist_800_53_v4,nist_800_53_v4:sa-18(1),SA-18 (1),Enhancement,2,1,Multiple Phases Of Sdlc,"The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance." 
+nist_800_53_v4,nist_800_53_v4:sa-18(2),SA-18 (2),Enhancement,2,2,"Inspection Of Information Systems, Components, Or Devices","The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering." +nist_800_53_v4,nist_800_53_v4:sa-19,SA-19,Control,1,19,Component Authenticity, +nist_800_53_v4,nist_800_53_v4:sa-19(1),SA-19 (1),Enhancement,2,1,Anti-Counterfeit Training,"The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware)." +nist_800_53_v4,nist_800_53_v4:sa-19(2),SA-19 (2),Enhancement,2,2,Configuration Control For Component Service / Repair,The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. +nist_800_53_v4,nist_800_53_v4:sa-19(3),SA-19 (3),Enhancement,2,3,Component Disposal,The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. +nist_800_53_v4,nist_800_53_v4:sa-19(4),SA-19 (4),Enhancement,2,4,Anti-Counterfeit Scanning,The organization scans for counterfeit information system components [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:sa-19a.,SA-19a.,Statement,2,1,,The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and +nist_800_53_v4,nist_800_53_v4:sa-19b.,SA-19b.,Statement,2,2,,The organization: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. +nist_800_53_v4,nist_800_53_v4:sa-1a.,SA-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and" +nist_800_53_v4,nist_800_53_v4:sa-1b.,SA-1b.,Statement,2,2,,The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and System and services acquisition procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:sa-2,SA-2,Control,1,2,Allocation Of Resources, +nist_800_53_v4,nist_800_53_v4:sa-20,SA-20,Control,1,20,Customized Development Of Critical Components, +nist_800_53_v4,nist_800_53_v4:sa-21,SA-21,Control,1,21,Developer Screening, +nist_800_53_v4,nist_800_53_v4:sa-21(1),SA-21 (1),Enhancement,2,1,Validation Of Screening,"The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied." 
+nist_800_53_v4,nist_800_53_v4:sa-21a.,SA-21a.,Statement,2,1,,"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and" +nist_800_53_v4,nist_800_53_v4:sa-21b.,SA-21b.,Statement,2,2,,"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Satisfy [Assignment: organization-defined additional personnel screening criteria]." +nist_800_53_v4,nist_800_53_v4:sa-22,SA-22,Control,1,22,Unsupported System Components, +nist_800_53_v4,nist_800_53_v4:sa-22(1),SA-22 (1),Enhancement,2,1,Alternative Sources For Continued Support,The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components. +nist_800_53_v4,nist_800_53_v4:sa-22a.,SA-22a.,Statement,2,1,,"The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and" +nist_800_53_v4,nist_800_53_v4:sa-22b.,SA-22b.,Statement,2,2,,The organization: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs. 
+nist_800_53_v4,nist_800_53_v4:sa-2a.,SA-2a.,Statement,2,1,,The organization: Determines information security requirements for the information system or information system service in mission/business process planning; +nist_800_53_v4,nist_800_53_v4:sa-2b.,SA-2b.,Statement,2,2,,"The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and" +nist_800_53_v4,nist_800_53_v4:sa-2c.,SA-2c.,Statement,2,3,,The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation. +nist_800_53_v4,nist_800_53_v4:sa-3,SA-3,Control,1,3,System Development Life Cycle, +nist_800_53_v4,nist_800_53_v4:sa-3a.,SA-3a.,Statement,2,1,,The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; +nist_800_53_v4,nist_800_53_v4:sa-3b.,SA-3b.,Statement,2,2,,The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; +nist_800_53_v4,nist_800_53_v4:sa-3c.,SA-3c.,Statement,2,3,,The organization: Identifies individuals having information security roles and responsibilities; and +nist_800_53_v4,nist_800_53_v4:sa-3d.,SA-3d.,Statement,2,4,,The organization: Integrates the organizational information security risk management process into system development life cycle activities. +nist_800_53_v4,nist_800_53_v4:sa-4,SA-4,Control,1,4,Acquisition Process, +nist_800_53_v4,nist_800_53_v4:sa-4(1),SA-4 (1),Enhancement,2,1,Functional Properties Of Security Controls,"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed." 
+nist_800_53_v4,nist_800_53_v4:sa-4(10),SA-4 (10),Enhancement,2,10,Use Of Approved Piv Products,The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. +nist_800_53_v4,nist_800_53_v4:sa-4(2),SA-4 (2),Enhancement,2,2,Design / Implementation Information For Security Controls,"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]." +nist_800_53_v4,nist_800_53_v4:sa-4(3),SA-4 (3),Enhancement,2,3,Development Methods / Techniques / Practices,"The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]." +nist_800_53_v4,nist_800_53_v4:sa-4(5),SA-4 (5),Enhancement,2,5,System / Component / Service Configurations,"The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." 
+nist_800_53_v4,nist_800_53_v4:sa-4(6),SA-4 (6),Enhancement,2,6,Use Of Information Assurance Products,The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. +nist_800_53_v4,nist_800_53_v4:sa-4(7),SA-4 (7),Enhancement,2,7,Niap-Approved Protection Profiles,"The organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated." +nist_800_53_v4,nist_800_53_v4:sa-4(8),SA-4 (8),Enhancement,2,8,Continuous Monitoring Plan,"The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]." 
+nist_800_53_v4,nist_800_53_v4:sa-4(9),SA-4 (9),Enhancement,2,9,Functions / Ports / Protocols / Services In Use,"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use." +nist_800_53_v4,nist_800_53_v4:sa-4a.,SA-4a.,Statement,2,1,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;" +nist_800_53_v4,nist_800_53_v4:sa-4b.,SA-4b.,Statement,2,2,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;" +nist_800_53_v4,nist_800_53_v4:sa-4c.,SA-4c.,Statement,2,3,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements;" +nist_800_53_v4,nist_800_53_v4:sa-4d.,SA-4d.,Statement,2,4,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information 
system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;" +nist_800_53_v4,nist_800_53_v4:sa-4e.,SA-4e.,Statement,2,5,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation;" +nist_800_53_v4,nist_800_53_v4:sa-4f.,SA-4f.,Statement,2,6,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and" +nist_800_53_v4,nist_800_53_v4:sa-4g.,SA-4g.,Statement,2,7,,"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria." 
+nist_800_53_v4,nist_800_53_v4:sa-5,SA-5,Control,1,5,Information System Documentation, +nist_800_53_v4,nist_800_53_v4:sa-5a.,SA-5a.,Statement,2,1,,"The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;" +nist_800_53_v4,nist_800_53_v4:sa-5b.,SA-5b.,Statement,2,2,,"The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and User responsibilities in maintaining the security of the system, component, or service;" +nist_800_53_v4,nist_800_53_v4:sa-5c.,SA-5c.,Statement,2,3,,"The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;" +nist_800_53_v4,nist_800_53_v4:sa-5d.,SA-5d.,Statement,2,4,,"The organization: Protects documentation as required, in accordance with the risk management strategy; and" +nist_800_53_v4,nist_800_53_v4:sa-5e.,SA-5e.,Statement,2,5,,The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]. 
+nist_800_53_v4,nist_800_53_v4:sa-6,SA-6,Control,1,6,Software Usage Restrictions, +nist_800_53_v4,nist_800_53_v4:sa-7,SA-7,Control,1,7,User-Installed Software, +nist_800_53_v4,nist_800_53_v4:sa-8,SA-8,Control,1,8,Security Engineering Principles, +nist_800_53_v4,nist_800_53_v4:sa-9,SA-9,Control,1,9,External Information System Services, +nist_800_53_v4,nist_800_53_v4:sa-9(1),SA-9 (1),Enhancement,2,1,Risk Assessments / Organizational Approvals,The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:sa-9(2),SA-9 (2),Enhancement,2,2,Identification Of Functions / Ports / Protocols / Services,"The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services." +nist_800_53_v4,nist_800_53_v4:sa-9(3),SA-9 (3),Enhancement,2,3,Establish / Maintain Trust Relationship With Providers,"The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]." +nist_800_53_v4,nist_800_53_v4:sa-9(4),SA-9 (4),Enhancement,2,4,Consistent Interests Of Consumers And Providers,The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. 
+nist_800_53_v4,nist_800_53_v4:sa-9(5),SA-9 (5),Enhancement,2,5,"Processing, Storage, And Service Location",The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. +nist_800_53_v4,nist_800_53_v4:sa-9a.,SA-9a.,Statement,2,1,,"The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" +nist_800_53_v4,nist_800_53_v4:sa-9b.,SA-9b.,Statement,2,2,,The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and +nist_800_53_v4,nist_800_53_v4:sa-9c.,SA-9c.,Statement,2,3,,"The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis." nist_800_53_v4,nist_800_53_v4:sc,SC,Family,0,17,System and Communications Protection, -nist_800_53_v4,nist_800_53_v4:sc-1,SC-1,Control,1,,System and Communications Protection Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:sc-10,SC-10,Control,1,,Network Disconnect, -nist_800_53_v4,nist_800_53_v4:sc-11,SC-11,Control,1,,Trusted Path, -nist_800_53_v4,nist_800_53_v4:sc-11(1),SC-11 (1),Enhancement,2,,Logical Isolation,The information system provides a trusted communications path that is logically isolated and distinguishable from other paths. 
-nist_800_53_v4,nist_800_53_v4:sc-12,SC-12,Control,1,,Cryptographic Key Establishment and Management, -nist_800_53_v4,nist_800_53_v4:sc-12(1),SC-12 (1),Enhancement,2,,Availability,The organization maintains availability of information in the event of the loss of cryptographic keys by users. -nist_800_53_v4,nist_800_53_v4:sc-12(2),SC-12 (2),Enhancement,2,,Symmetric Keys,"The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes." -nist_800_53_v4,nist_800_53_v4:sc-12(3),SC-12 (3),Enhancement,2,,Asymmetric Keys,"The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]." -nist_800_53_v4,nist_800_53_v4:sc-13,SC-13,Control,1,,Cryptographic Protection, -nist_800_53_v4,nist_800_53_v4:sc-14,SC-14,Control,1,,Public Access Protections, -nist_800_53_v4,nist_800_53_v4:sc-15,SC-15,Control,1,,Collaborative Computing Devices, -nist_800_53_v4,nist_800_53_v4:sc-15(1),SC-15 (1),Enhancement,2,,Physical Disconnect,The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. -nist_800_53_v4,nist_800_53_v4:sc-15(3),SC-15 (3),Enhancement,2,,Disabling / Removal In Secure Work Areas,The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. 
-nist_800_53_v4,nist_800_53_v4:sc-15(4),SC-15 (4),Enhancement,2,,Explicitly Indicate Current Participants,The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. -nist_800_53_v4,nist_800_53_v4:sc-15a.,SC-15a.,Statement,2,,,The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and -nist_800_53_v4,nist_800_53_v4:sc-15b.,SC-15b.,Statement,2,,,The information system: Provides an explicit indication of use to users physically present at the devices. -nist_800_53_v4,nist_800_53_v4:sc-16,SC-16,Control,1,,Transmission Of Security Attributes, -nist_800_53_v4,nist_800_53_v4:sc-16(1),SC-16 (1),Enhancement,2,,Integrity Validation,The information system validates the integrity of transmitted security attributes. -nist_800_53_v4,nist_800_53_v4:sc-17,SC-17,Control,1,,Public Key Infrastructure Certificates, -nist_800_53_v4,nist_800_53_v4:sc-18,SC-18,Control,1,,Mobile Code, -nist_800_53_v4,nist_800_53_v4:sc-18(1),SC-18 (1),Enhancement,2,,Identify Unacceptable Code / Take Corrective Actions,The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. -nist_800_53_v4,nist_800_53_v4:sc-18(2),SC-18 (2),Enhancement,2,,Acquisition / Development / Use,"The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]." -nist_800_53_v4,nist_800_53_v4:sc-18(3),SC-18 (3),Enhancement,2,,Prevent Downloading / Execution,The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]. 
-nist_800_53_v4,nist_800_53_v4:sc-18(4),SC-18 (4),Enhancement,2,,Prevent Automatic Execution,The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. -nist_800_53_v4,nist_800_53_v4:sc-18(5),SC-18 (5),Enhancement,2,,Allow Execution Only In Confined Environments,The organization allows execution of permitted mobile code only in confined virtual machine environments. -nist_800_53_v4,nist_800_53_v4:sc-18a.,SC-18a.,Statement,2,,,The organization: Defines acceptable and unacceptable mobile code and mobile code technologies; -nist_800_53_v4,nist_800_53_v4:sc-18b.,SC-18b.,Statement,2,,,The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and -nist_800_53_v4,nist_800_53_v4:sc-18c.,SC-18c.,Statement,2,,,"The organization: Authorizes, monitors, and controls the use of mobile code within the information system." -nist_800_53_v4,nist_800_53_v4:sc-19,SC-19,Control,1,,Voice Over Internet Protocol, -nist_800_53_v4,nist_800_53_v4:sc-19a.,SC-19a.,Statement,2,,,The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and -nist_800_53_v4,nist_800_53_v4:sc-19b.,SC-19b.,Statement,2,,,"The organization: Authorizes, monitors, and controls the use of VoIP within the information system." 
-nist_800_53_v4,nist_800_53_v4:sc-1a.,SC-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and" -nist_800_53_v4,nist_800_53_v4:sc-1b.,SC-1b.,Statement,2,,,The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and System and communications protection procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:sc-2,SC-2,Control,1,,Application Partitioning, -nist_800_53_v4,nist_800_53_v4:sc-2(1),SC-2 (1),Enhancement,2,,Interfaces For Non-Privileged Users,The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. -nist_800_53_v4,nist_800_53_v4:sc-20,SC-20,Control,1,,Secure Name / Address Resolution Service (Authoritative Source), -nist_800_53_v4,nist_800_53_v4:sc-20(2),SC-20 (2),Enhancement,2,,Data Origin / Integrity,The information system provides data origin and integrity protection artifacts for internal name/address resolution queries. 
-nist_800_53_v4,nist_800_53_v4:sc-20a.,SC-20a.,Statement,2,,,The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and -nist_800_53_v4,nist_800_53_v4:sc-20b.,SC-20b.,Statement,2,,,"The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." -nist_800_53_v4,nist_800_53_v4:sc-21,SC-21,Control,1,,Secure Name / Address Resolution Service (Recursive Or Caching Resolver), -nist_800_53_v4,nist_800_53_v4:sc-22,SC-22,Control,1,,Architecture and Provisioning For Name / Address Resolution Service, -nist_800_53_v4,nist_800_53_v4:sc-23,SC-23,Control,1,,Session Authenticity, -nist_800_53_v4,nist_800_53_v4:sc-23(1),SC-23 (1),Enhancement,2,,Invalidate Session Identifiers At Logout,The information system invalidates session identifiers upon user logout or other session termination. -nist_800_53_v4,nist_800_53_v4:sc-23(3),SC-23 (3),Enhancement,2,,Unique Session Identifiers With Randomization,The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. -nist_800_53_v4,nist_800_53_v4:sc-23(5),SC-23 (5),Enhancement,2,,Allowed Certificate Authorities,The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. 
-nist_800_53_v4,nist_800_53_v4:sc-24,SC-24,Control,1,,Fail In Known State, -nist_800_53_v4,nist_800_53_v4:sc-25,SC-25,Control,1,,Thin Nodes, -nist_800_53_v4,nist_800_53_v4:sc-26,SC-26,Control,1,,Honeypots, -nist_800_53_v4,nist_800_53_v4:sc-27,SC-27,Control,1,,Platform-Independent Applications, -nist_800_53_v4,nist_800_53_v4:sc-28,SC-28,Control,1,,Protection Of Information At Rest, -nist_800_53_v4,nist_800_53_v4:sc-28(1),SC-28 (1),Enhancement,2,,Cryptographic Protection,The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. -nist_800_53_v4,nist_800_53_v4:sc-28(2),SC-28 (2),Enhancement,2,,Off-Line Storage,The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. -nist_800_53_v4,nist_800_53_v4:sc-29,SC-29,Control,1,,Heterogeneity, -nist_800_53_v4,nist_800_53_v4:sc-29(1),SC-29 (1),Enhancement,2,,Virtualization Techniques,The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:sc-3,SC-3,Control,1,,Security Function Isolation, -nist_800_53_v4,nist_800_53_v4:sc-3(1),SC-3 (1),Enhancement,2,,Hardware Separation,The information system utilizes underlying hardware separation mechanisms to implement security function isolation. -nist_800_53_v4,nist_800_53_v4:sc-3(2),SC-3 (2),Enhancement,2,,Access / Flow Control Functions,The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions. 
-nist_800_53_v4,nist_800_53_v4:sc-3(3),SC-3 (3),Enhancement,2,,Minimize Nonsecurity Functionality,The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. -nist_800_53_v4,nist_800_53_v4:sc-3(4),SC-3 (4),Enhancement,2,,Module Coupling And Cohesiveness,The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. -nist_800_53_v4,nist_800_53_v4:sc-3(5),SC-3 (5),Enhancement,2,,Layered Structures,The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. -nist_800_53_v4,nist_800_53_v4:sc-30,SC-30,Control,1,,Concealment and Misdirection, -nist_800_53_v4,nist_800_53_v4:sc-30(2),SC-30 (2),Enhancement,2,,Randomness,The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. -nist_800_53_v4,nist_800_53_v4:sc-30(3),SC-30 (3),Enhancement,2,,Change Processing / Storage Locations,The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. -nist_800_53_v4,nist_800_53_v4:sc-30(4),SC-30 (4),Enhancement,2,,Misleading Information,"The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture." -nist_800_53_v4,nist_800_53_v4:sc-30(5),SC-30 (5),Enhancement,2,,Concealment Of System Components,The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. 
-nist_800_53_v4,nist_800_53_v4:sc-31,SC-31,Control,1,,Covert Channel Analysis, -nist_800_53_v4,nist_800_53_v4:sc-31(1),SC-31 (1),Enhancement,2,,Test Covert Channels For Exploitability,The organization tests a subset of the identified covert channels to determine which channels are exploitable. -nist_800_53_v4,nist_800_53_v4:sc-31(2),SC-31 (2),Enhancement,2,,Maximum Bandwidth,The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]. -nist_800_53_v4,nist_800_53_v4:sc-31(3),SC-31 (3),Enhancement,2,,Measure Bandwidth In Operational Environments,The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system. -nist_800_53_v4,nist_800_53_v4:sc-31a.,SC-31a.,Statement,2,,,The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and -nist_800_53_v4,nist_800_53_v4:sc-31b.,SC-31b.,Statement,2,,,The organization: Estimates the maximum bandwidth of those channels. -nist_800_53_v4,nist_800_53_v4:sc-32,SC-32,Control,1,,Information System Partitioning, -nist_800_53_v4,nist_800_53_v4:sc-33,SC-33,Control,1,,Transmission Preparation Integrity, -nist_800_53_v4,nist_800_53_v4:sc-34,SC-34,Control,1,,Non-Modifiable Executable Programs, -nist_800_53_v4,nist_800_53_v4:sc-34(1),SC-34 (1),Enhancement,2,,No Writable Storage,The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off. 
-nist_800_53_v4,nist_800_53_v4:sc-34(2),SC-34 (2),Enhancement,2,,Integrity Protection / Read-Only Media,The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media. -nist_800_53_v4,nist_800_53_v4:sc-34(3),SC-34 (3),Enhancement,2,,Hardware-Based Protection,"The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode." -nist_800_53_v4,nist_800_53_v4:sc-34a.,SC-34a.,Statement,2,,,"The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and" -nist_800_53_v4,nist_800_53_v4:sc-34b.,SC-34b.,Statement,2,,,"The information system at [Assignment: organization-defined information system components]: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media." -nist_800_53_v4,nist_800_53_v4:sc-35,SC-35,Control,1,,Honeyclients, -nist_800_53_v4,nist_800_53_v4:sc-36,SC-36,Control,1,,Distributed Processing and Storage, -nist_800_53_v4,nist_800_53_v4:sc-36(1),SC-36 (1),Enhancement,2,,Polling Techniques,"The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]." 
-nist_800_53_v4,nist_800_53_v4:sc-37,SC-37,Control,1,,Out-Of-Band Channels, -nist_800_53_v4,nist_800_53_v4:sc-37(1),SC-37 (1),Enhancement,2,,Ensure Delivery / Transmission,"The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]." -nist_800_53_v4,nist_800_53_v4:sc-38,SC-38,Control,1,,Operations Security, -nist_800_53_v4,nist_800_53_v4:sc-39,SC-39,Control,1,,Process Isolation, -nist_800_53_v4,nist_800_53_v4:sc-39(1),SC-39 (1),Enhancement,2,,Hardware Separation,The information system implements underlying hardware separation mechanisms to facilitate process separation. -nist_800_53_v4,nist_800_53_v4:sc-39(2),SC-39 (2),Enhancement,2,,Thread Isolation,The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. -nist_800_53_v4,nist_800_53_v4:sc-4,SC-4,Control,1,,Information In Shared Resources, -nist_800_53_v4,nist_800_53_v4:sc-4(2),SC-4 (2),Enhancement,2,,Periods Processing,The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. -nist_800_53_v4,nist_800_53_v4:sc-40,SC-40,Control,1,,Wireless Link Protection, -nist_800_53_v4,nist_800_53_v4:sc-40(1),SC-40 (1),Enhancement,2,,Electromagnetic Interference,The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. 
-nist_800_53_v4,nist_800_53_v4:sc-40(2),SC-40 (2),Enhancement,2,,Reduce Detection Potential,The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. -nist_800_53_v4,nist_800_53_v4:sc-40(3),SC-40 (3),Enhancement,2,,Imitative Or Manipulative Communications Deception,The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. -nist_800_53_v4,nist_800_53_v4:sc-40(4),SC-40 (4),Enhancement,2,,Signal Parameter Identification,The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. -nist_800_53_v4,nist_800_53_v4:sc-41,SC-41,Control,1,,Port and I/O Device Access, -nist_800_53_v4,nist_800_53_v4:sc-42,SC-42,Control,1,,Sensor Capability and Data, -nist_800_53_v4,nist_800_53_v4:sc-42(1),SC-42 (1),Enhancement,2,,Reporting To Authorized Individuals Or Roles,The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. -nist_800_53_v4,nist_800_53_v4:sc-42(2),SC-42 (2),Enhancement,2,,Authorized Use,"The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes." -nist_800_53_v4,nist_800_53_v4:sc-42(3),SC-42 (3),Enhancement,2,,Prohibit Use Of Devices,"The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]." 
-nist_800_53_v4,nist_800_53_v4:sc-42a.,SC-42a.,Statement,2,,,The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and -nist_800_53_v4,nist_800_53_v4:sc-42b.,SC-42b.,Statement,2,,,The information system: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. -nist_800_53_v4,nist_800_53_v4:sc-43,SC-43,Control,1,,Usage Restrictions, -nist_800_53_v4,nist_800_53_v4:sc-43a.,SC-43a.,Statement,2,,,The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and -nist_800_53_v4,nist_800_53_v4:sc-43b.,SC-43b.,Statement,2,,,"The organization: Authorizes, monitors, and controls the use of such components within the information system." -nist_800_53_v4,nist_800_53_v4:sc-44,SC-44,Control,1,,Detonation Chambers, -nist_800_53_v4,nist_800_53_v4:sc-5,SC-5,Control,1,,Denial Of Service Protection, -nist_800_53_v4,nist_800_53_v4:sc-5(1),SC-5 (1),Enhancement,2,,Restrict Internal Users,The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. -nist_800_53_v4,nist_800_53_v4:sc-5(2),SC-5 (2),Enhancement,2,,Excess Capacity / Bandwidth / Redundancy,"The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks." 
-nist_800_53_v4,nist_800_53_v4:sc-5(3),SC-5 (3),Enhancement,2,,Detection / Monitoring,The organization: Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. -nist_800_53_v4,nist_800_53_v4:sc-6,SC-6,Control,1,,Resource Availability, -nist_800_53_v4,nist_800_53_v4:sc-7,SC-7,Control,1,,Boundary Protection, -nist_800_53_v4,nist_800_53_v4:sc-7(10),SC-7 (10),Enhancement,2,,Prevent Unauthorized Exfiltration,The organization prevents the unauthorized exfiltration of information across managed interfaces. -nist_800_53_v4,nist_800_53_v4:sc-7(11),SC-7 (11),Enhancement,2,,Restrict Incoming Communications Traffic,The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. -nist_800_53_v4,nist_800_53_v4:sc-7(12),SC-7 (12),Enhancement,2,,Host-Based Protection,The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. -nist_800_53_v4,nist_800_53_v4:sc-7(13),SC-7 (13),Enhancement,2,,Isolation Of Security Tools / Mechanisms / Support Components,"The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system." -nist_800_53_v4,nist_800_53_v4:sc-7(14),SC-7 (14),Enhancement,2,,Protects Against Unauthorized Physical Connections,The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. 
-nist_800_53_v4,nist_800_53_v4:sc-7(15),SC-7 (15),Enhancement,2,,Route Privileged Network Accesses,"The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing." -nist_800_53_v4,nist_800_53_v4:sc-7(16),SC-7 (16),Enhancement,2,,Prevent Discovery Of Components / Devices,The information system prevents discovery of specific system components composing a managed interface. -nist_800_53_v4,nist_800_53_v4:sc-7(17),SC-7 (17),Enhancement,2,,Automated Enforcement Of Protocol Formats,The information system enforces adherence to protocol formats. -nist_800_53_v4,nist_800_53_v4:sc-7(18),SC-7 (18),Enhancement,2,,Fail Secure,The information system fails securely in the event of an operational failure of a boundary protection device. -nist_800_53_v4,nist_800_53_v4:sc-7(19),SC-7 (19),Enhancement,2,,Blocks Communication From Non-Organizationally Configured Hosts,The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. -nist_800_53_v4,nist_800_53_v4:sc-7(20),SC-7 (20),Enhancement,2,,Dynamic Isolation / Segregation,The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system. -nist_800_53_v4,nist_800_53_v4:sc-7(21),SC-7 (21),Enhancement,2,,Isolation Of Information System Components,The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. 
-nist_800_53_v4,nist_800_53_v4:sc-7(22),SC-7 (22),Enhancement,2,,Separate Subnets For Connecting To Different Security Domains,"The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains." -nist_800_53_v4,nist_800_53_v4:sc-7(23),SC-7 (23),Enhancement,2,,Disable Sender Feedback On Protocol Validation Failure,The information system disables feedback to senders on protocol format validation failure. -nist_800_53_v4,nist_800_53_v4:sc-7(3),SC-7 (3),Enhancement,2,,Access Points,The organization limits the number of external network connections to the information system. -nist_800_53_v4,nist_800_53_v4:sc-7(4),SC-7 (4),Enhancement,2,,External Telecommunications Services,The organization: Implements a managed interface for each external telecommunication service; Establishes a traffic flow policy for each managed interface; Protects the confidentiality and integrity of the information being transmitted across each interface; Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. -nist_800_53_v4,nist_800_53_v4:sc-7(5),SC-7 (5),Enhancement,2,,Deny By Default / Allow By Exception,"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)." -nist_800_53_v4,nist_800_53_v4:sc-7(7),SC-7 (7),Enhancement,2,,Prevent Split Tunneling For Remote Devices,"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks." 
-nist_800_53_v4,nist_800_53_v4:sc-7(8),SC-7 (8),Enhancement,2,,Route Traffic To Authenticated Proxy Servers,The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. -nist_800_53_v4,nist_800_53_v4:sc-7(9),SC-7 (9),Enhancement,2,,Restrict Threatening Outgoing Communications Traffic,The information system: Detects and denies outgoing communications traffic posing a threat to external information systems; and Audits the identity of internal users associated with denied communications. -nist_800_53_v4,nist_800_53_v4:sc-7a.,SC-7a.,Statement,2,,,The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; -nist_800_53_v4,nist_800_53_v4:sc-7b.,SC-7b.,Statement,2,,,The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and -nist_800_53_v4,nist_800_53_v4:sc-7c.,SC-7c.,Statement,2,,,The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. -nist_800_53_v4,nist_800_53_v4:sc-8,SC-8,Control,1,,Transmission Confidentiality and Integrity, -nist_800_53_v4,nist_800_53_v4:sc-8(1),SC-8 (1),Enhancement,2,,Cryptographic Or Alternate Physical Protection,The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. 
-nist_800_53_v4,nist_800_53_v4:sc-8(2),SC-8 (2),Enhancement,2,,Pre / Post Transmission Handling,The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. -nist_800_53_v4,nist_800_53_v4:sc-8(3),SC-8 (3),Enhancement,2,,Cryptographic Protection For Message Externals,The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. -nist_800_53_v4,nist_800_53_v4:sc-8(4),SC-8 (4),Enhancement,2,,Conceal / Randomize Communications,The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. -nist_800_53_v4,nist_800_53_v4:sc-9,SC-9,Control,1,,Transmission Confidentiality, +nist_800_53_v4,nist_800_53_v4:sc-1,SC-1,Control,1,1,System and Communications Protection Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:sc-10,SC-10,Control,1,10,Network Disconnect, +nist_800_53_v4,nist_800_53_v4:sc-11,SC-11,Control,1,11,Trusted Path, +nist_800_53_v4,nist_800_53_v4:sc-11(1),SC-11 (1),Enhancement,2,1,Logical Isolation,The information system provides a trusted communications path that is logically isolated and distinguishable from other paths. +nist_800_53_v4,nist_800_53_v4:sc-12,SC-12,Control,1,12,Cryptographic Key Establishment and Management, +nist_800_53_v4,nist_800_53_v4:sc-12(1),SC-12 (1),Enhancement,2,1,Availability,The organization maintains availability of information in the event of the loss of cryptographic keys by users. +nist_800_53_v4,nist_800_53_v4:sc-12(2),SC-12 (2),Enhancement,2,2,Symmetric Keys,"The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes." 
+nist_800_53_v4,nist_800_53_v4:sc-12(3),SC-12 (3),Enhancement,2,3,Asymmetric Keys,"The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]." +nist_800_53_v4,nist_800_53_v4:sc-13,SC-13,Control,1,13,Cryptographic Protection, +nist_800_53_v4,nist_800_53_v4:sc-14,SC-14,Control,1,14,Public Access Protections, +nist_800_53_v4,nist_800_53_v4:sc-15,SC-15,Control,1,15,Collaborative Computing Devices, +nist_800_53_v4,nist_800_53_v4:sc-15(1),SC-15 (1),Enhancement,2,1,Physical Disconnect,The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. +nist_800_53_v4,nist_800_53_v4:sc-15(3),SC-15 (3),Enhancement,2,3,Disabling / Removal In Secure Work Areas,The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. +nist_800_53_v4,nist_800_53_v4:sc-15(4),SC-15 (4),Enhancement,2,4,Explicitly Indicate Current Participants,The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. +nist_800_53_v4,nist_800_53_v4:sc-15a.,SC-15a.,Statement,2,1,,The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and +nist_800_53_v4,nist_800_53_v4:sc-15b.,SC-15b.,Statement,2,2,,The information system: Provides an explicit indication of use to users physically present at the devices. 
+nist_800_53_v4,nist_800_53_v4:sc-16,SC-16,Control,1,16,Transmission Of Security Attributes, +nist_800_53_v4,nist_800_53_v4:sc-16(1),SC-16 (1),Enhancement,2,1,Integrity Validation,The information system validates the integrity of transmitted security attributes. +nist_800_53_v4,nist_800_53_v4:sc-17,SC-17,Control,1,17,Public Key Infrastructure Certificates, +nist_800_53_v4,nist_800_53_v4:sc-18,SC-18,Control,1,18,Mobile Code, +nist_800_53_v4,nist_800_53_v4:sc-18(1),SC-18 (1),Enhancement,2,1,Identify Unacceptable Code / Take Corrective Actions,The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. +nist_800_53_v4,nist_800_53_v4:sc-18(2),SC-18 (2),Enhancement,2,2,Acquisition / Development / Use,"The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]." +nist_800_53_v4,nist_800_53_v4:sc-18(3),SC-18 (3),Enhancement,2,3,Prevent Downloading / Execution,The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]. +nist_800_53_v4,nist_800_53_v4:sc-18(4),SC-18 (4),Enhancement,2,4,Prevent Automatic Execution,The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. +nist_800_53_v4,nist_800_53_v4:sc-18(5),SC-18 (5),Enhancement,2,5,Allow Execution Only In Confined Environments,The organization allows execution of permitted mobile code only in confined virtual machine environments. 
+nist_800_53_v4,nist_800_53_v4:sc-18a.,SC-18a.,Statement,2,1,,The organization: Defines acceptable and unacceptable mobile code and mobile code technologies; +nist_800_53_v4,nist_800_53_v4:sc-18b.,SC-18b.,Statement,2,2,,The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and +nist_800_53_v4,nist_800_53_v4:sc-18c.,SC-18c.,Statement,2,3,,"The organization: Authorizes, monitors, and controls the use of mobile code within the information system." +nist_800_53_v4,nist_800_53_v4:sc-19,SC-19,Control,1,19,Voice Over Internet Protocol, +nist_800_53_v4,nist_800_53_v4:sc-19a.,SC-19a.,Statement,2,1,,The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and +nist_800_53_v4,nist_800_53_v4:sc-19b.,SC-19b.,Statement,2,2,,"The organization: Authorizes, monitors, and controls the use of VoIP within the information system." +nist_800_53_v4,nist_800_53_v4:sc-1a.,SC-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and" +nist_800_53_v4,nist_800_53_v4:sc-1b.,SC-1b.,Statement,2,2,,The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and System and communications protection procedures [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:sc-2,SC-2,Control,1,2,Application Partitioning, +nist_800_53_v4,nist_800_53_v4:sc-2(1),SC-2 (1),Enhancement,2,1,Interfaces For Non-Privileged Users,The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. +nist_800_53_v4,nist_800_53_v4:sc-20,SC-20,Control,1,20,Secure Name / Address Resolution Service (Authoritative Source), +nist_800_53_v4,nist_800_53_v4:sc-20(2),SC-20 (2),Enhancement,2,2,Data Origin / Integrity,The information system provides data origin and integrity protection artifacts for internal name/address resolution queries. +nist_800_53_v4,nist_800_53_v4:sc-20a.,SC-20a.,Statement,2,1,,The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and +nist_800_53_v4,nist_800_53_v4:sc-20b.,SC-20b.,Statement,2,2,,"The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." +nist_800_53_v4,nist_800_53_v4:sc-21,SC-21,Control,1,21,Secure Name / Address Resolution Service (Recursive Or Caching Resolver), +nist_800_53_v4,nist_800_53_v4:sc-22,SC-22,Control,1,22,Architecture and Provisioning For Name / Address Resolution Service, +nist_800_53_v4,nist_800_53_v4:sc-23,SC-23,Control,1,23,Session Authenticity, +nist_800_53_v4,nist_800_53_v4:sc-23(1),SC-23 (1),Enhancement,2,1,Invalidate Session Identifiers At Logout,The information system invalidates session identifiers upon user logout or other session termination. 
+nist_800_53_v4,nist_800_53_v4:sc-23(3),SC-23 (3),Enhancement,2,3,Unique Session Identifiers With Randomization,The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. +nist_800_53_v4,nist_800_53_v4:sc-23(5),SC-23 (5),Enhancement,2,5,Allowed Certificate Authorities,The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. +nist_800_53_v4,nist_800_53_v4:sc-24,SC-24,Control,1,24,Fail In Known State, +nist_800_53_v4,nist_800_53_v4:sc-25,SC-25,Control,1,25,Thin Nodes, +nist_800_53_v4,nist_800_53_v4:sc-26,SC-26,Control,1,26,Honeypots, +nist_800_53_v4,nist_800_53_v4:sc-27,SC-27,Control,1,27,Platform-Independent Applications, +nist_800_53_v4,nist_800_53_v4:sc-28,SC-28,Control,1,28,Protection Of Information At Rest, +nist_800_53_v4,nist_800_53_v4:sc-28(1),SC-28 (1),Enhancement,2,1,Cryptographic Protection,The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. +nist_800_53_v4,nist_800_53_v4:sc-28(2),SC-28 (2),Enhancement,2,2,Off-Line Storage,The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. +nist_800_53_v4,nist_800_53_v4:sc-29,SC-29,Control,1,29,Heterogeneity, +nist_800_53_v4,nist_800_53_v4:sc-29(1),SC-29 (1),Enhancement,2,1,Virtualization Techniques,The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:sc-3,SC-3,Control,1,3,Security Function Isolation, +nist_800_53_v4,nist_800_53_v4:sc-3(1),SC-3 (1),Enhancement,2,1,Hardware Separation,The information system utilizes underlying hardware separation mechanisms to implement security function isolation. +nist_800_53_v4,nist_800_53_v4:sc-3(2),SC-3 (2),Enhancement,2,2,Access / Flow Control Functions,The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions. +nist_800_53_v4,nist_800_53_v4:sc-3(3),SC-3 (3),Enhancement,2,3,Minimize Nonsecurity Functionality,The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. +nist_800_53_v4,nist_800_53_v4:sc-3(4),SC-3 (4),Enhancement,2,4,Module Coupling And Cohesiveness,The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. +nist_800_53_v4,nist_800_53_v4:sc-3(5),SC-3 (5),Enhancement,2,5,Layered Structures,The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. +nist_800_53_v4,nist_800_53_v4:sc-30,SC-30,Control,1,30,Concealment and Misdirection, +nist_800_53_v4,nist_800_53_v4:sc-30(2),SC-30 (2),Enhancement,2,2,Randomness,The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. +nist_800_53_v4,nist_800_53_v4:sc-30(3),SC-30 (3),Enhancement,2,3,Change Processing / Storage Locations,The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. 
+nist_800_53_v4,nist_800_53_v4:sc-30(4),SC-30 (4),Enhancement,2,4,Misleading Information,"The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture." +nist_800_53_v4,nist_800_53_v4:sc-30(5),SC-30 (5),Enhancement,2,5,Concealment Of System Components,The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. +nist_800_53_v4,nist_800_53_v4:sc-31,SC-31,Control,1,31,Covert Channel Analysis, +nist_800_53_v4,nist_800_53_v4:sc-31(1),SC-31 (1),Enhancement,2,1,Test Covert Channels For Exploitability,The organization tests a subset of the identified covert channels to determine which channels are exploitable. +nist_800_53_v4,nist_800_53_v4:sc-31(2),SC-31 (2),Enhancement,2,2,Maximum Bandwidth,The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]. +nist_800_53_v4,nist_800_53_v4:sc-31(3),SC-31 (3),Enhancement,2,3,Measure Bandwidth In Operational Environments,The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system. +nist_800_53_v4,nist_800_53_v4:sc-31a.,SC-31a.,Statement,2,1,,The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and +nist_800_53_v4,nist_800_53_v4:sc-31b.,SC-31b.,Statement,2,2,,The organization: Estimates the maximum bandwidth of those channels. 
+nist_800_53_v4,nist_800_53_v4:sc-32,SC-32,Control,1,32,Information System Partitioning, +nist_800_53_v4,nist_800_53_v4:sc-33,SC-33,Control,1,33,Transmission Preparation Integrity, +nist_800_53_v4,nist_800_53_v4:sc-34,SC-34,Control,1,34,Non-Modifiable Executable Programs, +nist_800_53_v4,nist_800_53_v4:sc-34(1),SC-34 (1),Enhancement,2,1,No Writable Storage,The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off. +nist_800_53_v4,nist_800_53_v4:sc-34(2),SC-34 (2),Enhancement,2,2,Integrity Protection / Read-Only Media,The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media. +nist_800_53_v4,nist_800_53_v4:sc-34(3),SC-34 (3),Enhancement,2,3,Hardware-Based Protection,"The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode." +nist_800_53_v4,nist_800_53_v4:sc-34a.,SC-34a.,Statement,2,1,,"The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and" +nist_800_53_v4,nist_800_53_v4:sc-34b.,SC-34b.,Statement,2,2,,"The information system at [Assignment: organization-defined information system components]: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media." 
+nist_800_53_v4,nist_800_53_v4:sc-35,SC-35,Control,1,35,Honeyclients, +nist_800_53_v4,nist_800_53_v4:sc-36,SC-36,Control,1,36,Distributed Processing and Storage, +nist_800_53_v4,nist_800_53_v4:sc-36(1),SC-36 (1),Enhancement,2,1,Polling Techniques,"The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]." +nist_800_53_v4,nist_800_53_v4:sc-37,SC-37,Control,1,37,Out-Of-Band Channels, +nist_800_53_v4,nist_800_53_v4:sc-37(1),SC-37 (1),Enhancement,2,1,Ensure Delivery / Transmission,"The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]." +nist_800_53_v4,nist_800_53_v4:sc-38,SC-38,Control,1,38,Operations Security, +nist_800_53_v4,nist_800_53_v4:sc-39,SC-39,Control,1,39,Process Isolation, +nist_800_53_v4,nist_800_53_v4:sc-39(1),SC-39 (1),Enhancement,2,1,Hardware Separation,The information system implements underlying hardware separation mechanisms to facilitate process separation. +nist_800_53_v4,nist_800_53_v4:sc-39(2),SC-39 (2),Enhancement,2,2,Thread Isolation,The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. +nist_800_53_v4,nist_800_53_v4:sc-4,SC-4,Control,1,4,Information In Shared Resources, +nist_800_53_v4,nist_800_53_v4:sc-4(2),SC-4 (2),Enhancement,2,2,Periods Processing,The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. 
+nist_800_53_v4,nist_800_53_v4:sc-40,SC-40,Control,1,40,Wireless Link Protection, +nist_800_53_v4,nist_800_53_v4:sc-40(1),SC-40 (1),Enhancement,2,1,Electromagnetic Interference,The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. +nist_800_53_v4,nist_800_53_v4:sc-40(2),SC-40 (2),Enhancement,2,2,Reduce Detection Potential,The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. +nist_800_53_v4,nist_800_53_v4:sc-40(3),SC-40 (3),Enhancement,2,3,Imitative Or Manipulative Communications Deception,The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. +nist_800_53_v4,nist_800_53_v4:sc-40(4),SC-40 (4),Enhancement,2,4,Signal Parameter Identification,The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. +nist_800_53_v4,nist_800_53_v4:sc-41,SC-41,Control,1,41,Port and I/O Device Access, +nist_800_53_v4,nist_800_53_v4:sc-42,SC-42,Control,1,42,Sensor Capability and Data, +nist_800_53_v4,nist_800_53_v4:sc-42(1),SC-42 (1),Enhancement,2,1,Reporting To Authorized Individuals Or Roles,The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. 
+nist_800_53_v4,nist_800_53_v4:sc-42(2),SC-42 (2),Enhancement,2,2,Authorized Use,"The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes." +nist_800_53_v4,nist_800_53_v4:sc-42(3),SC-42 (3),Enhancement,2,3,Prohibit Use Of Devices,"The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]." +nist_800_53_v4,nist_800_53_v4:sc-42a.,SC-42a.,Statement,2,1,,The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and +nist_800_53_v4,nist_800_53_v4:sc-42b.,SC-42b.,Statement,2,2,,The information system: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]. +nist_800_53_v4,nist_800_53_v4:sc-43,SC-43,Control,1,43,Usage Restrictions, +nist_800_53_v4,nist_800_53_v4:sc-43a.,SC-43a.,Statement,2,1,,The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and +nist_800_53_v4,nist_800_53_v4:sc-43b.,SC-43b.,Statement,2,2,,"The organization: Authorizes, monitors, and controls the use of such components within the information system." 
+nist_800_53_v4,nist_800_53_v4:sc-44,SC-44,Control,1,44,Detonation Chambers, +nist_800_53_v4,nist_800_53_v4:sc-5,SC-5,Control,1,5,Denial Of Service Protection, +nist_800_53_v4,nist_800_53_v4:sc-5(1),SC-5 (1),Enhancement,2,1,Restrict Internal Users,The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. +nist_800_53_v4,nist_800_53_v4:sc-5(2),SC-5 (2),Enhancement,2,2,Excess Capacity / Bandwidth / Redundancy,"The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks." +nist_800_53_v4,nist_800_53_v4:sc-5(3),SC-5 (3),Enhancement,2,3,Detection / Monitoring,The organization: Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks. +nist_800_53_v4,nist_800_53_v4:sc-6,SC-6,Control,1,6,Resource Availability, +nist_800_53_v4,nist_800_53_v4:sc-7,SC-7,Control,1,7,Boundary Protection, +nist_800_53_v4,nist_800_53_v4:sc-7(10),SC-7 (10),Enhancement,2,10,Prevent Unauthorized Exfiltration,The organization prevents the unauthorized exfiltration of information across managed interfaces. +nist_800_53_v4,nist_800_53_v4:sc-7(11),SC-7 (11),Enhancement,2,11,Restrict Incoming Communications Traffic,The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. 
+nist_800_53_v4,nist_800_53_v4:sc-7(12),SC-7 (12),Enhancement,2,12,Host-Based Protection,The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. +nist_800_53_v4,nist_800_53_v4:sc-7(13),SC-7 (13),Enhancement,2,13,Isolation Of Security Tools / Mechanisms / Support Components,"The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system." +nist_800_53_v4,nist_800_53_v4:sc-7(14),SC-7 (14),Enhancement,2,14,Protects Against Unauthorized Physical Connections,The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. +nist_800_53_v4,nist_800_53_v4:sc-7(15),SC-7 (15),Enhancement,2,15,Route Privileged Network Accesses,"The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing." +nist_800_53_v4,nist_800_53_v4:sc-7(16),SC-7 (16),Enhancement,2,16,Prevent Discovery Of Components / Devices,The information system prevents discovery of specific system components composing a managed interface. +nist_800_53_v4,nist_800_53_v4:sc-7(17),SC-7 (17),Enhancement,2,17,Automated Enforcement Of Protocol Formats,The information system enforces adherence to protocol formats. +nist_800_53_v4,nist_800_53_v4:sc-7(18),SC-7 (18),Enhancement,2,18,Fail Secure,The information system fails securely in the event of an operational failure of a boundary protection device. 
+nist_800_53_v4,nist_800_53_v4:sc-7(19),SC-7 (19),Enhancement,2,19,Blocks Communication From Non-Organizationally Configured Hosts,The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. +nist_800_53_v4,nist_800_53_v4:sc-7(20),SC-7 (20),Enhancement,2,20,Dynamic Isolation / Segregation,The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system. +nist_800_53_v4,nist_800_53_v4:sc-7(21),SC-7 (21),Enhancement,2,21,Isolation Of Information System Components,The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. +nist_800_53_v4,nist_800_53_v4:sc-7(22),SC-7 (22),Enhancement,2,22,Separate Subnets For Connecting To Different Security Domains,"The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains." +nist_800_53_v4,nist_800_53_v4:sc-7(23),SC-7 (23),Enhancement,2,23,Disable Sender Feedback On Protocol Validation Failure,The information system disables feedback to senders on protocol format validation failure. +nist_800_53_v4,nist_800_53_v4:sc-7(3),SC-7 (3),Enhancement,2,3,Access Points,The organization limits the number of external network connections to the information system. 
+nist_800_53_v4,nist_800_53_v4:sc-7(4),SC-7 (4),Enhancement,2,4,External Telecommunications Services,The organization: Implements a managed interface for each external telecommunication service; Establishes a traffic flow policy for each managed interface; Protects the confidentiality and integrity of the information being transmitted across each interface; Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. +nist_800_53_v4,nist_800_53_v4:sc-7(5),SC-7 (5),Enhancement,2,5,Deny By Default / Allow By Exception,"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)." +nist_800_53_v4,nist_800_53_v4:sc-7(7),SC-7 (7),Enhancement,2,7,Prevent Split Tunneling For Remote Devices,"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks." +nist_800_53_v4,nist_800_53_v4:sc-7(8),SC-7 (8),Enhancement,2,8,Route Traffic To Authenticated Proxy Servers,The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. +nist_800_53_v4,nist_800_53_v4:sc-7(9),SC-7 (9),Enhancement,2,9,Restrict Threatening Outgoing Communications Traffic,The information system: Detects and denies outgoing communications traffic posing a threat to external information systems; and Audits the identity of internal users associated with denied communications. 
+nist_800_53_v4,nist_800_53_v4:sc-7a.,SC-7a.,Statement,2,1,,The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; +nist_800_53_v4,nist_800_53_v4:sc-7b.,SC-7b.,Statement,2,2,,The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and +nist_800_53_v4,nist_800_53_v4:sc-7c.,SC-7c.,Statement,2,3,,The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. +nist_800_53_v4,nist_800_53_v4:sc-8,SC-8,Control,1,8,Transmission Confidentiality and Integrity, +nist_800_53_v4,nist_800_53_v4:sc-8(1),SC-8 (1),Enhancement,2,1,Cryptographic Or Alternate Physical Protection,The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. +nist_800_53_v4,nist_800_53_v4:sc-8(2),SC-8 (2),Enhancement,2,2,Pre / Post Transmission Handling,The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. +nist_800_53_v4,nist_800_53_v4:sc-8(3),SC-8 (3),Enhancement,2,3,Cryptographic Protection For Message Externals,The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. 
+nist_800_53_v4,nist_800_53_v4:sc-8(4),SC-8 (4),Enhancement,2,4,Conceal / Randomize Communications,The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. +nist_800_53_v4,nist_800_53_v4:sc-9,SC-9,Control,1,9,Transmission Confidentiality, nist_800_53_v4,nist_800_53_v4:si,SI,Family,0,18,System and Information Integrity, -nist_800_53_v4,nist_800_53_v4:si-1,SI-1,Control,1,,System and Information Integrity Policy and Procedures, -nist_800_53_v4,nist_800_53_v4:si-10,SI-10,Control,1,,Information Input Validation, -nist_800_53_v4,nist_800_53_v4:si-10(1),SI-10 (1),Enhancement,2,,Manual Override Capability,The information system: Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and Audits the use of the manual override capability. -nist_800_53_v4,nist_800_53_v4:si-10(2),SI-10 (2),Enhancement,2,,Review / Resolution Of Errors,The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:si-10(3),SI-10 (3),Enhancement,2,,Predictable Behavior,The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. -nist_800_53_v4,nist_800_53_v4:si-10(4),SI-10 (4),Enhancement,2,,Review / Timing Interactions,The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. 
-nist_800_53_v4,nist_800_53_v4:si-10(5),SI-10 (5),Enhancement,2,,Restrict Inputs To Trusted Sources And Approved Formats,The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. -nist_800_53_v4,nist_800_53_v4:si-11,SI-11,Control,1,,Error Handling, -nist_800_53_v4,nist_800_53_v4:si-11a.,SI-11a.,Statement,2,,,The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and -nist_800_53_v4,nist_800_53_v4:si-11b.,SI-11b.,Statement,2,,,The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:si-12,SI-12,Control,1,,Information Handling and Retention, -nist_800_53_v4,nist_800_53_v4:si-13,SI-13,Control,1,,Predictable Failure Prevention, -nist_800_53_v4,nist_800_53_v4:si-13(1),SI-13 (1),Enhancement,2,,Transferring Component Responsibilities,The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. -nist_800_53_v4,nist_800_53_v4:si-13(3),SI-13 (3),Enhancement,2,,Manual Transfer Between Components,The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]. 
-nist_800_53_v4,nist_800_53_v4:si-13(4),SI-13 (4),Enhancement,2,,Standby Component Installation / Notification,"The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]." -nist_800_53_v4,nist_800_53_v4:si-13(5),SI-13 (5),Enhancement,2,,Failover Capability,The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system. -nist_800_53_v4,nist_800_53_v4:si-13a.,SI-13a.,Statement,2,,,The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and -nist_800_53_v4,nist_800_53_v4:si-13b.,SI-13b.,Statement,2,,,The organization: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. -nist_800_53_v4,nist_800_53_v4:si-14,SI-14,Control,1,,Non-Persistence, -nist_800_53_v4,nist_800_53_v4:si-14(1),SI-14 (1),Enhancement,2,,Refresh From Trusted Sources,The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]. 
-nist_800_53_v4,nist_800_53_v4:si-15,SI-15,Control,1,,Information Output Filtering, -nist_800_53_v4,nist_800_53_v4:si-16,SI-16,Control,1,,Memory Protection, -nist_800_53_v4,nist_800_53_v4:si-17,SI-17,Control,1,,Fail-Safe Procedures, -nist_800_53_v4,nist_800_53_v4:si-1a.,SI-1a.,Statement,2,,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and" -nist_800_53_v4,nist_800_53_v4:si-1b.,SI-1b.,Statement,2,,,The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and System and information integrity procedures [Assignment: organization-defined frequency]. -nist_800_53_v4,nist_800_53_v4:si-2,SI-2,Control,1,,Flaw Remediation, -nist_800_53_v4,nist_800_53_v4:si-2(1),SI-2 (1),Enhancement,2,,Central Management,The organization centrally manages the flaw remediation process. -nist_800_53_v4,nist_800_53_v4:si-2(2),SI-2 (2),Enhancement,2,,Automated Flaw Remediation Status,The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. -nist_800_53_v4,nist_800_53_v4:si-2(3),SI-2 (3),Enhancement,2,,Time To Remediate Flaws / Benchmarks For Corrective Actions,The organization: Measures the time between flaw identification and flaw remediation; and Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. 
-nist_800_53_v4,nist_800_53_v4:si-2(5),SI-2 (5),Enhancement,2,,Automatic Software / Firmware Updates,The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. -nist_800_53_v4,nist_800_53_v4:si-2(6),SI-2 (6),Enhancement,2,,Removal Of Previous Versions Of Software / Firmware,The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. -nist_800_53_v4,nist_800_53_v4:si-2a.,SI-2a.,Statement,2,,,"The organization: Identifies, reports, and corrects information system flaws;" -nist_800_53_v4,nist_800_53_v4:si-2b.,SI-2b.,Statement,2,,,The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; -nist_800_53_v4,nist_800_53_v4:si-2c.,SI-2c.,Statement,2,,,The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and -nist_800_53_v4,nist_800_53_v4:si-2d.,SI-2d.,Statement,2,,,The organization: Incorporates flaw remediation into the organizational configuration management process. -nist_800_53_v4,nist_800_53_v4:si-3,SI-3,Control,1,,Malicious Code Protection, -nist_800_53_v4,nist_800_53_v4:si-3(1),SI-3 (1),Enhancement,2,,Central Management,The organization centrally manages malicious code protection mechanisms. -nist_800_53_v4,nist_800_53_v4:si-3(10),SI-3 (10),Enhancement,2,,Malicious Code Analysis,The organization: Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. 
-nist_800_53_v4,nist_800_53_v4:si-3(2),SI-3 (2),Enhancement,2,,Automatic Updates,The information system automatically updates malicious code protection mechanisms. -nist_800_53_v4,nist_800_53_v4:si-3(4),SI-3 (4),Enhancement,2,,Updates Only By Privileged Users,The information system updates malicious code protection mechanisms only when directed by a privileged user. -nist_800_53_v4,nist_800_53_v4:si-3(6),SI-3 (6),Enhancement,2,,Testing / Verification,"The organization: Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and Verifies that both detection of the test case and associated incident reporting occur." -nist_800_53_v4,nist_800_53_v4:si-3(7),SI-3 (7),Enhancement,2,,Nonsignature-Based Detection,The information system implements nonsignature-based malicious code detection mechanisms. -nist_800_53_v4,nist_800_53_v4:si-3(8),SI-3 (8),Enhancement,2,,Detect Unauthorized Commands,The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command]. -nist_800_53_v4,nist_800_53_v4:si-3(9),SI-3 (9),Enhancement,2,,Authenticate Remote Commands,The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. 
-nist_800_53_v4,nist_800_53_v4:si-3a.,SI-3a.,Statement,2,,,The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; -nist_800_53_v4,nist_800_53_v4:si-3b.,SI-3b.,Statement,2,,,The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; -nist_800_53_v4,nist_800_53_v4:si-3c.,SI-3c.,Statement,2,,,"The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and" -nist_800_53_v4,nist_800_53_v4:si-3d.,SI-3d.,Statement,2,,,The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. -nist_800_53_v4,nist_800_53_v4:si-4,SI-4,Control,1,,Information System Monitoring, -nist_800_53_v4,nist_800_53_v4:si-4(1),SI-4 (1),Enhancement,2,,System-Wide Intrusion Detection System,The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. -nist_800_53_v4,nist_800_53_v4:si-4(10),SI-4 (10),Enhancement,2,,Visibility Of Encrypted Communications,The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. 
-nist_800_53_v4,nist_800_53_v4:si-4(11),SI-4 (11),Enhancement,2,,Analyze Communications Traffic Anomalies,"The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies." -nist_800_53_v4,nist_800_53_v4:si-4(12),SI-4 (12),Enhancement,2,,Automated Alerts,The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. -nist_800_53_v4,nist_800_53_v4:si-4(13),SI-4 (13),Enhancement,2,,Analyze Traffic / Event Patterns,The organization: Analyzes communications traffic/event patterns for the information system; Develops profiles representing common traffic patterns and/or events; and Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. -nist_800_53_v4,nist_800_53_v4:si-4(14),SI-4 (14),Enhancement,2,,Wireless Intrusion Detection,The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. -nist_800_53_v4,nist_800_53_v4:si-4(15),SI-4 (15),Enhancement,2,,Wireless To Wireline Communications,The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. -nist_800_53_v4,nist_800_53_v4:si-4(16),SI-4 (16),Enhancement,2,,Correlate Monitoring Information,The organization correlates information from monitoring tools employed throughout the information system. 
-nist_800_53_v4,nist_800_53_v4:si-4(17),SI-4 (17),Enhancement,2,,Integrated Situational Awareness,"The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness." -nist_800_53_v4,nist_800_53_v4:si-4(18),SI-4 (18),Enhancement,2,,Analyze Traffic / Covert Exfiltration,"The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information." -nist_800_53_v4,nist_800_53_v4:si-4(19),SI-4 (19),Enhancement,2,,Individuals Posing Greater Risk,The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. -nist_800_53_v4,nist_800_53_v4:si-4(2),SI-4 (2),Enhancement,2,,Automated Tools For Real-Time Analysis,The organization employs automated tools to support near real-time analysis of events. -nist_800_53_v4,nist_800_53_v4:si-4(20),SI-4 (20),Enhancement,2,,Privileged Users,The organization implements [Assignment: organization-defined additional monitoring] of privileged users. -nist_800_53_v4,nist_800_53_v4:si-4(21),SI-4 (21),Enhancement,2,,Probationary Periods,The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]. -nist_800_53_v4,nist_800_53_v4:si-4(22),SI-4 (22),Enhancement,2,,Unauthorized Network Services,The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. 
-nist_800_53_v4,nist_800_53_v4:si-4(23),SI-4 (23),Enhancement,2,,Host-Based Devices,The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. -nist_800_53_v4,nist_800_53_v4:si-4(24),SI-4 (24),Enhancement,2,,Indicators Of Compromise,"The information system discovers, collects, distributes, and uses indicators of compromise." -nist_800_53_v4,nist_800_53_v4:si-4(3),SI-4 (3),Enhancement,2,,Automated Tool Integration,The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. -nist_800_53_v4,nist_800_53_v4:si-4(4),SI-4 (4),Enhancement,2,,Inbound And Outbound Communications Traffic,The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. -nist_800_53_v4,nist_800_53_v4:si-4(5),SI-4 (5),Enhancement,2,,System-Generated Alerts,The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. -nist_800_53_v4,nist_800_53_v4:si-4(7),SI-4 (7),Enhancement,2,,Automated Response To Suspicious Events,The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. -nist_800_53_v4,nist_800_53_v4:si-4(9),SI-4 (9),Enhancement,2,,Testing Of Monitoring Tools,The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]. 
-nist_800_53_v4,nist_800_53_v4:si-4a.,SI-4a.,Statement,2,,,"The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections;" -nist_800_53_v4,nist_800_53_v4:si-4b.,SI-4b.,Statement,2,,,The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; -nist_800_53_v4,nist_800_53_v4:si-4c.,SI-4c.,Statement,2,,,The organization: Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; -nist_800_53_v4,nist_800_53_v4:si-4d.,SI-4d.,Statement,2,,,"The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" -nist_800_53_v4,nist_800_53_v4:si-4e.,SI-4e.,Statement,2,,,"The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;" -nist_800_53_v4,nist_800_53_v4:si-4f.,SI-4f.,Statement,2,,,"The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and" -nist_800_53_v4,nist_800_53_v4:si-4g.,SI-4g.,Statement,2,,,The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. 
-nist_800_53_v4,nist_800_53_v4:si-5,SI-5,Control,1,,"Security Alerts, Advisories, and Directives", -nist_800_53_v4,nist_800_53_v4:si-5(1),SI-5 (1),Enhancement,2,,Automated Alerts And Advisories,The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. -nist_800_53_v4,nist_800_53_v4:si-5a.,SI-5a.,Statement,2,,,"The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;" -nist_800_53_v4,nist_800_53_v4:si-5b.,SI-5b.,Statement,2,,,"The organization: Generates internal security alerts, advisories, and directives as deemed necessary;" -nist_800_53_v4,nist_800_53_v4:si-5c.,SI-5c.,Statement,2,,,"The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and" -nist_800_53_v4,nist_800_53_v4:si-5d.,SI-5d.,Statement,2,,,"The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance." -nist_800_53_v4,nist_800_53_v4:si-6,SI-6,Control,1,,Security Function Verification, -nist_800_53_v4,nist_800_53_v4:si-6(2),SI-6 (2),Enhancement,2,,Automation Support For Distributed Testing,The information system implements automated mechanisms to support the management of distributed security testing. -nist_800_53_v4,nist_800_53_v4:si-6(3),SI-6 (3),Enhancement,2,,Report Verification Results,The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]. 
-nist_800_53_v4,nist_800_53_v4:si-6a.,SI-6a.,Statement,2,,,The information system: Verifies the correct operation of [Assignment: organization-defined security functions]; -nist_800_53_v4,nist_800_53_v4:si-6b.,SI-6b.,Statement,2,,,The information system: Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; -nist_800_53_v4,nist_800_53_v4:si-6c.,SI-6c.,Statement,2,,,The information system: Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and -nist_800_53_v4,nist_800_53_v4:si-6d.,SI-6d.,Statement,2,,,The information system: [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. -nist_800_53_v4,nist_800_53_v4:si-7,SI-7,Control,1,,"Software, Firmware, and Information Integrity", -nist_800_53_v4,nist_800_53_v4:si-7(1),SI-7 (1),Enhancement,2,,Integrity Checks,"The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." -nist_800_53_v4,nist_800_53_v4:si-7(10),SI-7 (10),Enhancement,2,,Protection Of Boot Firmware,The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]. -nist_800_53_v4,nist_800_53_v4:si-7(11),SI-7 (11),Enhancement,2,,Confined Environments With Limited Privileges,The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges. 
-nist_800_53_v4,nist_800_53_v4:si-7(12),SI-7 (12),Enhancement,2,,Integrity Verification,The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution. -nist_800_53_v4,nist_800_53_v4:si-7(13),SI-7 (13),Enhancement,2,,Code Execution In Protected Environments,The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]. -nist_800_53_v4,nist_800_53_v4:si-7(14),SI-7 (14),Enhancement,2,,Binary Or Machine Executable Code,The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. -nist_800_53_v4,nist_800_53_v4:si-7(15),SI-7 (15),Enhancement,2,,Code Authentication,The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation. -nist_800_53_v4,nist_800_53_v4:si-7(16),SI-7 (16),Enhancement,2,,Time Limit On Process Execution W/O Supervision,The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]. -nist_800_53_v4,nist_800_53_v4:si-7(2),SI-7 (2),Enhancement,2,,Automated Notifications Of Integrity Violations,The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. 
-nist_800_53_v4,nist_800_53_v4:si-7(3),SI-7 (3),Enhancement,2,,Centrally-Managed Integrity Tools,The organization employs centrally managed integrity verification tools. -nist_800_53_v4,nist_800_53_v4:si-7(5),SI-7 (5),Enhancement,2,,Automated Response To Integrity Violations,The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered. -nist_800_53_v4,nist_800_53_v4:si-7(6),SI-7 (6),Enhancement,2,,Cryptographic Protection,"The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information." -nist_800_53_v4,nist_800_53_v4:si-7(7),SI-7 (7),Enhancement,2,,Integration Of Detection And Response,The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. -nist_800_53_v4,nist_800_53_v4:si-7(8),SI-7 (8),Enhancement,2,,Auditing Capability For Significant Events,"The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." -nist_800_53_v4,nist_800_53_v4:si-7(9),SI-7 (9),Enhancement,2,,Verify Boot Process,The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]. -nist_800_53_v4,nist_800_53_v4:si-8,SI-8,Control,1,,Spam Protection, -nist_800_53_v4,nist_800_53_v4:si-8(1),SI-8 (1),Enhancement,2,,Central Management,The organization centrally manages spam protection mechanisms. 
-nist_800_53_v4,nist_800_53_v4:si-8(2),SI-8 (2),Enhancement,2,,Automatic Updates,The information system automatically updates spam protection mechanisms. -nist_800_53_v4,nist_800_53_v4:si-8(3),SI-8 (3),Enhancement,2,,Continuous Learning Capability,The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. -nist_800_53_v4,nist_800_53_v4:si-8a.,SI-8a.,Statement,2,,,The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and -nist_800_53_v4,nist_800_53_v4:si-8b.,SI-8b.,Statement,2,,,The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. -nist_800_53_v4,nist_800_53_v4:si-9,SI-9,Control,1,,Information Input Restrictions, +nist_800_53_v4,nist_800_53_v4:si-1,SI-1,Control,1,1,System and Information Integrity Policy and Procedures, +nist_800_53_v4,nist_800_53_v4:si-10,SI-10,Control,1,10,Information Input Validation, +nist_800_53_v4,nist_800_53_v4:si-10(1),SI-10 (1),Enhancement,2,1,Manual Override Capability,The information system: Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and Audits the use of the manual override capability. +nist_800_53_v4,nist_800_53_v4:si-10(2),SI-10 (2),Enhancement,2,2,Review / Resolution Of Errors,The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:si-10(3),SI-10 (3),Enhancement,2,3,Predictable Behavior,The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. 
+nist_800_53_v4,nist_800_53_v4:si-10(4),SI-10 (4),Enhancement,2,4,Review / Timing Interactions,The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. +nist_800_53_v4,nist_800_53_v4:si-10(5),SI-10 (5),Enhancement,2,5,Restrict Inputs To Trusted Sources And Approved Formats,The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. +nist_800_53_v4,nist_800_53_v4:si-11,SI-11,Control,1,11,Error Handling, +nist_800_53_v4,nist_800_53_v4:si-11a.,SI-11a.,Statement,2,1,,The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and +nist_800_53_v4,nist_800_53_v4:si-11b.,SI-11b.,Statement,2,2,,The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:si-12,SI-12,Control,1,12,Information Handling and Retention, +nist_800_53_v4,nist_800_53_v4:si-13,SI-13,Control,1,13,Predictable Failure Prevention, +nist_800_53_v4,nist_800_53_v4:si-13(1),SI-13 (1),Enhancement,2,1,Transferring Component Responsibilities,The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. +nist_800_53_v4,nist_800_53_v4:si-13(3),SI-13 (3),Enhancement,2,3,Manual Transfer Between Components,The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]. 
+nist_800_53_v4,nist_800_53_v4:si-13(4),SI-13 (4),Enhancement,2,4,Standby Component Installation / Notification,"The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]." +nist_800_53_v4,nist_800_53_v4:si-13(5),SI-13 (5),Enhancement,2,5,Failover Capability,The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system. +nist_800_53_v4,nist_800_53_v4:si-13a.,SI-13a.,Statement,2,1,,The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and +nist_800_53_v4,nist_800_53_v4:si-13b.,SI-13b.,Statement,2,2,,The organization: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]. +nist_800_53_v4,nist_800_53_v4:si-14,SI-14,Control,1,14,Non-Persistence, +nist_800_53_v4,nist_800_53_v4:si-14(1),SI-14 (1),Enhancement,2,1,Refresh From Trusted Sources,The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]. 
+nist_800_53_v4,nist_800_53_v4:si-15,SI-15,Control,1,15,Information Output Filtering, +nist_800_53_v4,nist_800_53_v4:si-16,SI-16,Control,1,16,Memory Protection, +nist_800_53_v4,nist_800_53_v4:si-17,SI-17,Control,1,17,Fail-Safe Procedures, +nist_800_53_v4,nist_800_53_v4:si-1a.,SI-1a.,Statement,2,1,,"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and" +nist_800_53_v4,nist_800_53_v4:si-1b.,SI-1b.,Statement,2,2,,The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and System and information integrity procedures [Assignment: organization-defined frequency]. +nist_800_53_v4,nist_800_53_v4:si-2,SI-2,Control,1,2,Flaw Remediation, +nist_800_53_v4,nist_800_53_v4:si-2(1),SI-2 (1),Enhancement,2,1,Central Management,The organization centrally manages the flaw remediation process. +nist_800_53_v4,nist_800_53_v4:si-2(2),SI-2 (2),Enhancement,2,2,Automated Flaw Remediation Status,The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. +nist_800_53_v4,nist_800_53_v4:si-2(3),SI-2 (3),Enhancement,2,3,Time To Remediate Flaws / Benchmarks For Corrective Actions,The organization: Measures the time between flaw identification and flaw remediation; and Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. 
+nist_800_53_v4,nist_800_53_v4:si-2(5),SI-2 (5),Enhancement,2,5,Automatic Software / Firmware Updates,The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. +nist_800_53_v4,nist_800_53_v4:si-2(6),SI-2 (6),Enhancement,2,6,Removal Of Previous Versions Of Software / Firmware,The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. +nist_800_53_v4,nist_800_53_v4:si-2a.,SI-2a.,Statement,2,1,,"The organization: Identifies, reports, and corrects information system flaws;" +nist_800_53_v4,nist_800_53_v4:si-2b.,SI-2b.,Statement,2,2,,The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; +nist_800_53_v4,nist_800_53_v4:si-2c.,SI-2c.,Statement,2,3,,The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and +nist_800_53_v4,nist_800_53_v4:si-2d.,SI-2d.,Statement,2,4,,The organization: Incorporates flaw remediation into the organizational configuration management process. +nist_800_53_v4,nist_800_53_v4:si-3,SI-3,Control,1,3,Malicious Code Protection, +nist_800_53_v4,nist_800_53_v4:si-3(1),SI-3 (1),Enhancement,2,1,Central Management,The organization centrally manages malicious code protection mechanisms. +nist_800_53_v4,nist_800_53_v4:si-3(10),SI-3 (10),Enhancement,2,10,Malicious Code Analysis,The organization: Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes. 
+nist_800_53_v4,nist_800_53_v4:si-3(2),SI-3 (2),Enhancement,2,2,Automatic Updates,The information system automatically updates malicious code protection mechanisms. +nist_800_53_v4,nist_800_53_v4:si-3(4),SI-3 (4),Enhancement,2,4,Updates Only By Privileged Users,The information system updates malicious code protection mechanisms only when directed by a privileged user. +nist_800_53_v4,nist_800_53_v4:si-3(6),SI-3 (6),Enhancement,2,6,Testing / Verification,"The organization: Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and Verifies that both detection of the test case and associated incident reporting occur." +nist_800_53_v4,nist_800_53_v4:si-3(7),SI-3 (7),Enhancement,2,7,Nonsignature-Based Detection,The information system implements nonsignature-based malicious code detection mechanisms. +nist_800_53_v4,nist_800_53_v4:si-3(8),SI-3 (8),Enhancement,2,8,Detect Unauthorized Commands,The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command]. +nist_800_53_v4,nist_800_53_v4:si-3(9),SI-3 (9),Enhancement,2,9,Authenticate Remote Commands,The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. 
+nist_800_53_v4,nist_800_53_v4:si-3a.,SI-3a.,Statement,2,1,,The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; +nist_800_53_v4,nist_800_53_v4:si-3b.,SI-3b.,Statement,2,2,,The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; +nist_800_53_v4,nist_800_53_v4:si-3c.,SI-3c.,Statement,2,3,,"The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and" +nist_800_53_v4,nist_800_53_v4:si-3d.,SI-3d.,Statement,2,4,,The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. +nist_800_53_v4,nist_800_53_v4:si-4,SI-4,Control,1,4,Information System Monitoring, +nist_800_53_v4,nist_800_53_v4:si-4(1),SI-4 (1),Enhancement,2,1,System-Wide Intrusion Detection System,The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. +nist_800_53_v4,nist_800_53_v4:si-4(10),SI-4 (10),Enhancement,2,10,Visibility Of Encrypted Communications,The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. 
+nist_800_53_v4,nist_800_53_v4:si-4(11),SI-4 (11),Enhancement,2,11,Analyze Communications Traffic Anomalies,"The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies." +nist_800_53_v4,nist_800_53_v4:si-4(12),SI-4 (12),Enhancement,2,12,Automated Alerts,The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. +nist_800_53_v4,nist_800_53_v4:si-4(13),SI-4 (13),Enhancement,2,13,Analyze Traffic / Event Patterns,The organization: Analyzes communications traffic/event patterns for the information system; Develops profiles representing common traffic patterns and/or events; and Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. +nist_800_53_v4,nist_800_53_v4:si-4(14),SI-4 (14),Enhancement,2,14,Wireless Intrusion Detection,The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. +nist_800_53_v4,nist_800_53_v4:si-4(15),SI-4 (15),Enhancement,2,15,Wireless To Wireline Communications,The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. +nist_800_53_v4,nist_800_53_v4:si-4(16),SI-4 (16),Enhancement,2,16,Correlate Monitoring Information,The organization correlates information from monitoring tools employed throughout the information system. 
+nist_800_53_v4,nist_800_53_v4:si-4(17),SI-4 (17),Enhancement,2,17,Integrated Situational Awareness,"The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness." +nist_800_53_v4,nist_800_53_v4:si-4(18),SI-4 (18),Enhancement,2,18,Analyze Traffic / Covert Exfiltration,"The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information." +nist_800_53_v4,nist_800_53_v4:si-4(19),SI-4 (19),Enhancement,2,19,Individuals Posing Greater Risk,The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. +nist_800_53_v4,nist_800_53_v4:si-4(2),SI-4 (2),Enhancement,2,2,Automated Tools For Real-Time Analysis,The organization employs automated tools to support near real-time analysis of events. +nist_800_53_v4,nist_800_53_v4:si-4(20),SI-4 (20),Enhancement,2,20,Privileged Users,The organization implements [Assignment: organization-defined additional monitoring] of privileged users. +nist_800_53_v4,nist_800_53_v4:si-4(21),SI-4 (21),Enhancement,2,21,Probationary Periods,The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]. +nist_800_53_v4,nist_800_53_v4:si-4(22),SI-4 (22),Enhancement,2,22,Unauthorized Network Services,The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. 
+nist_800_53_v4,nist_800_53_v4:si-4(23),SI-4 (23),Enhancement,2,23,Host-Based Devices,The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. +nist_800_53_v4,nist_800_53_v4:si-4(24),SI-4 (24),Enhancement,2,24,Indicators Of Compromise,"The information system discovers, collects, distributes, and uses indicators of compromise." +nist_800_53_v4,nist_800_53_v4:si-4(3),SI-4 (3),Enhancement,2,3,Automated Tool Integration,The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. +nist_800_53_v4,nist_800_53_v4:si-4(4),SI-4 (4),Enhancement,2,4,Inbound And Outbound Communications Traffic,The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. +nist_800_53_v4,nist_800_53_v4:si-4(5),SI-4 (5),Enhancement,2,5,System-Generated Alerts,The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. +nist_800_53_v4,nist_800_53_v4:si-4(7),SI-4 (7),Enhancement,2,7,Automated Response To Suspicious Events,The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. +nist_800_53_v4,nist_800_53_v4:si-4(9),SI-4 (9),Enhancement,2,9,Testing Of Monitoring Tools,The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]. 
+nist_800_53_v4,nist_800_53_v4:si-4a.,SI-4a.,Statement,2,1,,"The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections;" +nist_800_53_v4,nist_800_53_v4:si-4b.,SI-4b.,Statement,2,2,,The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; +nist_800_53_v4,nist_800_53_v4:si-4c.,SI-4c.,Statement,2,3,,The organization: Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; +nist_800_53_v4,nist_800_53_v4:si-4d.,SI-4d.,Statement,2,4,,"The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" +nist_800_53_v4,nist_800_53_v4:si-4e.,SI-4e.,Statement,2,5,,"The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;" +nist_800_53_v4,nist_800_53_v4:si-4f.,SI-4f.,Statement,2,6,,"The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and" +nist_800_53_v4,nist_800_53_v4:si-4g.,SI-4g.,Statement,2,7,,The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. 
+nist_800_53_v4,nist_800_53_v4:si-5,SI-5,Control,1,5,"Security Alerts, Advisories, and Directives", +nist_800_53_v4,nist_800_53_v4:si-5(1),SI-5 (1),Enhancement,2,1,Automated Alerts And Advisories,The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. +nist_800_53_v4,nist_800_53_v4:si-5a.,SI-5a.,Statement,2,1,,"The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;" +nist_800_53_v4,nist_800_53_v4:si-5b.,SI-5b.,Statement,2,2,,"The organization: Generates internal security alerts, advisories, and directives as deemed necessary;" +nist_800_53_v4,nist_800_53_v4:si-5c.,SI-5c.,Statement,2,3,,"The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and" +nist_800_53_v4,nist_800_53_v4:si-5d.,SI-5d.,Statement,2,4,,"The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance." +nist_800_53_v4,nist_800_53_v4:si-6,SI-6,Control,1,6,Security Function Verification, +nist_800_53_v4,nist_800_53_v4:si-6(2),SI-6 (2),Enhancement,2,2,Automation Support For Distributed Testing,The information system implements automated mechanisms to support the management of distributed security testing. +nist_800_53_v4,nist_800_53_v4:si-6(3),SI-6 (3),Enhancement,2,3,Report Verification Results,The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]. 
+nist_800_53_v4,nist_800_53_v4:si-6a.,SI-6a.,Statement,2,1,,The information system: Verifies the correct operation of [Assignment: organization-defined security functions]; +nist_800_53_v4,nist_800_53_v4:si-6b.,SI-6b.,Statement,2,2,,The information system: Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; +nist_800_53_v4,nist_800_53_v4:si-6c.,SI-6c.,Statement,2,3,,The information system: Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and +nist_800_53_v4,nist_800_53_v4:si-6d.,SI-6d.,Statement,2,4,,The information system: [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. +nist_800_53_v4,nist_800_53_v4:si-7,SI-7,Control,1,7,"Software, Firmware, and Information Integrity", +nist_800_53_v4,nist_800_53_v4:si-7(1),SI-7 (1),Enhancement,2,1,Integrity Checks,"The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." +nist_800_53_v4,nist_800_53_v4:si-7(10),SI-7 (10),Enhancement,2,10,Protection Of Boot Firmware,The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]. +nist_800_53_v4,nist_800_53_v4:si-7(11),SI-7 (11),Enhancement,2,11,Confined Environments With Limited Privileges,The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges. 
+nist_800_53_v4,nist_800_53_v4:si-7(12),SI-7 (12),Enhancement,2,12,Integrity Verification,The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution. +nist_800_53_v4,nist_800_53_v4:si-7(13),SI-7 (13),Enhancement,2,13,Code Execution In Protected Environments,The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]. +nist_800_53_v4,nist_800_53_v4:si-7(14),SI-7 (14),Enhancement,2,14,Binary Or Machine Executable Code,The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. +nist_800_53_v4,nist_800_53_v4:si-7(15),SI-7 (15),Enhancement,2,15,Code Authentication,The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation. +nist_800_53_v4,nist_800_53_v4:si-7(16),SI-7 (16),Enhancement,2,16,Time Limit On Process Execution W/O Supervision,The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]. +nist_800_53_v4,nist_800_53_v4:si-7(2),SI-7 (2),Enhancement,2,2,Automated Notifications Of Integrity Violations,The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. 
+nist_800_53_v4,nist_800_53_v4:si-7(3),SI-7 (3),Enhancement,2,3,Centrally-Managed Integrity Tools,The organization employs centrally managed integrity verification tools. +nist_800_53_v4,nist_800_53_v4:si-7(5),SI-7 (5),Enhancement,2,5,Automated Response To Integrity Violations,The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered. +nist_800_53_v4,nist_800_53_v4:si-7(6),SI-7 (6),Enhancement,2,6,Cryptographic Protection,"The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information." +nist_800_53_v4,nist_800_53_v4:si-7(7),SI-7 (7),Enhancement,2,7,Integration Of Detection And Response,The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. +nist_800_53_v4,nist_800_53_v4:si-7(8),SI-7 (8),Enhancement,2,8,Auditing Capability For Significant Events,"The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." +nist_800_53_v4,nist_800_53_v4:si-7(9),SI-7 (9),Enhancement,2,9,Verify Boot Process,The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]. +nist_800_53_v4,nist_800_53_v4:si-8,SI-8,Control,1,8,Spam Protection, +nist_800_53_v4,nist_800_53_v4:si-8(1),SI-8 (1),Enhancement,2,1,Central Management,The organization centrally manages spam protection mechanisms. 
+nist_800_53_v4,nist_800_53_v4:si-8(2),SI-8 (2),Enhancement,2,2,Automatic Updates,The information system automatically updates spam protection mechanisms. +nist_800_53_v4,nist_800_53_v4:si-8(3),SI-8 (3),Enhancement,2,3,Continuous Learning Capability,The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. +nist_800_53_v4,nist_800_53_v4:si-8a.,SI-8a.,Statement,2,1,,The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and +nist_800_53_v4,nist_800_53_v4:si-8b.,SI-8b.,Statement,2,2,,The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. +nist_800_53_v4,nist_800_53_v4:si-9,SI-9,Control,1,9,Information Input Restrictions, nist_csf_v1.1,nist_csf_v1.1:de,DE,Function,0,3,Detect,Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. nist_csf_v1.1,nist_csf_v1.1:de.ae,DE.AE,Category,1,13,Anomalies and Events ,Anomalous activity is detected and the potential impact of events is understood. nist_csf_v1.1,nist_csf_v1.1:de.ae-1,DE.AE-1,Subcategory,2,69,,A baseline of network operations and expected data flows for users and systems is established and managed 
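Review bot: the SI-7 and SI-8 rows in this hunk are ordered by string comparison of the ID rather than by the numeric sort column, so `si-7(1)` is followed by `si-7(10)` through `si-7(16)` and only then by `si-7(2)`, `si-7(3)`, `si-7(5)`, and `si-8(1)`..`si-8(3)` come before `si-8a.`/`si-8b.` even though their sort values (1..3 vs 1..2) say otherwise. If the CSV is generated, sort on the numeric column (or a natural-sort key on the ID) before writing, so the file reads in the order the standard lists enhancements and future diffs stay minimal. Two gaps also deserve a README note under Control Format: the SI-7 sequence skips (4), and `SI-9 Information Input Restrictions` is added as a live Control with an empty description. Both are withdrawn in Rev 4 as far as I can tell (SI-9 was folded into AC-2/AC-3/AC-5/AC-6), so please check and pick one convention, either omit withdrawn items consistently or keep them with a "Withdrawn" marker in the description, rather than omitting one and listing the other.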
@@ -1759,289 +1759,4838 @@ asvs_v4.0.1,asvs_v4.0.1:v11,V11,Section,0,11,BusLogic,Business Logic Verificatio asvs_v4.0.1,asvs_v4.0.1:v12,V12,Section,0,12,Files,File and Resources Verification Requirements asvs_v4.0.1,asvs_v4.0.1:v13,V13,Section,0,13,API,API and Web Service Verification Requirements asvs_v4.0.1,asvs_v4.0.1:v14,V14,Section,0,14,Config,Configuration Verification Requirements -asvs_v4.0.1,asvs_v4.0.1:1.1.1,1.1.1,Item,1,,,Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.1.2,1.1.2,Item,1,,,"Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing." -asvs_v4.0.1,asvs_v4.0.1:1.1.3,1.1.3,Item,1,,,"Verify that all user stories and features contain functional security constraints, such as ""As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile""" -asvs_v4.0.1,asvs_v4.0.1:1.1.4,1.1.4,Item,1,,,"Verify documentation and justification of all the application's trust boundaries, components, and significant data flows." -asvs_v4.0.1,asvs_v4.0.1:1.1.5,1.1.5,Item,1,,,Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.1.6,1.1.6,Item,1,,,"Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. 
([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.1.7,1.1.7,Item,1,,,"Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers." -asvs_v4.0.1,asvs_v4.0.1:1.10.1,1.10.1,Item,1,,,"Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes." -asvs_v4.0.1,asvs_v4.0.1:1.11.1,1.11.1,Item,1,,,Verify the definition and documentation of all application components in terms of the business or security functions they provide. -asvs_v4.0.1,asvs_v4.0.1:1.11.2,1.11.2,Item,1,,,"Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state." -asvs_v4.0.1,asvs_v4.0.1:1.11.3,1.11.3,Item,1,,,"Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions." -asvs_v4.0.1,asvs_v4.0.1:1.12.1,1.12.1,Item,1,,,Verify that user-uploaded files are stored outside of the web root. -asvs_v4.0.1,asvs_v4.0.1:1.12.2,1.12.2,Item,1,,,"Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file." -asvs_v4.0.1,asvs_v4.0.1:1.14.1,1.14.1,Item,1,,,"Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms." 
-asvs_v4.0.1,asvs_v4.0.1:1.14.2,1.14.2,Item,1,,,"Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints." -asvs_v4.0.1,asvs_v4.0.1:1.14.3,1.14.3,Item,1,,,Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions. -asvs_v4.0.1,asvs_v4.0.1:1.14.4,1.14.4,Item,1,,,"Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts." -asvs_v4.0.1,asvs_v4.0.1:1.14.5,1.14.5,Item,1,,,"Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.14.6,1.14.6,Item,1,,,"Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets." -asvs_v4.0.1,asvs_v4.0.1:1.2.1,1.2.1,Item,1,,,"Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.2.2,1.2.2,Item,1,,,"Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. 
([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.2.3,1.2.3,Item,1,,,"Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches." -asvs_v4.0.1,asvs_v4.0.1:1.2.4,1.2.4,Item,1,,,"Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application." -asvs_v4.0.1,asvs_v4.0.1:1.4.1,1.4.1,Item,1,,,"Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client." -asvs_v4.0.1,asvs_v4.0.1:1.4.2,1.4.2,Item,1,,,Verify that the chosen access control solution is flexible enough to meet the application's needs. -asvs_v4.0.1,asvs_v4.0.1:1.4.3,1.4.3,Item,1,,,"Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege." -asvs_v4.0.1,asvs_v4.0.1:1.4.4,1.4.4,Item,1,,,Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.4.5,1.4.5,Item,1,,,Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. 
([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.5.1,1.5.1,Item,1,,,"Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance." -asvs_v4.0.1,asvs_v4.0.1:1.5.2,1.5.2,Item,1,,,"Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection." -asvs_v4.0.1,asvs_v4.0.1:1.5.3,1.5.3,Item,1,,,Verify that input validation is enforced on a trusted service layer. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.5.4,1.5.4,Item,1,,,Verify that output encoding occurs close to or by the interpreter for which it is intended. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.6.1,1.6.1,Item,1,,,Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. -asvs_v4.0.1,asvs_v4.0.1:1.6.2,1.6.2,Item,1,,,Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives. -asvs_v4.0.1,asvs_v4.0.1:1.6.3,1.6.3,Item,1,,,Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data. -asvs_v4.0.1,asvs_v4.0.1:1.6.4,1.6.4,Item,1,,,"Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such." 
-asvs_v4.0.1,asvs_v4.0.1:1.7.1,1.7.1,Item,1,,,Verify that a common logging format and approach is used across the system. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:1.7.2,1.7.2,Item,1,,,"Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.8.1,1.8.1,Item,1,,,Verify that all sensitive data is identified and classified into protection levels. -asvs_v4.0.1,asvs_v4.0.1:1.8.2,1.8.2,Item,1,,,"Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture." -asvs_v4.0.1,asvs_v4.0.1:1.9.1,1.9.1,Item,1,,,"Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:1.9.2,1.9.2,Item,1,,,"Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains." -asvs_v4.0.1,asvs_v4.0.1:2.1.1,2.1.1,Item,1,,,Verify that user set passwords are at least 12 characters in length. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.1.10,2.1.10,Item,1,,,Verify that there are no periodic credential rotation or password history requirements. -asvs_v4.0.1,asvs_v4.0.1:2.1.11,2.1.11,Item,1,,,"Verify that ""paste"" functionality, browser password helpers, and external password managers are permitted." 
-asvs_v4.0.1,asvs_v4.0.1:2.1.12,2.1.12,Item,1,,,"Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality." -asvs_v4.0.1,asvs_v4.0.1:2.1.2,2.1.2,Item,1,,,Verify that passwords 64 characters or longer are permitted. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.1.3,2.1.3,Item,1,,,Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.1.4,2.1.4,Item,1,,,"Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted." -asvs_v4.0.1,asvs_v4.0.1:2.1.5,2.1.5,Item,1,,,Verify users can change their password. -asvs_v4.0.1,asvs_v4.0.1:2.1.6,2.1.6,Item,1,,,Verify that password change functionality requires the user's current and new password. -asvs_v4.0.1,asvs_v4.0.1:2.1.7,2.1.7,Item,1,,,"Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.1.8,2.1.8,Item,1,,,Verify that a password strength meter is provided to help users set a stronger password. 
-asvs_v4.0.1,asvs_v4.0.1:2.1.9,2.1.9,Item,1,,,Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.10.1,2.10.1,Item,1,,,"Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts." -asvs_v4.0.1,asvs_v4.0.1:2.10.2,2.10.2,Item,1,,,"Verify that if passwords are required, the credentials are not a default account." -asvs_v4.0.1,asvs_v4.0.1:2.10.3,2.10.3,Item,1,,,"Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access." -asvs_v4.0.1,asvs_v4.0.1:2.10.4,2.10.4,Item,1,,,"Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage." -asvs_v4.0.1,asvs_v4.0.1:2.2.1,2.2.1,Item,1,,,"Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account." 
-asvs_v4.0.1,asvs_v4.0.1:2.2.2,2.2.2,Item,1,,,"Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise." -asvs_v4.0.1,asvs_v4.0.1:2.2.3,2.2.3,Item,1,,,"Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification." -asvs_v4.0.1,asvs_v4.0.1:2.2.4,2.2.4,Item,1,,,"Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates." -asvs_v4.0.1,asvs_v4.0.1:2.2.5,2.2.5,Item,1,,,"Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints." -asvs_v4.0.1,asvs_v4.0.1:2.2.6,2.2.6,Item,1,,,"Verify replay resistance through the mandated use of OTP devices, cryptographic authenticators, or lookup codes." -asvs_v4.0.1,asvs_v4.0.1:2.2.7,2.2.7,Item,1,,,Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key. -asvs_v4.0.1,asvs_v4.0.1:2.3.1,2.3.1,Item,1,,,"Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. 
These initial secrets must not be permitted to become the long term password." -asvs_v4.0.1,asvs_v4.0.1:2.3.2,2.3.2,Item,1,,,"Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or FIDO tokens." -asvs_v4.0.1,asvs_v4.0.1:2.3.3,2.3.3,Item,1,,,Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. -asvs_v4.0.1,asvs_v4.0.1:2.4.1,2.4.1,Item,1,,,"Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.4.2,2.4.2,Item,1,,,"Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.4.3,2.4.3,Item,1,,,"Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.4.4,2.4.4,Item,1,,,"Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.4.5,2.4.5,Item,1,,,"Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. 
Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module)." -asvs_v4.0.1,asvs_v4.0.1:2.5.1,2.5.1,Item,1,,,Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.5.2,2.5.2,Item,1,,,"Verify password hints or knowledge-based authentication (so-called ""secret questions"") are not present." -asvs_v4.0.1,asvs_v4.0.1:2.5.3,2.5.3,Item,1,,,Verify password credential recovery does not reveal the current password in any way. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:2.5.4,2.5.4,Item,1,,,"Verify shared or default accounts are not present (e.g. ""root"", ""admin"", or ""sa"")." -asvs_v4.0.1,asvs_v4.0.1:2.5.5,2.5.5,Item,1,,,"Verify that if an authentication factor is changed or replaced, that the user is notified of this event." -asvs_v4.0.1,asvs_v4.0.1:2.5.6,2.5.6,Item,1,,,"Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:2.5.7,2.5.7,Item,1,,,"Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment." -asvs_v4.0.1,asvs_v4.0.1:2.6.1,2.6.1,Item,1,,,Verify that lookup secrets can be used only once. 
-asvs_v4.0.1,asvs_v4.0.1:2.6.2,2.6.2,Item,1,,,"Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash." -asvs_v4.0.1,asvs_v4.0.1:2.6.3,2.6.3,Item,1,,,"Verify that lookup secrets are resistant to offline attacks, such as predictable values." -asvs_v4.0.1,asvs_v4.0.1:2.7.1,2.7.1,Item,1,,,"Verify that clear text out of band (NIST ""restricted"") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first." -asvs_v4.0.1,asvs_v4.0.1:2.7.2,2.7.2,Item,1,,,"Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes." -asvs_v4.0.1,asvs_v4.0.1:2.7.3,2.7.3,Item,1,,,"Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request." -asvs_v4.0.1,asvs_v4.0.1:2.7.4,2.7.4,Item,1,,,Verify that the out of band authenticator and verifier communicates over a secure independent channel. -asvs_v4.0.1,asvs_v4.0.1:2.7.5,2.7.5,Item,1,,,Verify that the out of band verifier retains only a hashed version of the authentication code. -asvs_v4.0.1,asvs_v4.0.1:2.7.6,2.7.6,Item,1,,,"Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient)." -asvs_v4.0.1,asvs_v4.0.1:2.8.1,2.8.1,Item,1,,,Verify that time-based OTPs have a defined lifetime before expiring. -asvs_v4.0.1,asvs_v4.0.1:2.8.2,2.8.2,Item,1,,,"Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage." -asvs_v4.0.1,asvs_v4.0.1:2.8.3,2.8.3,Item,1,,,"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." 
-asvs_v4.0.1,asvs_v4.0.1:2.8.4,2.8.4,Item,1,,,Verify that time-based OTP can be used only once within the validity period. -asvs_v4.0.1,asvs_v4.0.1:2.8.5,2.8.5,Item,1,,,"Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications being sent to the holder of the device." -asvs_v4.0.1,asvs_v4.0.1:2.8.6,2.8.6,Item,1,,,"Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location." -asvs_v4.0.1,asvs_v4.0.1:2.8.7,2.8.7,Item,1,,,Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know. -asvs_v4.0.1,asvs_v4.0.1:2.9.1,2.9.1,Item,1,,,"Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage." -asvs_v4.0.1,asvs_v4.0.1:2.9.2,2.9.2,Item,1,,,"Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device." -asvs_v4.0.1,asvs_v4.0.1:2.9.3,2.9.3,Item,1,,,"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." -asvs_v4.0.1,asvs_v4.0.1:3.1.1,3.1.1,Item,1,,,Verify the application never reveals session tokens in URL parameters or error messages. -asvs_v4.0.1,asvs_v4.0.1:3.2.1,3.2.1,Item,1,,,Verify the application generates a new session token on user authentication. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.2.2,3.2.2,Item,1,,,Verify that session tokens possess at least 64 bits of entropy. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.2.3,3.2.3,Item,1,,,Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage. -asvs_v4.0.1,asvs_v4.0.1:3.2.4,3.2.4,Item,1,,,Verify that session token are generated using approved cryptographic algorithms. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.3.1,3.3.1,Item,1,,,"Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:3.3.2,3.3.2,Item,1,,,"If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:3.3.3,3.3.3,Item,1,,,"Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties." -asvs_v4.0.1,asvs_v4.0.1:3.3.4,3.3.4,Item,1,,,Verify that users are able to view and log out of any or all currently active sessions and devices. -asvs_v4.0.1,asvs_v4.0.1:3.4.1,3.4.1,Item,1,,,Verify that cookie-based session tokens have the 'Secure' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.4.2,3.4.2,Item,1,,,Verify that cookie-based session tokens have the 'HttpOnly' attribute set. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.4.3,3.4.3,Item,1,,,Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:3.4.4,3.4.4,Item,1,,,"Verify that cookie-based session tokens use ""__Host-"" prefix (see references) to provide session cookie confidentiality." -asvs_v4.0.1,asvs_v4.0.1:3.4.5,3.4.5,Item,1,,,"Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:3.5.1,3.5.1,Item,1,,,Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications. -asvs_v4.0.1,asvs_v4.0.1:3.5.2,3.5.2,Item,1,,,"Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations." -asvs_v4.0.1,asvs_v4.0.1:3.5.3,3.5.3,Item,1,,,"Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks." -asvs_v4.0.1,asvs_v4.0.1:3.6.1,3.6.1,Item,1,,,Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven't used a session within that period. -asvs_v4.0.1,asvs_v4.0.1:3.6.2,3.6.2,Item,1,,,"Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user." 
-asvs_v4.0.1,asvs_v4.0.1:3.7.1,3.7.1,Item,1,,,Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications. -asvs_v4.0.1,asvs_v4.0.1:4.1.1,4.1.1,Item,1,,,"Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed." -asvs_v4.0.1,asvs_v4.0.1:4.1.2,4.1.2,Item,1,,,Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. -asvs_v4.0.1,asvs_v4.0.1:4.1.3,4.1.3,Item,1,,,"Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:4.1.4,4.1.4,Item,1,,,Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:4.1.5,4.1.5,Item,1,,,Verify that access controls fail securely including when an exception occurs. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:4.2.1,4.2.1,Item,1,,,"Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records." 
-asvs_v4.0.1,asvs_v4.0.1:4.2.2,4.2.2,Item,1,,,"Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality." -asvs_v4.0.1,asvs_v4.0.1:4.3.1,4.3.1,Item,1,,,Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. -asvs_v4.0.1,asvs_v4.0.1:4.3.2,4.3.2,Item,1,,,"Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders." -asvs_v4.0.1,asvs_v4.0.1:4.3.3,4.3.3,Item,1,,,"Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud." -asvs_v4.0.1,asvs_v4.0.1:5.1.1,5.1.1,Item,1,,,"Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables)." -asvs_v4.0.1,asvs_v4.0.1:5.1.2,5.1.2,Item,1,,,"Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.1.3,5.1.3,Item,1,,,"Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.1.4,5.1.4,Item,1,,,"Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.1.5,5.1.5,Item,1,,,"Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content." -asvs_v4.0.1,asvs_v4.0.1:5.2.1,5.2.1,Item,1,,,Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:5.2.2,5.2.2,Item,1,,,Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. -asvs_v4.0.1,asvs_v4.0.1:5.2.3,5.2.3,Item,1,,,Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection. -asvs_v4.0.1,asvs_v4.0.1:5.2.4,5.2.4,Item,1,,,"Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed." -asvs_v4.0.1,asvs_v4.0.1:5.2.5,5.2.5,Item,1,,,Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed. 
-asvs_v4.0.1,asvs_v4.0.1:5.2.6,5.2.6,Item,1,,,"Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports." -asvs_v4.0.1,asvs_v4.0.1:5.2.7,5.2.7,Item,1,,,"Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject." -asvs_v4.0.1,asvs_v4.0.1:5.2.8,5.2.8,Item,1,,,"Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar." -asvs_v4.0.1,asvs_v4.0.1:5.3.1,5.3.1,Item,1,,,"Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.10,5.3.10,Item,1,,,Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:5.3.2,5.3.2,Item,1,,,"Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.3,5.3.3,Item,1,,,"Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.4,5.3.4,Item,1,,,"Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.5,5.3.5,Item,1,,,"Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.6,5.3.6,Item,1,,,"Verify that the application projects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.7,5.3.7,Item,1,,,"Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:5.3.8,5.3.8,Item,1,,,Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:5.3.9,5.3.9,Item,1,,,Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. 
-asvs_v4.0.1,asvs_v4.0.1:5.4.1,5.4.1,Item,1,,,"Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows." -asvs_v4.0.1,asvs_v4.0.1:5.4.2,5.4.2,Item,1,,,"Verify that format strings do not take potentially hostile input, and are constant." -asvs_v4.0.1,asvs_v4.0.1:5.4.3,5.4.3,Item,1,,,"Verify that sign, range, and input validation techniques are used to prevent integer overflows." -asvs_v4.0.1,asvs_v4.0.1:5.5.1,5.5.1,Item,1,,,Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:5.5.2,5.5.2,Item,1,,,Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE. -asvs_v4.0.1,asvs_v4.0.1:5.5.3,5.5.3,Item,1,,,"Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers)." -asvs_v4.0.1,asvs_v4.0.1:5.5.4,5.5.4,Item,1,,,"Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON." -asvs_v4.0.1,asvs_v4.0.1:6.1.1,6.1.1,Item,1,,,"Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR." -asvs_v4.0.1,asvs_v4.0.1:6.1.2,6.1.2,Item,1,,,"Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records." 
-asvs_v4.0.1,asvs_v4.0.1:6.1.3,6.1.3,Item,1,,,"Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records." -asvs_v4.0.1,asvs_v4.0.1:6.2.1,6.2.1,Item,1,,,"Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks." -asvs_v4.0.1,asvs_v4.0.1:6.2.2,6.2.2,Item,1,,,"Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:6.2.3,6.2.3,Item,1,,,"Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice." -asvs_v4.0.1,asvs_v4.0.1:6.2.4,6.2.4,Item,1,,,"Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:6.2.5,6.2.5,Item,1,,,"Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility." -asvs_v4.0.1,asvs_v4.0.1:6.2.6,6.2.6,Item,1,,,"Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used." 
-asvs_v4.0.1,asvs_v4.0.1:6.2.7,6.2.7,Item,1,,,"Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party." -asvs_v4.0.1,asvs_v4.0.1:6.2.8,6.2.8,Item,1,,,"Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information." -asvs_v4.0.1,asvs_v4.0.1:6.3.1,6.3.1,Item,1,,,"Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker." -asvs_v4.0.1,asvs_v4.0.1:6.3.2,6.3.2,Item,1,,,"Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable." -asvs_v4.0.1,asvs_v4.0.1:6.3.3,6.3.3,Item,1,,,"Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances." -asvs_v4.0.1,asvs_v4.0.1:6.4.1,6.4.1,Item,1,,,"Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:6.4.2,6.4.2,Item,1,,,Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.1.1,7.1.1,Item,1,,,"Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. 
([C9, C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:7.1.2,7.1.2,Item,1,,,Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.1.3,7.1.3,Item,1,,,"Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. ([C5, C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:7.1.4,7.1.4,Item,1,,,Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.2.1,7.2.1,Item,1,,,"Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations." -asvs_v4.0.1,asvs_v4.0.1:7.2.2,7.2.2,Item,1,,,Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations. -asvs_v4.0.1,asvs_v4.0.1:7.3.1,7.3.1,Item,1,,,Verify that the application appropriately encodes user-supplied data to prevent log injection. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.3.2,7.3.2,Item,1,,,Verify that all events are protected from injection when viewed in log viewing software. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.3.3,7.3.3,Item,1,,,Verify that security logs are protected from unauthorized access and modification. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.3.4,7.3.4,Item,1,,,Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.4.1,7.4.1,Item,1,,,"Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:7.4.2,7.4.2,Item,1,,,Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:7.4.3,7.4.3,Item,1,,,"Verify that a ""last resort"" error handler is defined which will catch all unhandled exceptions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:8.1.1,8.1.1,Item,1,,,Verify the application protects sensitive data from being cached in server components such as load balancers and application caches. -asvs_v4.0.1,asvs_v4.0.1:8.1.2,8.1.2,Item,1,,,Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. 
-asvs_v4.0.1,asvs_v4.0.1:8.1.3,8.1.3,Item,1,,,"Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values." -asvs_v4.0.1,asvs_v4.0.1:8.1.4,8.1.4,Item,1,,,"Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application." -asvs_v4.0.1,asvs_v4.0.1:8.1.5,8.1.5,Item,1,,,Verify that regular backups of important data are performed and that test restoration of data is performed. -asvs_v4.0.1,asvs_v4.0.1:8.1.6,8.1.6,Item,1,,,Verify that backups are stored securely to prevent data from being stolen or corrupted. -asvs_v4.0.1,asvs_v4.0.1:8.2.1,8.2.1,Item,1,,,Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. -asvs_v4.0.1,asvs_v4.0.1:8.2.2,8.2.2,Item,1,,,"Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII." -asvs_v4.0.1,asvs_v4.0.1:8.2.3,8.2.3,Item,1,,,"Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated." -asvs_v4.0.1,asvs_v4.0.1:8.3.1,8.3.1,Item,1,,,"Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data." -asvs_v4.0.1,asvs_v4.0.1:8.3.2,8.3.2,Item,1,,,Verify that users have a method to remove or export their data on demand. -asvs_v4.0.1,asvs_v4.0.1:8.3.3,8.3.3,Item,1,,,Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way. 
-asvs_v4.0.1,asvs_v4.0.1:8.3.4,8.3.4,Item,1,,,"Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:8.3.5,8.3.5,Item,1,,,"Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required." -asvs_v4.0.1,asvs_v4.0.1:8.3.6,8.3.6,Item,1,,,"Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data." -asvs_v4.0.1,asvs_v4.0.1:8.3.7,8.3.7,Item,1,,,"Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:8.3.8,8.3.8,Item,1,,,"Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires." -asvs_v4.0.1,asvs_v4.0.1:9.1.1,9.1.1,Item,1,,,"Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:9.1.2,9.1.2,Item,1,,,"Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred." -asvs_v4.0.1,asvs_v4.0.1:9.1.3,9.1.3,Item,1,,,"Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. 
The latest version of TLS should be the preferred cipher suite." -asvs_v4.0.1,asvs_v4.0.1:9.2.1,9.2.1,Item,1,,,"Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected." -asvs_v4.0.1,asvs_v4.0.1:9.2.2,9.2.2,Item,1,,,"Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols." -asvs_v4.0.1,asvs_v4.0.1:9.2.3,9.2.3,Item,1,,,Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. -asvs_v4.0.1,asvs_v4.0.1:9.2.4,9.2.4,Item,1,,,"Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured." -asvs_v4.0.1,asvs_v4.0.1:9.2.5,9.2.5,Item,1,,,Verify that backend TLS connection failures are logged. -asvs_v4.0.1,asvs_v4.0.1:10.1.1,10.1.1,Item,1,,,"Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections." -asvs_v4.0.1,asvs_v4.0.1:10.2.1,10.2.1,Item,1,,,"Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data." -asvs_v4.0.1,asvs_v4.0.1:10.2.2,10.2.2,Item,1,,,"Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location." 
-asvs_v4.0.1,asvs_v4.0.1:10.2.3,10.2.3,Item,1,,,"Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered." -asvs_v4.0.1,asvs_v4.0.1:10.2.4,10.2.4,Item,1,,,Verify that the application source code and third party libraries does not contain time bombs by searching for date and time related functions. -asvs_v4.0.1,asvs_v4.0.1:10.2.5,10.2.5,Item,1,,,"Verify that the application source code and third party libraries does not contain malicious code, such as salami attacks, logic bypasses, or logic bombs." -asvs_v4.0.1,asvs_v4.0.1:10.2.6,10.2.6,Item,1,,,Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality. -asvs_v4.0.1,asvs_v4.0.1:10.3.1,10.3.1,Item,1,,,"Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update." -asvs_v4.0.1,asvs_v4.0.1:10.3.2,10.3.2,Item,1,,,"Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet." 
-asvs_v4.0.1,asvs_v4.0.1:10.3.3,10.3.3,Item,1,,,"Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change." -asvs_v4.0.1,asvs_v4.0.1:11.1.1,11.1.1,Item,1,,,Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps. -asvs_v4.0.1,asvs_v4.0.1:11.1.2,11.1.2,Item,1,,,"Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly." -asvs_v4.0.1,asvs_v4.0.1:11.1.3,11.1.3,Item,1,,,Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis. -asvs_v4.0.1,asvs_v4.0.1:11.1.4,11.1.4,Item,1,,,"Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks." -asvs_v4.0.1,asvs_v4.0.1:11.1.5,11.1.5,Item,1,,,"Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies." -asvs_v4.0.1,asvs_v4.0.1:11.1.6,11.1.6,Item,1,,,"Verify the application does not suffer from ""time of check to time of use"" (TOCTOU) issues or other race conditions for sensitive operations." -asvs_v4.0.1,asvs_v4.0.1:11.1.7,11.1.7,Item,1,,,"Verify the application monitors for unusual events or activity from a business logic perspective. 
For example, attempts to perform actions out of order or actions which a normal user would never attempt. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:11.1.8,11.1.8,Item,1,,,Verify the application has configurable alerting when automated attacks or unusual activity is detected. -asvs_v4.0.1,asvs_v4.0.1:12.1.1,12.1.1,Item,1,,,Verify that the application will not accept large files that could fill up storage or cause a denial of service attack. -asvs_v4.0.1,asvs_v4.0.1:12.1.2,12.1.2,Item,1,,,"Verify that compressed files are checked for ""zip bombs"" - small input files that will decompress into huge files thus exhausting file storage limits." -asvs_v4.0.1,asvs_v4.0.1:12.1.3,12.1.3,Item,1,,,"Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files." -asvs_v4.0.1,asvs_v4.0.1:12.2.1,12.2.1,Item,1,,,Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content. -asvs_v4.0.1,asvs_v4.0.1:12.3.1,12.3.1,Item,1,,,Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal. -asvs_v4.0.1,asvs_v4.0.1:12.3.2,12.3.2,Item,1,,,"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI)." -asvs_v4.0.1,asvs_v4.0.1:12.3.3,12.3.3,Item,1,,,"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF." 
-asvs_v4.0.1,asvs_v4.0.1:12.3.4,12.3.4,Item,1,,,"Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename." -asvs_v4.0.1,asvs_v4.0.1:12.3.5,12.3.5,Item,1,,,"Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection." -asvs_v4.0.1,asvs_v4.0.1:12.3.6,12.3.6,Item,1,,,"Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs." -asvs_v4.0.1,asvs_v4.0.1:12.4.1,12.4.1,Item,1,,,"Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation." -asvs_v4.0.1,asvs_v4.0.1:12.4.2,12.4.2,Item,1,,,Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content. -asvs_v4.0.1,asvs_v4.0.1:12.5.1,12.5.1,Item,1,,,"Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required." -asvs_v4.0.1,asvs_v4.0.1:12.5.2,12.5.2,Item,1,,,Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content. -asvs_v4.0.1,asvs_v4.0.1:12.6.1,12.6.1,Item,1,,,Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from. 
-asvs_v4.0.1,asvs_v4.0.1:13.1.1,13.1.1,Item,1,,,Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks. -asvs_v4.0.1,asvs_v4.0.1:13.1.2,13.1.2,Item,1,,,Verify that access to administration and management functions is limited to authorized administrators. -asvs_v4.0.1,asvs_v4.0.1:13.1.3,13.1.3,Item,1,,,"Verify API URLs do not expose sensitive information, such as the API key, session tokens etc." -asvs_v4.0.1,asvs_v4.0.1:13.1.4,13.1.4,Item,1,,,"Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions." -asvs_v4.0.1,asvs_v4.0.1:13.1.5,13.1.5,Item,1,,,Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type). -asvs_v4.0.1,asvs_v4.0.1:13.2.1,13.2.1,Item,1,,,"Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources." -asvs_v4.0.1,asvs_v4.0.1:13.2.2,13.2.2,Item,1,,,Verify that JSON schema validation is in place and verified before accepting input. -asvs_v4.0.1,asvs_v4.0.1:13.2.3,13.2.3,Item,1,,,"Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks." -asvs_v4.0.1,asvs_v4.0.1:13.2.4,13.2.4,Item,1,,,"Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated." 
-asvs_v4.0.1,asvs_v4.0.1:13.2.5,13.2.5,Item,1,,,"Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/JSON." -asvs_v4.0.1,asvs_v4.0.1:13.2.6,13.2.6,Item,1,,,Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits. -asvs_v4.0.1,asvs_v4.0.1:13.3.1,13.3.1,Item,1,,,"Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place." -asvs_v4.0.1,asvs_v4.0.1:13.3.2,13.3.2,Item,1,,,Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service. -asvs_v4.0.1,asvs_v4.0.1:13.4.1,13.4.1,Item,1,,,"Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used." -asvs_v4.0.1,asvs_v4.0.1:13.4.2,13.4.2,Item,1,,,Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer. -asvs_v4.0.1,asvs_v4.0.1:14.1.1,14.1.1,Item,1,,,"Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts." 
-asvs_v4.0.1,asvs_v4.0.1:14.1.2,14.1.2,Item,1,,,"Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found." -asvs_v4.0.1,asvs_v4.0.1:14.1.3,14.1.3,Item,1,,,Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use. -asvs_v4.0.1,asvs_v4.0.1:14.1.4,14.1.4,Item,1,,,"Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion." -asvs_v4.0.1,asvs_v4.0.1:14.1.5,14.1.5,Item,1,,,Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering. -asvs_v4.0.1,asvs_v4.0.1:14.2.1,14.2.1,Item,1,,,"Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:14.2.2,14.2.2,Item,1,,,"Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users." -asvs_v4.0.1,asvs_v4.0.1:14.2.3,14.2.3,Item,1,,,"Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset." -asvs_v4.0.1,asvs_v4.0.1:14.2.4,14.2.4,Item,1,,,"Verify that third party components come from pre-defined, trusted and continually maintained repositories. 
([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" -asvs_v4.0.1,asvs_v4.0.1:14.2.5,14.2.5,Item,1,,,Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:14.2.6,14.2.6,Item,1,,,Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) -asvs_v4.0.1,asvs_v4.0.1:14.3.1,14.3.1,Item,1,,,"Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures." -asvs_v4.0.1,asvs_v4.0.1:14.3.2,14.3.2,Item,1,,,"Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures." -asvs_v4.0.1,asvs_v4.0.1:14.3.3,14.3.3,Item,1,,,Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. -asvs_v4.0.1,asvs_v4.0.1:14.4.1,14.4.1,Item,1,,,"Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1)." -asvs_v4.0.1,asvs_v4.0.1:14.4.2,14.4.2,Item,1,,,"Verify that all API responses contain Content-Disposition: attachment; filename=""api.json"" (or other appropriate filename for the content type)." -asvs_v4.0.1,asvs_v4.0.1:14.4.3,14.4.3,Item,1,,,"Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities." -asvs_v4.0.1,asvs_v4.0.1:14.4.4,14.4.4,Item,1,,,Verify that all responses contain X-Content-Type-Options: nosniff. 
-asvs_v4.0.1,asvs_v4.0.1:14.4.5,14.4.5,Item,1,,,"Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains." -asvs_v4.0.1,asvs_v4.0.1:14.4.6,14.4.6,Item,1,,,"Verify that a suitable ""Referrer-Policy"" header is included, such as ""no-referrer"" or ""same-origin""." -asvs_v4.0.1,asvs_v4.0.1:14.4.7,14.4.7,Item,1,,,Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site. -asvs_v4.0.1,asvs_v4.0.1:14.5.1,14.5.1,Item,1,,,"Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS." -asvs_v4.0.1,asvs_v4.0.1:14.5.2,14.5.2,Item,1,,,"Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker." -asvs_v4.0.1,asvs_v4.0.1:14.5.3,14.5.3,Item,1,,,"Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the ""null"" origin." -asvs_v4.0.1,asvs_v4.0.1:14.5.4,14.5.4,Item,1,,,"Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application." +asvs_v4.0.1,asvs_v4.0.1:1.1.1,1.1.1,Item,1,1,,Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.1.2,1.1.2,Item,1,2,,"Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing." 
+asvs_v4.0.1,asvs_v4.0.1:1.1.3,1.1.3,Item,1,3,,"Verify that all user stories and features contain functional security constraints, such as ""As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile""" +asvs_v4.0.1,asvs_v4.0.1:1.1.4,1.1.4,Item,1,4,,"Verify documentation and justification of all the application's trust boundaries, components, and significant data flows." +asvs_v4.0.1,asvs_v4.0.1:1.1.5,1.1.5,Item,1,5,,Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.1.6,1.1.6,Item,1,6,,"Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.1.7,1.1.7,Item,1,7,,"Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers." +asvs_v4.0.1,asvs_v4.0.1:1.10.1,1.10.1,Item,1,1,,"Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes." +asvs_v4.0.1,asvs_v4.0.1:1.11.1,1.11.1,Item,1,1,,Verify the definition and documentation of all application components in terms of the business or security functions they provide. +asvs_v4.0.1,asvs_v4.0.1:1.11.2,1.11.2,Item,1,2,,"Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state." 
+asvs_v4.0.1,asvs_v4.0.1:1.11.3,1.11.3,Item,1,3,,"Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions." +asvs_v4.0.1,asvs_v4.0.1:1.12.1,1.12.1,Item,1,1,,Verify that user-uploaded files are stored outside of the web root. +asvs_v4.0.1,asvs_v4.0.1:1.12.2,1.12.2,Item,1,2,,"Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file." +asvs_v4.0.1,asvs_v4.0.1:1.14.1,1.14.1,Item,1,1,,"Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms." +asvs_v4.0.1,asvs_v4.0.1:1.14.2,1.14.2,Item,1,2,,"Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints." +asvs_v4.0.1,asvs_v4.0.1:1.14.3,1.14.3,Item,1,3,,Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions. +asvs_v4.0.1,asvs_v4.0.1:1.14.4,1.14.4,Item,1,4,,"Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts." +asvs_v4.0.1,asvs_v4.0.1:1.14.5,1.14.5,Item,1,5,,"Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.14.6,1.14.6,Item,1,6,,"Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets." +asvs_v4.0.1,asvs_v4.0.1:1.2.1,1.2.1,Item,1,1,,"Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.2.2,1.2.2,Item,1,2,,"Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.2.3,1.2.3,Item,1,3,,"Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches." +asvs_v4.0.1,asvs_v4.0.1:1.2.4,1.2.4,Item,1,4,,"Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application." +asvs_v4.0.1,asvs_v4.0.1:1.4.1,1.4.1,Item,1,1,,"Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client." +asvs_v4.0.1,asvs_v4.0.1:1.4.2,1.4.2,Item,1,2,,Verify that the chosen access control solution is flexible enough to meet the application's needs. 
+asvs_v4.0.1,asvs_v4.0.1:1.4.3,1.4.3,Item,1,3,,"Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege." +asvs_v4.0.1,asvs_v4.0.1:1.4.4,1.4.4,Item,1,4,,Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.4.5,1.4.5,Item,1,5,,Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.5.1,1.5.1,Item,1,1,,"Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance." +asvs_v4.0.1,asvs_v4.0.1:1.5.2,1.5.2,Item,1,2,,"Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection." +asvs_v4.0.1,asvs_v4.0.1:1.5.3,1.5.3,Item,1,3,,Verify that input validation is enforced on a trusted service layer. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.5.4,1.5.4,Item,1,4,,Verify that output encoding occurs close to or by the interpreter for which it is intended. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.6.1,1.6.1,Item,1,1,,Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. +asvs_v4.0.1,asvs_v4.0.1:1.6.2,1.6.2,Item,1,2,,Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives. +asvs_v4.0.1,asvs_v4.0.1:1.6.3,1.6.3,Item,1,3,,Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data. +asvs_v4.0.1,asvs_v4.0.1:1.6.4,1.6.4,Item,1,4,,"Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such." +asvs_v4.0.1,asvs_v4.0.1:1.7.1,1.7.1,Item,1,1,,Verify that a common logging format and approach is used across the system. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:1.7.2,1.7.2,Item,1,2,,"Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.8.1,1.8.1,Item,1,1,,Verify that all sensitive data is identified and classified into protection levels. +asvs_v4.0.1,asvs_v4.0.1:1.8.2,1.8.2,Item,1,2,,"Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture." 
+asvs_v4.0.1,asvs_v4.0.1:1.9.1,1.9.1,Item,1,1,,"Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:1.9.2,1.9.2,Item,1,2,,"Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains." +asvs_v4.0.1,asvs_v4.0.1:2.1.1,2.1.1,Item,1,1,,Verify that user set passwords are at least 12 characters in length. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.1.10,2.1.10,Item,1,10,,Verify that there are no periodic credential rotation or password history requirements. +asvs_v4.0.1,asvs_v4.0.1:2.1.11,2.1.11,Item,1,11,,"Verify that ""paste"" functionality, browser password helpers, and external password managers are permitted." +asvs_v4.0.1,asvs_v4.0.1:2.1.12,2.1.12,Item,1,12,,"Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality." +asvs_v4.0.1,asvs_v4.0.1:2.1.2,2.1.2,Item,1,2,,Verify that passwords 64 characters or longer are permitted. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.1.3,2.1.3,Item,1,3,,Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.1.4,2.1.4,Item,1,4,,"Verify that Unicode characters are permitted in passwords. 
A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted." +asvs_v4.0.1,asvs_v4.0.1:2.1.5,2.1.5,Item,1,5,,Verify users can change their password. +asvs_v4.0.1,asvs_v4.0.1:2.1.6,2.1.6,Item,1,6,,Verify that password change functionality requires the user's current and new password. +asvs_v4.0.1,asvs_v4.0.1:2.1.7,2.1.7,Item,1,7,,"Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.1.8,2.1.8,Item,1,8,,Verify that a password strength meter is provided to help users set a stronger password. +asvs_v4.0.1,asvs_v4.0.1:2.1.9,2.1.9,Item,1,9,,Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.10.1,2.10.1,Item,1,1,,"Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts." +asvs_v4.0.1,asvs_v4.0.1:2.10.2,2.10.2,Item,1,2,,"Verify that if passwords are required, the credentials are not a default account." +asvs_v4.0.1,asvs_v4.0.1:2.10.3,2.10.3,Item,1,3,,"Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access." 
+asvs_v4.0.1,asvs_v4.0.1:2.10.4,2.10.4,Item,1,4,,"Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage." +asvs_v4.0.1,asvs_v4.0.1:2.2.1,2.2.1,Item,1,1,,"Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account." +asvs_v4.0.1,asvs_v4.0.1:2.2.2,2.2.2,Item,1,2,,"Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise." +asvs_v4.0.1,asvs_v4.0.1:2.2.3,2.2.3,Item,1,3,,"Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification." 
+asvs_v4.0.1,asvs_v4.0.1:2.2.4,2.2.4,Item,1,4,,"Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates." +asvs_v4.0.1,asvs_v4.0.1:2.2.5,2.2.5,Item,1,5,,"Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints." +asvs_v4.0.1,asvs_v4.0.1:2.2.6,2.2.6,Item,1,6,,"Verify replay resistance through the mandated use of OTP devices, cryptographic authenticators, or lookup codes." +asvs_v4.0.1,asvs_v4.0.1:2.2.7,2.2.7,Item,1,7,,Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key. +asvs_v4.0.1,asvs_v4.0.1:2.3.1,2.3.1,Item,1,1,,"Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password." +asvs_v4.0.1,asvs_v4.0.1:2.3.2,2.3.2,Item,1,2,,"Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or FIDO tokens." +asvs_v4.0.1,asvs_v4.0.1:2.3.3,2.3.3,Item,1,3,,Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. +asvs_v4.0.1,asvs_v4.0.1:2.4.1,2.4.1,Item,1,1,,"Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.4.2,2.4.2,Item,1,2,,"Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.4.3,2.4.3,Item,1,3,,"Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.4.4,2.4.4,Item,1,4,,"Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.4.5,2.4.5,Item,1,5,,"Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module)." +asvs_v4.0.1,asvs_v4.0.1:2.5.1,2.5.1,Item,1,1,,Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.5.2,2.5.2,Item,1,2,,"Verify password hints or knowledge-based authentication (so-called ""secret questions"") are not present." 
+asvs_v4.0.1,asvs_v4.0.1:2.5.3,2.5.3,Item,1,3,,Verify password credential recovery does not reveal the current password in any way. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:2.5.4,2.5.4,Item,1,4,,"Verify shared or default accounts are not present (e.g. ""root"", ""admin"", or ""sa"")." +asvs_v4.0.1,asvs_v4.0.1:2.5.5,2.5.5,Item,1,5,,"Verify that if an authentication factor is changed or replaced, that the user is notified of this event." +asvs_v4.0.1,asvs_v4.0.1:2.5.6,2.5.6,Item,1,6,,"Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:2.5.7,2.5.7,Item,1,7,,"Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment." +asvs_v4.0.1,asvs_v4.0.1:2.6.1,2.6.1,Item,1,1,,Verify that lookup secrets can be used only once. +asvs_v4.0.1,asvs_v4.0.1:2.6.2,2.6.2,Item,1,2,,"Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash." +asvs_v4.0.1,asvs_v4.0.1:2.6.3,2.6.3,Item,1,3,,"Verify that lookup secrets are resistant to offline attacks, such as predictable values." +asvs_v4.0.1,asvs_v4.0.1:2.7.1,2.7.1,Item,1,1,,"Verify that clear text out of band (NIST ""restricted"") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first." +asvs_v4.0.1,asvs_v4.0.1:2.7.2,2.7.2,Item,1,2,,"Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes." 
+asvs_v4.0.1,asvs_v4.0.1:2.7.3,2.7.3,Item,1,3,,"Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request." +asvs_v4.0.1,asvs_v4.0.1:2.7.4,2.7.4,Item,1,4,,Verify that the out of band authenticator and verifier communicates over a secure independent channel. +asvs_v4.0.1,asvs_v4.0.1:2.7.5,2.7.5,Item,1,5,,Verify that the out of band verifier retains only a hashed version of the authentication code. +asvs_v4.0.1,asvs_v4.0.1:2.7.6,2.7.6,Item,1,6,,"Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient)." +asvs_v4.0.1,asvs_v4.0.1:2.8.1,2.8.1,Item,1,1,,Verify that time-based OTPs have a defined lifetime before expiring. +asvs_v4.0.1,asvs_v4.0.1:2.8.2,2.8.2,Item,1,2,,"Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage." +asvs_v4.0.1,asvs_v4.0.1:2.8.3,2.8.3,Item,1,3,,"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." +asvs_v4.0.1,asvs_v4.0.1:2.8.4,2.8.4,Item,1,4,,Verify that time-based OTP can be used only once within the validity period. +asvs_v4.0.1,asvs_v4.0.1:2.8.5,2.8.5,Item,1,5,,"Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications being sent to the holder of the device." +asvs_v4.0.1,asvs_v4.0.1:2.8.6,2.8.6,Item,1,6,,"Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location." 
+asvs_v4.0.1,asvs_v4.0.1:2.8.7,2.8.7,Item,1,7,,Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know. +asvs_v4.0.1,asvs_v4.0.1:2.9.1,2.9.1,Item,1,1,,"Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage." +asvs_v4.0.1,asvs_v4.0.1:2.9.2,2.9.2,Item,1,2,,"Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device." +asvs_v4.0.1,asvs_v4.0.1:2.9.3,2.9.3,Item,1,3,,"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." +asvs_v4.0.1,asvs_v4.0.1:3.1.1,3.1.1,Item,1,1,,Verify the application never reveals session tokens in URL parameters or error messages. +asvs_v4.0.1,asvs_v4.0.1:3.2.1,3.2.1,Item,1,1,,Verify the application generates a new session token on user authentication. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.2.2,3.2.2,Item,1,2,,Verify that session tokens possess at least 64 bits of entropy. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.2.3,3.2.3,Item,1,3,,Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage. +asvs_v4.0.1,asvs_v4.0.1:3.2.4,3.2.4,Item,1,4,,Verify that session token are generated using approved cryptographic algorithms. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.3.1,3.3.1,Item,1,1,,"Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:3.3.2,3.3.2,Item,1,2,,"If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:3.3.3,3.3.3,Item,1,3,,"Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties." +asvs_v4.0.1,asvs_v4.0.1:3.3.4,3.3.4,Item,1,4,,Verify that users are able to view and log out of any or all currently active sessions and devices. +asvs_v4.0.1,asvs_v4.0.1:3.4.1,3.4.1,Item,1,1,,Verify that cookie-based session tokens have the 'Secure' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.4.2,3.4.2,Item,1,2,,Verify that cookie-based session tokens have the 'HttpOnly' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.4.3,3.4.3,Item,1,3,,Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:3.4.4,3.4.4,Item,1,4,,"Verify that cookie-based session tokens use ""__Host-"" prefix (see references) to provide session cookie confidentiality." +asvs_v4.0.1,asvs_v4.0.1:3.4.5,3.4.5,Item,1,5,,"Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:3.5.1,3.5.1,Item,1,1,,Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications. +asvs_v4.0.1,asvs_v4.0.1:3.5.2,3.5.2,Item,1,2,,"Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations." +asvs_v4.0.1,asvs_v4.0.1:3.5.3,3.5.3,Item,1,3,,"Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks." +asvs_v4.0.1,asvs_v4.0.1:3.6.1,3.6.1,Item,1,1,,Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven't used a session within that period. +asvs_v4.0.1,asvs_v4.0.1:3.6.2,3.6.2,Item,1,2,,"Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user." +asvs_v4.0.1,asvs_v4.0.1:3.7.1,3.7.1,Item,1,1,,Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications. +asvs_v4.0.1,asvs_v4.0.1:4.1.1,4.1.1,Item,1,1,,"Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed." +asvs_v4.0.1,asvs_v4.0.1:4.1.2,4.1.2,Item,1,2,,Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. 
+asvs_v4.0.1,asvs_v4.0.1:4.1.3,4.1.3,Item,1,3,,"Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:4.1.4,4.1.4,Item,1,4,,Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:4.1.5,4.1.5,Item,1,5,,Verify that access controls fail securely including when an exception occurs. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:4.2.1,4.2.1,Item,1,1,,"Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records." +asvs_v4.0.1,asvs_v4.0.1:4.2.2,4.2.2,Item,1,2,,"Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality." +asvs_v4.0.1,asvs_v4.0.1:4.3.1,4.3.1,Item,1,1,,Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. +asvs_v4.0.1,asvs_v4.0.1:4.3.2,4.3.2,Item,1,2,,"Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders." 
+asvs_v4.0.1,asvs_v4.0.1:4.3.3,4.3.3,Item,1,3,,"Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud." +asvs_v4.0.1,asvs_v4.0.1:5.1.1,5.1.1,Item,1,1,,"Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables)." +asvs_v4.0.1,asvs_v4.0.1:5.1.2,5.1.2,Item,1,2,,"Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.1.3,5.1.3,Item,1,3,,"Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.1.4,5.1.4,Item,1,4,,"Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.1.5,5.1.5,Item,1,5,,"Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content." 
+asvs_v4.0.1,asvs_v4.0.1:5.2.1,5.2.1,Item,1,1,,Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:5.2.2,5.2.2,Item,1,2,,Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. +asvs_v4.0.1,asvs_v4.0.1:5.2.3,5.2.3,Item,1,3,,Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection. +asvs_v4.0.1,asvs_v4.0.1:5.2.4,5.2.4,Item,1,4,,"Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed." +asvs_v4.0.1,asvs_v4.0.1:5.2.5,5.2.5,Item,1,5,,Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed. +asvs_v4.0.1,asvs_v4.0.1:5.2.6,5.2.6,Item,1,6,,"Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports." +asvs_v4.0.1,asvs_v4.0.1:5.2.7,5.2.7,Item,1,7,,"Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject." +asvs_v4.0.1,asvs_v4.0.1:5.2.8,5.2.8,Item,1,8,,"Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar." +asvs_v4.0.1,asvs_v4.0.1:5.3.1,5.3.1,Item,1,1,,"Verify that output encoding is relevant for the interpreter and context required. 
For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.10,5.3.10,Item,1,10,,Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:5.3.2,5.3.2,Item,1,2,,"Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.3,5.3.3,Item,1,3,,"Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.4,5.3.4,Item,1,4,,"Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.5,5.3.5,Item,1,5,,"Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. 
([C3, C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.6,5.3.6,Item,1,6,,"Verify that the application projects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.7,5.3.7,Item,1,7,,"Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:5.3.8,5.3.8,Item,1,8,,Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:5.3.9,5.3.9,Item,1,9,,Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. +asvs_v4.0.1,asvs_v4.0.1:5.4.1,5.4.1,Item,1,1,,"Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows." +asvs_v4.0.1,asvs_v4.0.1:5.4.2,5.4.2,Item,1,2,,"Verify that format strings do not take potentially hostile input, and are constant." +asvs_v4.0.1,asvs_v4.0.1:5.4.3,5.4.3,Item,1,3,,"Verify that sign, range, and input validation techniques are used to prevent integer overflows." +asvs_v4.0.1,asvs_v4.0.1:5.5.1,5.5.1,Item,1,1,,Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:5.5.2,5.5.2,Item,1,2,,Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE. +asvs_v4.0.1,asvs_v4.0.1:5.5.3,5.5.3,Item,1,3,,"Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers)." +asvs_v4.0.1,asvs_v4.0.1:5.5.4,5.5.4,Item,1,4,,"Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON." +asvs_v4.0.1,asvs_v4.0.1:6.1.1,6.1.1,Item,1,1,,"Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR." +asvs_v4.0.1,asvs_v4.0.1:6.1.2,6.1.2,Item,1,2,,"Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records." +asvs_v4.0.1,asvs_v4.0.1:6.1.3,6.1.3,Item,1,3,,"Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records." +asvs_v4.0.1,asvs_v4.0.1:6.2.1,6.2.1,Item,1,1,,"Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks." +asvs_v4.0.1,asvs_v4.0.1:6.2.2,6.2.2,Item,1,2,,"Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. 
([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:6.2.3,6.2.3,Item,1,3,,"Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice." +asvs_v4.0.1,asvs_v4.0.1:6.2.4,6.2.4,Item,1,4,,"Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:6.2.5,6.2.5,Item,1,5,,"Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility." +asvs_v4.0.1,asvs_v4.0.1:6.2.6,6.2.6,Item,1,6,,"Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used." +asvs_v4.0.1,asvs_v4.0.1:6.2.7,6.2.7,Item,1,7,,"Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party." +asvs_v4.0.1,asvs_v4.0.1:6.2.8,6.2.8,Item,1,8,,"Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information." +asvs_v4.0.1,asvs_v4.0.1:6.3.1,6.3.1,Item,1,1,,"Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker." 
+asvs_v4.0.1,asvs_v4.0.1:6.3.2,6.3.2,Item,1,2,,"Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable." +asvs_v4.0.1,asvs_v4.0.1:6.3.3,6.3.3,Item,1,3,,"Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances." +asvs_v4.0.1,asvs_v4.0.1:6.4.1,6.4.1,Item,1,1,,"Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:6.4.2,6.4.2,Item,1,2,,Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.1.1,7.1.1,Item,1,1,,"Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:7.1.2,7.1.2,Item,1,2,,Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.1.3,7.1.3,Item,1,3,,"Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. 
([C5, C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:7.1.4,7.1.4,Item,1,4,,Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.2.1,7.2.1,Item,1,1,,"Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations." +asvs_v4.0.1,asvs_v4.0.1:7.2.2,7.2.2,Item,1,2,,Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations. +asvs_v4.0.1,asvs_v4.0.1:7.3.1,7.3.1,Item,1,1,,Verify that the application appropriately encodes user-supplied data to prevent log injection. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.3.2,7.3.2,Item,1,2,,Verify that all events are protected from injection when viewed in log viewing software. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.3.3,7.3.3,Item,1,3,,Verify that security logs are protected from unauthorized access and modification. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.3.4,7.3.4,Item,1,4,,Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.4.1,7.4.1,Item,1,1,,"Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:7.4.2,7.4.2,Item,1,2,,Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:7.4.3,7.4.3,Item,1,3,,"Verify that a ""last resort"" error handler is defined which will catch all unhandled exceptions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:8.1.1,8.1.1,Item,1,1,,Verify the application protects sensitive data from being cached in server components such as load balancers and application caches. +asvs_v4.0.1,asvs_v4.0.1:8.1.2,8.1.2,Item,1,2,,Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. +asvs_v4.0.1,asvs_v4.0.1:8.1.3,8.1.3,Item,1,3,,"Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values." +asvs_v4.0.1,asvs_v4.0.1:8.1.4,8.1.4,Item,1,4,,"Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application." +asvs_v4.0.1,asvs_v4.0.1:8.1.5,8.1.5,Item,1,5,,Verify that regular backups of important data are performed and that test restoration of data is performed. 
+asvs_v4.0.1,asvs_v4.0.1:8.1.6,8.1.6,Item,1,6,,Verify that backups are stored securely to prevent data from being stolen or corrupted. +asvs_v4.0.1,asvs_v4.0.1:8.2.1,8.2.1,Item,1,1,,Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. +asvs_v4.0.1,asvs_v4.0.1:8.2.2,8.2.2,Item,1,2,,"Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII." +asvs_v4.0.1,asvs_v4.0.1:8.2.3,8.2.3,Item,1,3,,"Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated." +asvs_v4.0.1,asvs_v4.0.1:8.3.1,8.3.1,Item,1,1,,"Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data." +asvs_v4.0.1,asvs_v4.0.1:8.3.2,8.3.2,Item,1,2,,Verify that users have a method to remove or export their data on demand. +asvs_v4.0.1,asvs_v4.0.1:8.3.3,8.3.3,Item,1,3,,Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way. +asvs_v4.0.1,asvs_v4.0.1:8.3.4,8.3.4,Item,1,4,,"Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:8.3.5,8.3.5,Item,1,5,,"Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required." 
+asvs_v4.0.1,asvs_v4.0.1:8.3.6,8.3.6,Item,1,6,,"Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data." +asvs_v4.0.1,asvs_v4.0.1:8.3.7,8.3.7,Item,1,7,,"Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:8.3.8,8.3.8,Item,1,8,,"Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires." +asvs_v4.0.1,asvs_v4.0.1:9.1.1,9.1.1,Item,1,1,,"Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:9.1.2,9.1.2,Item,1,2,,"Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred." +asvs_v4.0.1,asvs_v4.0.1:9.1.3,9.1.3,Item,1,3,,"Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite." +asvs_v4.0.1,asvs_v4.0.1:9.2.1,9.2.1,Item,1,1,,"Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected." 
+asvs_v4.0.1,asvs_v4.0.1:9.2.2,9.2.2,Item,1,2,,"Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols." +asvs_v4.0.1,asvs_v4.0.1:9.2.3,9.2.3,Item,1,3,,Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. +asvs_v4.0.1,asvs_v4.0.1:9.2.4,9.2.4,Item,1,4,,"Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured." +asvs_v4.0.1,asvs_v4.0.1:9.2.5,9.2.5,Item,1,5,,Verify that backend TLS connection failures are logged. +asvs_v4.0.1,asvs_v4.0.1:10.1.1,10.1.1,Item,1,1,,"Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections." +asvs_v4.0.1,asvs_v4.0.1:10.2.1,10.2.1,Item,1,1,,"Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data." +asvs_v4.0.1,asvs_v4.0.1:10.2.2,10.2.2,Item,1,2,,"Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location." +asvs_v4.0.1,asvs_v4.0.1:10.2.3,10.2.3,Item,1,3,,"Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered." 
+asvs_v4.0.1,asvs_v4.0.1:10.2.4,10.2.4,Item,1,4,,Verify that the application source code and third party libraries does not contain time bombs by searching for date and time related functions. +asvs_v4.0.1,asvs_v4.0.1:10.2.5,10.2.5,Item,1,5,,"Verify that the application source code and third party libraries does not contain malicious code, such as salami attacks, logic bypasses, or logic bombs." +asvs_v4.0.1,asvs_v4.0.1:10.2.6,10.2.6,Item,1,6,,Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality. +asvs_v4.0.1,asvs_v4.0.1:10.3.1,10.3.1,Item,1,1,,"Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update." +asvs_v4.0.1,asvs_v4.0.1:10.3.2,10.3.2,Item,1,2,,"Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet." +asvs_v4.0.1,asvs_v4.0.1:10.3.3,10.3.3,Item,1,3,,"Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change." +asvs_v4.0.1,asvs_v4.0.1:11.1.1,11.1.1,Item,1,1,,Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps. 
+asvs_v4.0.1,asvs_v4.0.1:11.1.2,11.1.2,Item,1,2,,"Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly." +asvs_v4.0.1,asvs_v4.0.1:11.1.3,11.1.3,Item,1,3,,Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis. +asvs_v4.0.1,asvs_v4.0.1:11.1.4,11.1.4,Item,1,4,,"Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks." +asvs_v4.0.1,asvs_v4.0.1:11.1.5,11.1.5,Item,1,5,,"Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies." +asvs_v4.0.1,asvs_v4.0.1:11.1.6,11.1.6,Item,1,6,,"Verify the application does not suffer from ""time of check to time of use"" (TOCTOU) issues or other race conditions for sensitive operations." +asvs_v4.0.1,asvs_v4.0.1:11.1.7,11.1.7,Item,1,7,,"Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:11.1.8,11.1.8,Item,1,8,,Verify the application has configurable alerting when automated attacks or unusual activity is detected. +asvs_v4.0.1,asvs_v4.0.1:12.1.1,12.1.1,Item,1,1,,Verify that the application will not accept large files that could fill up storage or cause a denial of service attack. +asvs_v4.0.1,asvs_v4.0.1:12.1.2,12.1.2,Item,1,2,,"Verify that compressed files are checked for ""zip bombs"" - small input files that will decompress into huge files thus exhausting file storage limits." 
+asvs_v4.0.1,asvs_v4.0.1:12.1.3,12.1.3,Item,1,3,,"Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files." +asvs_v4.0.1,asvs_v4.0.1:12.2.1,12.2.1,Item,1,1,,Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content. +asvs_v4.0.1,asvs_v4.0.1:12.3.1,12.3.1,Item,1,1,,Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal. +asvs_v4.0.1,asvs_v4.0.1:12.3.2,12.3.2,Item,1,2,,"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI)." +asvs_v4.0.1,asvs_v4.0.1:12.3.3,12.3.3,Item,1,3,,"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF." +asvs_v4.0.1,asvs_v4.0.1:12.3.4,12.3.4,Item,1,4,,"Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename." +asvs_v4.0.1,asvs_v4.0.1:12.3.5,12.3.5,Item,1,5,,"Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection." +asvs_v4.0.1,asvs_v4.0.1:12.3.6,12.3.6,Item,1,6,,"Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs." +asvs_v4.0.1,asvs_v4.0.1:12.4.1,12.4.1,Item,1,1,,"Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation." 
+asvs_v4.0.1,asvs_v4.0.1:12.4.2,12.4.2,Item,1,2,,Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content. +asvs_v4.0.1,asvs_v4.0.1:12.5.1,12.5.1,Item,1,1,,"Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required." +asvs_v4.0.1,asvs_v4.0.1:12.5.2,12.5.2,Item,1,2,,Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content. +asvs_v4.0.1,asvs_v4.0.1:12.6.1,12.6.1,Item,1,1,,Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from. +asvs_v4.0.1,asvs_v4.0.1:13.1.1,13.1.1,Item,1,1,,Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks. +asvs_v4.0.1,asvs_v4.0.1:13.1.2,13.1.2,Item,1,2,,Verify that access to administration and management functions is limited to authorized administrators. +asvs_v4.0.1,asvs_v4.0.1:13.1.3,13.1.3,Item,1,3,,"Verify API URLs do not expose sensitive information, such as the API key, session tokens etc." +asvs_v4.0.1,asvs_v4.0.1:13.1.4,13.1.4,Item,1,4,,"Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions." +asvs_v4.0.1,asvs_v4.0.1:13.1.5,13.1.5,Item,1,5,,Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type). 
+asvs_v4.0.1,asvs_v4.0.1:13.2.1,13.2.1,Item,1,1,,"Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources." +asvs_v4.0.1,asvs_v4.0.1:13.2.2,13.2.2,Item,1,2,,Verify that JSON schema validation is in place and verified before accepting input. +asvs_v4.0.1,asvs_v4.0.1:13.2.3,13.2.3,Item,1,3,,"Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks." +asvs_v4.0.1,asvs_v4.0.1:13.2.4,13.2.4,Item,1,4,,"Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated." +asvs_v4.0.1,asvs_v4.0.1:13.2.5,13.2.5,Item,1,5,,"Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/JSON." +asvs_v4.0.1,asvs_v4.0.1:13.2.6,13.2.6,Item,1,6,,Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits. +asvs_v4.0.1,asvs_v4.0.1:13.3.1,13.3.1,Item,1,1,,"Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place." 
+asvs_v4.0.1,asvs_v4.0.1:13.3.2,13.3.2,Item,1,2,,Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service. +asvs_v4.0.1,asvs_v4.0.1:13.4.1,13.4.1,Item,1,1,,"Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used." +asvs_v4.0.1,asvs_v4.0.1:13.4.2,13.4.2,Item,1,2,,Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer. +asvs_v4.0.1,asvs_v4.0.1:14.1.1,14.1.1,Item,1,1,,"Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts." +asvs_v4.0.1,asvs_v4.0.1:14.1.2,14.1.2,Item,1,2,,"Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found." +asvs_v4.0.1,asvs_v4.0.1:14.1.3,14.1.3,Item,1,3,,Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use. +asvs_v4.0.1,asvs_v4.0.1:14.1.4,14.1.4,Item,1,4,,"Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion." +asvs_v4.0.1,asvs_v4.0.1:14.1.5,14.1.5,Item,1,5,,Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering. 
+asvs_v4.0.1,asvs_v4.0.1:14.2.1,14.2.1,Item,1,1,,"Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:14.2.2,14.2.2,Item,1,2,,"Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users." +asvs_v4.0.1,asvs_v4.0.1:14.2.3,14.2.3,Item,1,3,,"Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset." +asvs_v4.0.1,asvs_v4.0.1:14.2.4,14.2.4,Item,1,4,,"Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" +asvs_v4.0.1,asvs_v4.0.1:14.2.5,14.2.5,Item,1,5,,Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:14.2.6,14.2.6,Item,1,6,,Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) +asvs_v4.0.1,asvs_v4.0.1:14.3.1,14.3.1,Item,1,1,,"Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures." +asvs_v4.0.1,asvs_v4.0.1:14.3.2,14.3.2,Item,1,2,,"Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures." 
+asvs_v4.0.1,asvs_v4.0.1:14.3.3,14.3.3,Item,1,3,,Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. +asvs_v4.0.1,asvs_v4.0.1:14.4.1,14.4.1,Item,1,1,,"Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1)." +asvs_v4.0.1,asvs_v4.0.1:14.4.2,14.4.2,Item,1,2,,"Verify that all API responses contain Content-Disposition: attachment; filename=""api.json"" (or other appropriate filename for the content type)." +asvs_v4.0.1,asvs_v4.0.1:14.4.3,14.4.3,Item,1,3,,"Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities." +asvs_v4.0.1,asvs_v4.0.1:14.4.4,14.4.4,Item,1,4,,Verify that all responses contain X-Content-Type-Options: nosniff. +asvs_v4.0.1,asvs_v4.0.1:14.4.5,14.4.5,Item,1,5,,"Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains." +asvs_v4.0.1,asvs_v4.0.1:14.4.6,14.4.6,Item,1,6,,"Verify that a suitable ""Referrer-Policy"" header is included, such as ""no-referrer"" or ""same-origin""." +asvs_v4.0.1,asvs_v4.0.1:14.4.7,14.4.7,Item,1,7,,Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site. +asvs_v4.0.1,asvs_v4.0.1:14.5.1,14.5.1,Item,1,1,,"Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS." +asvs_v4.0.1,asvs_v4.0.1:14.5.2,14.5.2,Item,1,2,,"Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker." 
+asvs_v4.0.1,asvs_v4.0.1:14.5.3,14.5.3,Item,1,3,,"Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the ""null"" origin." +asvs_v4.0.1,asvs_v4.0.1:14.5.4,14.5.4,Item,1,4,,"Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv,GV,Function,0,1,Governance, +fsscc_profile_v1.0,fsscc_profile_v1.0:id,ID,Function,0,2,Identify, +fsscc_profile_v1.0,fsscc_profile_v1.0:pr,PR,Function,0,3,Protect, +fsscc_profile_v1.0,fsscc_profile_v1.0:de,DE,Function,0,4,Detect, +fsscc_profile_v1.0,fsscc_profile_v1.0:rs,RS,Function,0,5,Respond, +fsscc_profile_v1.0,fsscc_profile_v1.0:rc,RC,Function,0,6,Recover, +fsscc_profile_v1.0,fsscc_profile_v1.0:dm,DM,Function,0,7,Supply chain / dependency management, +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf,GV.SF,Category,1,1,Strategy and Framework,The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm,GV.RM,Category,1,2,Risk Management,"The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl,GV.PL,Category,1,3,Policy,The organization has established a security policy in support of its cyber risk management framework. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr,GV.RR,Category,1,4,Roles and Responsibilities,"The organization has designated appropriate roles and responsibilities, including an individual responsible for cybersecurity for the organization." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp,GV.SP,Category,1,5,Security Program,The organization has a cybersecurity program that is continually measured and improved. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir,GV.IR,Category,1,6,Independent Risk Management Function,The organization has an independent risk management function. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au,GV.AU,Category,1,7,Audit,The organization has an independent audit function to provide for appropriate oversight of the cybersecurity program. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te,GV.TE,Category,1,8,Technology,"The organization integrates cyber risk considerations into new technology development, design, implementation, and adoption." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am,ID.AM,Category,1,9,Asset Management,"The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra,ID.RA,Category,1,10,Risk Assessment,"The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac,PR.AC,Category,1,11,Identity Management and Access Control,"Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at,PR.AT,Category,1,12,Awareness and Training,"The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds,PR.DS,Category,1,13,Data Security,"Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip,PR.IP,Category,1,14,Information Protection Processes and Procedures,"Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. +" +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma,PR.MA,Category,1,15,Maintenance,Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt,PR.PT,Category,1,16,Protective Technology,"Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae,DE.AE,Category,1,17,Anomalies and Events,Anomalous activity is detected in a timely manner and the potential impact of events is understood. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm,DE.CM,Category,1,18,Security Continuous Monitoring,The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp,DE.DP,Category,1,19,Detection Processes,Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp,RS.RP,Category,1,20,Response Planning,"Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co,RS.CO,Category,1,21,Communications,"Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an,RS.AN,Category,1,22,Analysis,Analysis is conducted to ensure adequate response and support recovery activities. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi,RS.MI,Category,1,23,Mitigation,"Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im,RS.IM,Category,1,24,Improvements,Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp,RC.RP,Category,1,25,Recovery Planning,Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im,RC.IM,Category,1,26,Improvements,Recovery planning and processes are improved by incorporating lessons learned into future activities. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co,RC.CO,Category,1,27,Communications,"Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id,DM.ID,Category,1,28,Internal Dependencies,The organization manages risks associated with its internal dependencies. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed,DM.ED,Category,1,29,External Dependencies,The organization manages risks associated with its external dependencies. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs,DM.RS,Category,1,30,Resilience,The organization is resilient and able to operate while experiencing a cyber attack. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be,DM.BE,Category,1,31,Business Environment,"The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1,GV.SF-1,Subcategory,2,1,,Organization has a cyber risk management strategy and framework. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-2,GV.SF-2,Subcategory,2,2,,"Cyber risk management strategy and framework is appropriately informed by international, national, and industry standards and guidelines." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3,GV.SF-3,Subcategory,2,3,,Cyber risk management strategy and framework address applicable cybersecurity risks. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-4,GV.SF-4,Subcategory,2,4,,The organization’s determination of cyber risk appetite is informed by its role in critical infrastructure and sector specific risk analysis. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1,GV.RM-1,Subcategory,2,5,,"Cyber risk management processes are established, managed, and agreed to by organizational stakeholders." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2,GV.RM-2,Subcategory,2,6,,Organizational risk tolerance is determined and clearly expressed. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3,GV.RM-3,Subcategory,2,7,,Cyber risk management framework is integrated into the enterprise risk management framework. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1,GV.PL-1,Subcategory,2,8,,Organizational cybersecurity policy is established and has been approved by appropriate governance bodies. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2,GV.PL-2,Subcategory,2,9,,"Organizational cybersecurity policy addresses appropriate controls, identified through risk assessment." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3,GV.PL-3,Subcategory,2,10,,"Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-1,GV.RR-1,Subcategory,2,11,,Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2,GV.RR-2,Subcategory,2,12,,"Organization has appointed a manager responsible for cybersecurity efforts within the organization, including authority, sufficient budget, and access to the executive suite and appropriate governing authority (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1,GV.SP-1,Subcategory,2,13,,"Organization has a cybersecurity program that implements, monitors and updates its policies, procedures, processes, and controls to continually manage cybersecurity risks to the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2,GV.SP-2,Subcategory,2,14,,Cybersecurity performance is measured and regularly reported to senior executives and the Board or an appropriate governing body. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1,GV.IR-1,Subcategory,2,15,,An independent risk management function provides assurance that the cybersecurity risk management framework has been implemented according to policy and is consistent with the organization's risk appetite and tolerance. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2,GV.IR-2,Subcategory,2,16,,An independent risk management function assesses the appropriateness of the risk management program for the organization's risk appetite and proposes risk mitigation strategies. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-3,GV.IR-3,Subcategory,2,17,,"An independent risk management function reports implementation of cyber risk management framework to the appropriate governing authority (e.g., the Board or one of its committees)" +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1,GV.AU-1,Subcategory,2,18,,An independent audit function assesses compliance with internal controls and applicable laws and regulations. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2,GV.AU-2,Subcategory,2,19,,An independent audit function updates its procedures to adjust to the evolving cybersecurity environment. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3,GV.AU-3,Subcategory,2,20,,"An independent audit function identifies, tracks, and reports significant changes in the organization's cyber risk exposure to the appropriate governing authority (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1,GV.TE-1,Subcategory,2,21,,Organization integrates consideration of cyber risks into technology implementations. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-2,GV.TE-2,Subcategory,2,22,,"Organization should use technical security standards, architectures, and tools to ensure security to the maximum extent possible." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-1,ID.AM-1,Subcategory,2,23,,Physical devices and systems within the organization are inventoried. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-2,ID.AM-2,Subcategory,2,24,,Software platforms and applications within the organization are inventoried. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3,ID.AM-3,Subcategory,2,25,,Organizational communication and data flows are mapped. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-4,ID.AM-4,Subcategory,2,26,,External information systems are catalogued. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5,ID.AM-5,Subcategory,2,27,,"Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-6,ID.AM-6,Subcategory,2,28,,"Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-1,ID.RA-1,Subcategory,2,29,,Asset vulnerabilities are identified and documented. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-2,ID.RA-2,Subcategory,2,30,,Cyber threat intelligence is received from information sharing forums and sources. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3,ID.RA-3,Subcategory,2,31,,"Cyber threats, both internal and external, are identified and documented." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-4,ID.RA-4,Subcategory,2,32,,Potential business impacts and likelihoods are identified. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5,ID.RA-5,Subcategory,2,33,,"Threats, vulnerabilities, likelihoods, and impacts are used to determine risk." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6,ID.RA-6,Subcategory,2,34,,Risk responses are identified and prioritized. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1,PR.AC-1,Subcategory,2,35,,"Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-2,PR.AC-2,Subcategory,2,36,,Physical access to assets is managed and protected. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3,PR.AC-3,Subcategory,2,37,,Remote access is managed. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4,PR.AC-4,Subcategory,2,38,,"Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5,PR.AC-5,Subcategory,2,39,,"Network integrity is protected, incorporating network segregation where appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-6,PR.AC-6,Subcategory,2,40,,"Identities are proofed and bound to credentials, and asserted in interactions." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7,PR.AC-7,Subcategory,2,41,,"Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). +" +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1,PR.AT-1,Subcategory,2,42,,All users are informed and trained. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2,PR.AT-2,Subcategory,2,43,,Privileged users understand their roles and responsibilities. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3,PR.AT-3,Subcategory,2,44,,"Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4,PR.AT-4,Subcategory,2,45,,Senior executives understand their roles and responsibilities. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-5,PR.AT-5,Subcategory,2,46,,Physical and information security personnel understand roles and responsibilities. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1,PR.DS-1,Subcategory,2,47,,Data-at-rest is protected. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2,PR.DS-2,Subcategory,2,48,,Data-in-transit is protected. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-3,PR.DS-3,Subcategory,2,49,,"Assets are formally managed throughout removal, transfers, and disposition." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-4,PR.DS-4,Subcategory,2,50,,Adequate capacity to ensure availability is maintained. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-5,PR.DS-5,Subcategory,2,51,,Protections against data leaks are implemented. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-6,PR.DS-6,Subcategory,2,52,,"Integrity checking mechanisms are used to verify software, firmware, and information integrity." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-7,PR.DS-7,Subcategory,2,53,,The development and testing environment(s) are separate from the production environment. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-8,PR.DS-8,Subcategory,2,54,,Integrity checking mechanisms are used to verify hardware integrity. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1,PR.IP-1,Subcategory,2,55,,"A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2,PR.IP-2,Subcategory,2,56,,A System Development Life Cycle to manage systems is implemented. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-3,PR.IP-3,Subcategory,2,57,,Configuration change control processes are in place. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4,PR.IP-4,Subcategory,2,58,,"Backups of information are conducted, maintained, and tested periodically." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-5,PR.IP-5,Subcategory,2,59,,Policy and regulations regarding the physical operating environment for organizational assets are met. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-6,PR.IP-6,Subcategory,2,60,,Data is destroyed according to policy. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-7,PR.IP-7,Subcategory,2,61,,Protection processes are continuously improved. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-8,PR.IP-8,Subcategory,2,62,,Effectiveness of protection technologies is shared with appropriate parties. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9,PR.IP-9,Subcategory,2,63,,Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10,PR.IP-10,Subcategory,2,64,,Response and recovery plans are tested. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11,PR.IP-11,Subcategory,2,65,,"Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12,PR.IP-12,Subcategory,2,66,,A vulnerability management plan is developed and implemented. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-1,PR.MA-1,Subcategory,2,67,,"Maintenance and repair of organizational assets are performed and logged in a timely manner, with approved and controlled tools." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-2,PR.MA-2,Subcategory,2,68,,"Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1,PR.PT-1,Subcategory,2,69,,"Audit/log records are determined, documented, implemented, and reviewed in accordance with policy." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-2,PR.PT-2,Subcategory,2,70,,Removable media is protected and its use restricted according to policy. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-3,PR.PT-3,Subcategory,2,71,,The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-4,PR.PT-4,Subcategory,2,72,,Communications and control networks are protected. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-5,PR.PT-5,Subcategory,2,73,,"Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-1,DE.AE-1,Subcategory,2,74,,A baseline of network operations and expected data flows for users and systems is established and managed. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-2,DE.AE-2,Subcategory,2,75,,Detected events are analyzed to understand attack targets and methods. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3,DE.AE-3,Subcategory,2,76,,Event data are collected and correlated from multiple sources and sensors. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-4,DE.AE-4,Subcategory,2,77,,Impact of events is determined. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-5,DE.AE-5,Subcategory,2,78,,Incident alert thresholds are established. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1,DE.CM-1,Subcategory,2,79,,The network is monitored to detect potential cybersecurity events. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-2,DE.CM-2,Subcategory,2,80,,The physical environment is monitored to detect potential cybersecurity events. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3,DE.CM-3,Subcategory,2,81,,Personnel activity is monitored to detect potential cybersecurity events. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4,DE.CM-4,Subcategory,2,82,,Malicious code is detected. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-5,DE.CM-5,Subcategory,2,83,,Unauthorized mobile code is detected. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6,DE.CM-6,Subcategory,2,84,,External service provider activity is monitored to detect potential cybersecurity events. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7,DE.CM-7,Subcategory,2,85,,"Monitoring for unauthorized personnel, connections, devices, and software is performed." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8,DE.CM-8,Subcategory,2,86,,Vulnerability scans are performed. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-1,DE.DP-1,Subcategory,2,87,,Roles and responsibilities for detection are well defined to ensure accountability. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-2,DE.DP-2,Subcategory,2,88,,Detection activities comply with all applicable requirements. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-3,DE.DP-3,Subcategory,2,89,,Detection processes are tested. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4,DE.DP-4,Subcategory,2,90,,Event detection information is communicated to appropriate parties. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-5,DE.DP-5,Subcategory,2,91,,Detection processes are continuously improved. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp-1,RS.RP-1,Subcategory,2,92,,Response plan is executed during or after an incident. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1,RS.CO-1,Subcategory,2,93,,Personnel know their roles and order of operations when a response is needed. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2,RS.CO-2,Subcategory,2,94,,Incidents are reported consistent with established criteria. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3,RS.CO-3,Subcategory,2,95,,Information is shared consistent with response plans. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-4,RS.CO-4,Subcategory,2,96,,Coordination with stakeholders occurs consistent with response plans. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5,RS.CO-5,Subcategory,2,97,,Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-1,RS.AN-1,Subcategory,2,98,,Notifications from detection systems are investigated. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2,RS.AN-2,Subcategory,2,99,,The impact of the incident is understood. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-3,RS.AN-3,Subcategory,2,100,,Forensics are performed. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-4,RS.AN-4,Subcategory,2,101,,Incidents are categorized consistent with response plans. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5,RS.AN-5,Subcategory,2,102,,"Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1,RS.MI-1,Subcategory,2,103,,Incidents are contained. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-2,RS.MI-2,Subcategory,2,104,,Incidents are mitigated. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3,RS.MI-3,Subcategory,2,105,,Newly identified vulnerabilities are mitigated or documented as accepted risks. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1,RS.IM-1,Subcategory,2,106,,Response plans incorporate lessons learned. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-2,RS.IM-2,Subcategory,2,107,,Response strategies are updated. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1,RC.RP-1,Subcategory,2,108,,Recovery plan is executed during or after a cybersecurity incident. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-1,RC.IM-1,Subcategory,2,109,,Recovery plans incorporate lessons learned. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-2,RC.IM-2,Subcategory,2,110,,Recovery strategies are updated. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1,RC.CO-1,Subcategory,2,111,,Public relations are managed. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-2,RC.CO-2,Subcategory,2,112,,Reputation after an event is repaired. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-3,RC.CO-3,Subcategory,2,113,,Recovery activities are communicated to internal and external stakeholders as well as and executive and management teams. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1,DM.ID-1,Subcategory,2,114,,The organization integrates internal dependency management strategy into the overall strategic risk management plan. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-2,DM.ID-2,Subcategory,2,115,,Roles and responsibilities for internal dependency management are defined and assigned. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1,DM.ED-1,Subcategory,2,116,,The organization integrates external dependency management strategy into the overall strategic risk management plan. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2,DM.ED-2,Subcategory,2,117,,"Dependency management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3,DM.ED-3,Subcategory,2,118,,Roles and responsibilities for external dependency management are defined and assigned. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4,DM.ED-4,Subcategory,2,119,,The organization manages cyber risks associated with external dependencies. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5,DM.ED-5,Subcategory,2,120,,"Functions, activities, products, and services - including interconnections, dependencies, and third parties - are identified and prioritized based on their criticality to the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6,DM.ED-6,Subcategory,2,121,,Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7,DM.ED-7,Subcategory,2,122,,"Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1,DM.RS-1,Subcategory,2,123,,Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2,DM.RS-2,Subcategory,2,124,,"Organizational incident response, business continuity, and disaster recovery plans and exercises incorporate its external dependencies and critical business partners." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1,DM.BE-1,Subcategory,2,125,,The organization’s place in critical infrastructure and its industry sector is identified and communicated. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2,DM.BE-2,Subcategory,2,126,,Dependencies and critical functions for delivery of critical services are established. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-3,DM.BE-3,Subcategory,2,127,,"Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.1,GV.SF-1.1,Statement,3,1,,"The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.2,GV.SF-1.2,Statement,3,2,,"An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization’s cyber risk management strategy and framework." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.3,GV.SF-1.3,Statement,3,3,,The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.4,GV.SF-1.4,Statement,3,4,,The cyber risk management strategy identifies and communicates the organization’s role within the financial services sector as a component of critical infrastructure in the financial services industry. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.5,GV.SF-1.5,Statement,3,5,,"The cyber risk management strategy and framework establishes and communicates priorities for organizational mission, objectives, and activities." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-2.1,GV.SF-2.1,Statement,3,6,,"The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.1,GV.SF-3.1,Statement,3,7,,"An appropriate governing authority (e.g., the Board or one of its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.2,GV.SF-3.2,Statement,3,8,,"An appropriate governing authority (e.g., the Board or one of its committees) periodically reviews and evaluates the organization's ability to manage its cyber risks." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.3,GV.SF-3.3,Statement,3,9,,The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-4.1,GV.SF-4.1,Statement,3,10,,The risk appetite is informed by the organization’s role in critical infrastructure. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.1,GV.RM-1.1,Statement,3,11,,"The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.2,GV.RM-1.2,Statement,3,12,,"The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. 
" +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.3,GV.RM-1.3,Statement,3,13,,"As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.4,GV.RM-1.4,Statement,3,14,,The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.5,GV.RM-1.5,Statement,3,15,,"The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.6,GV.RM-1.6,Statement,3,16,,"The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.1,GV.RM-2.1,Statement,3,17,,"The organization has established a cyber risk tolerance consistent with its risk appetite, and integrated it into technology or operational risk management, as appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.2,GV.RM-2.2,Statement,3,18,,The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.3,GV.RM-2.3,Statement,3,19,,"The cyber risk management strategy articulates how the organization would maintain an acceptable level of residual cyber risk set by the appropriate governing authority (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.1,GV.RM-3.1,Statement,3,20,,The cyber risk management framework is integrated into the enterprise risk management framework. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.2,GV.RM-3.2,Statement,3,21,,The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.3,GV.RM-3.3,Statement,3,22,,"The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1.1,GV.PL-1.1,Statement,3,23,,"The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1.2,GV.PL-1.2,Statement,3,24,,The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.1,GV.PL-2.1,Statement,3,25,,The cybersecurity policy is supported by the organization's risk management program. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.2,GV.PL-2.2,Statement,3,26,,Cybersecurity processes and procedures are established based on the cybersecurity policy. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.3,GV.PL-2.3,Statement,3,27,,"The cybersecurity policy is periodically reviewed and revised under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.1,GV.PL-3.1,Statement,3,28,,"The cybersecurity policy, strategy and framework should take into account the organization's legal and regulatory obligations." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.2,GV.PL-3.2,Statement,3,29,,The organization's cybersecurity policies are consistent with its privacy and civil liberty obligations. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.3,GV.PL-3.3,Statement,3,30,,"The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-1.1,GV.RR-1.1,Statement,3,31,,"The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.1,GV.RR-2.1,Statement,3,32,,"The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.2,GV.RR-2.2,Statement,3,33,,"The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). 
" +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.3,GV.RR-2.3,Statement,3,34,,"The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. " +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.4,GV.RR-2.4,Statement,3,35,,The organization provides adequate resources to maintain and enhance the cybersecurity situational awareness of senior managers within the organization. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1.1,GV.SP-1.1,Statement,3,36,,"The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1.2,GV.SP-1.2,Statement,3,37,,"Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.1,GV.SP-2.1,Statement,3,38,,"The organization implements a repeatable process to develop, collect, store, report, and refresh actionable cybersecurity key performance indicators and metrics. " +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.2,GV.SP-2.2,Statement,3,39,,"The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to help guide the security program. 
" +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.3,GV.SP-2.3,Statement,3,40,,"The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.1,GV.IR-1.1,Statement,3,41,,The organization's enterprise-wide cyber risk management framework includes an independent risk management function that provides assurance that the cyber risk management framework is implemented as intended. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.2,GV.IR-1.2,Statement,3,42,,"An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.3,GV.IR-1.3,Statement,3,43,,"The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. " +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.4,GV.IR-1.4,Statement,3,44,,"Individuals responsible for independent risk management and oversight are independent of business line management, including senior leadership." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2.1,GV.IR-2.1,Statement,3,45,,An independent risk management function assesses the appropriateness of the cyber risk management program according to the organization's risk appetite. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2.2,GV.IR-2.2,Statement,3,46,,"An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-3.1,GV.IR-3.1,Statement,3,47,,"An independent risk management function reports to the appropriate governing authority (e.g., the Board or one of its committees) and to the appropriate risk management officer within the organization on the implementation of the cyber risk management framework throughout the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.1,GV.AU-1.1,Statement,3,48,,The organization has an independent audit function. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.2,GV.AU-1.2,Statement,3,49,,The organization has an independent audit plan that provides for an evaluation of the organization's compliance with the appropriately approved cyber risk management framework and its cybersecurity policies and processes including how well the organization adapts to the evolving cyber risk environment while remaining within its stated risk appetite and tolerance. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.3,GV.AU-1.3,Statement,3,50,,An independent audit function tests security controls and information security policies. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.4,GV.AU-1.4,Statement,3,51,,An independent audit function assesses compliance with applicable laws and regulations. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2.1,GV.AU-2.1,Statement,3,52,,A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2.2,GV.AU-2.2,Statement,3,53,,A formal process is in place for the independent audit function to update its procedures based on changes to the organization's risk appetite and risk tolerance. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.1,GV.AU-3.1,Statement,3,54,,An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.2,GV.AU-3.2,Statement,3,55,,An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.3,GV.AU-3.3,Statement,3,56,,"An independent audit function reports to the appropriate governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when cyber risk tolerance has been exceeded in any part of the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1.1,GV.TE-1.1,Statement,3,57,,"The organization identifies how cybersecurity will support emerging technologies that support business needs (e.g., cloud, mobile, IoT, IIoT, etc.) by integrating cybersecurity considerations into the lifecycle of new technologies from their inception." +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1.2,GV.TE-1.2,Statement,3,58,,The organization applies its cyber risk management framework to all technology projects. +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-2.1,GV.TE-2.1,Statement,3,59,,"The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-1.1,ID.AM-1.1,Statement,3,60,,"The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-2.1,ID.AM-2.1,Statement,3,61,,The organization maintains a current and complete inventory of software platforms and business applications. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.1,ID.AM-3.1,Statement,3,62,,"The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. " +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.2,ID.AM-3.2,Statement,3,63,,"The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.3,ID.AM-3.3,Statement,3,64,,"The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-4.1,ID.AM-4.1,Statement,3,65,,The organization maintains an inventory of external information systems. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5.1,ID.AM-5.1,Statement,3,66,,"The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). " +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5.2,ID.AM-5.2,Statement,3,67,,"The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-6.1,ID.AM-6.1,Statement,3,68,,"Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-1.1,ID.RA-1.1,Statement,3,69,,"The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-2.1,ID.RA-2.1,Statement,3,70,,"The organization participates actively (in geopolitical alignment with its business operations) in applicable information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats and early warning indicators relating to cyber threats. " +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.1,ID.RA-3.1,Statement,3,71,,"The organization identifies, documents, and analyzes threats that are internal and external to the firm." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.2,ID.RA-3.2,Statement,3,72,,"The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. " +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.3,ID.RA-3.3,Statement,3,73,,The organization regularly reviews and updates results of its cyber threat analysis. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-4.1,ID.RA-4.1,Statement,3,74,,The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.1,ID.RA-5.1,Statement,3,75,,"Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.2,ID.RA-5.2,Statement,3,76,,"The organization considers threat intelligence received from the organization's participants, service and utility providers and other industry organizations." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.3,ID.RA-5.3,Statement,3,77,,"The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.4,ID.RA-5.4,Statement,3,78,,"The organization's business units assess, on an ongoing basis, the cyber risks associated with the activities of the business unit." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.5,ID.RA-5.5,Statement,3,79,,The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.6,ID.RA-5.6,Statement,3,80,,The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6.1,ID.RA-6.1,Statement,3,81,,"The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk." +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6.2,ID.RA-6.2,Statement,3,82,,Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.1,PR.AC-1.1,Statement,3,83,,Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.2,PR.AC-1.2,Statement,3,84,,User access authorization is limited to individuals who are appropriately trained and monitored. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.3,PR.AC-1.3,Statement,3,85,,"Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, revocation of credentials for users who change roles or leave the organization, etc.)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-2.1,PR.AC-2.1,Statement,3,86,,"The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3.1,PR.AC-3.1,Statement,3,87,,Remote access is actively managed and restricted to necessary systems. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3.2,PR.AC-3.2,Statement,3,88,,"The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.1,PR.AC-4.1,Statement,3,89,,The organization limits access privileges to the minimum necessary. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.2,PR.AC-4.2,Statement,3,90,,The organization institutes strong controls over privileged system access by strictly limiting and closely supervising staff with elevated system access entitlements. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.3,PR.AC-4.3,Statement,3,91,,"The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5.1,PR.AC-5.1,Statement,3,92,,Networks and systems are segmented to maintain appropriate security. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5.2,PR.AC-5.2,Statement,3,93,,"The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-6.1,PR.AC-6.1,Statement,3,94,,The organization authenticates identity and validates the authorization level of a user before granting access to its systems. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7.1,PR.AC-7.1,Statement,3,95,,"The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on: +(1) The type of data being accessed (e.g., customer PII, public data); +(2) The risk of the transaction (e.g., internal-to-internal, external-to-internal); +(3) The organization's level of trust for the accessing agent (e.g., external application, internal user); and +(4) The potential for harm." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7.2,PR.AC-7.2,Statement,3,96,,"Based on the risk level of a given transaction, the organization has defined and implemented authentication requirements, such as including implementing multi-factor, out-of-band authentication for high risk transactions." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.1,PR.AT-1.1,Statement,3,97,,"All personnel (full-time or part-time; permanent, temporary or contract) receive periodic cybersecurity awareness training, as permitted by law." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.2,PR.AT-1.2,Statement,3,98,,"Cybersecurity awareness training includes at a minimum appropriate awareness of and competencies for data protection, detecting and addressing cyber risks, and how to report any unusual activity or incidents. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.3,PR.AT-1.3,Statement,3,99,,Cybersecurity awareness training is updated on a regular basis to reflect risks identified by the organization in its risk assessment. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.1,PR.AT-2.1,Statement,3,100,,"High-risk groups, such as those with privileged system access or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.2,PR.AT-2.2,Statement,3,101,,"Cybersecurity personnel receive training appropriate for their roles and responsibilities in cybersecurity, including situational awareness training sufficient to maintain current knowledge of cyber threats and countermeasures. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.3,PR.AT-2.3,Statement,3,102,,A mechanism is in place to verify that key cybersecurity personnel maintain current knowledge of changing cyber threats and countermeasures. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.1,PR.AT-3.1,Statement,3,103,,"The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of their role in cybersecurity, as appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.2,PR.AT-3.2,Statement,3,104,,Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.3,PR.AT-3.3,Statement,3,105,,Cybersecurity training covers topics designed to minimize risks to or from interconnected parties. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4.1,PR.AT-4.1,Statement,3,106,,"The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: +(1) Evaluate and manage cyber risks; +(2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and +(3) Lead by example." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4.2,PR.AT-4.2,Statement,3,107,,"Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-5.1,PR.AT-5.1,Statement,3,108,,The individuals who fulfill the organization’s physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1.1,PR.DS-1.1,Statement,3,109,,Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1.2,PR.DS-1.2,Statement,3,110,,"Controls for data-at-rest include, but are not be restricted to, appropriate encryption, authentication and access control. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2.1,PR.DS-2.1,Statement,3,111,,Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2.2,PR.DS-2.2,Statement,3,112,,"Controls for data-in-transit include, but are not be restricted to, appropriate encryption, authentication and access control. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-3.1,PR.DS-3.1,Statement,3,113,,"The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-4.1,PR.DS-4.1,Statement,3,114,,"The organization maintains appropriate system and network availability, consistent with business requirements and risk assessment." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-5.1,PR.DS-5.1,Statement,3,115,,The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-6.1,PR.DS-6.1,Statement,3,116,,"The organization uses integrity checking mechanisms to verify software, firmware and information integrity, as practicable. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-7.1,PR.DS-7.1,Statement,3,117,,"The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-8.1,PR.DS-8.1,Statement,3,118,,"The organization uses integrity checking mechanisms to verify hardware integrity, as practicable." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.1,PR.IP-1.1,Statement,3,119,,The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.2,PR.IP-1.2,Statement,3,120,,"The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.3,PR.IP-1.3,Statement,3,121,,The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.1,PR.IP-2.1,Statement,3,122,,The organization implements a process for Secure System Development Lifecycle for in-house software design and development. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.2,PR.IP-2.2,Statement,3,123,,"The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.3,PR.IP-2.3,Statement,3,124,,The organization assesses the cyber risks of software prior to deployment. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-3.1,PR.IP-3.1,Statement,3,125,,"The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.1,PR.IP-4.1,Statement,3,126,,"The organization designs and tests its systems and processes to enable recovery of accurate data (e.g., material financial transactions) sufficient to support normal operations and obligations following a cybersecurity incident. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.2,PR.IP-4.2,Statement,3,127,,The organization conducts and maintains backups of information and periodically conduct tests of backups to business assets (including full system recovery) to achieve cyber resilience. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.3,PR.IP-4.3,Statement,3,128,,"The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.4,PR.IP-4.4,Statement,3,129,,Recovery point objectives to support data integrity efforts are consistent with the organization's resumption time objective for critical operations. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-5.1,PR.IP-5.1,Statement,3,130,,Physical and environmental security policies are implemented and managed. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-6.1,PR.IP-6.1,Statement,3,131,,"Data is maintained, stored, retained and destroyed according to the organization's data retention policy." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-7.1,PR.IP-7.1,Statement,3,132,,A formal process is in place to improve protection processes by integrating lessons learned and responding to changes in the organization's environment. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-8.1,PR.IP-8.1,Statement,3,133,,The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9.1,PR.IP-9.1,Statement,3,134,,"The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9.2,PR.IP-9.2,Statement,3,135,,The organization defines objectives for resumption of critical operations. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.1,PR.IP-10.1,Statement,3,136,,"The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive) that could affect the organization's ability to service clients." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.2,PR.IP-10.2,Statement,3,137,,The organization's testing program validates the effectiveness of its cyber resilience framework on a regular basis. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.3,PR.IP-10.3,Statement,3,138,,"The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.4,PR.IP-10.4,Statement,3,139,,"The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. " +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.1,PR.IP-11.1,Statement,3,140,,"The organization conducts background/screening checks on all new employees, as permitted by law." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.2,PR.IP-11.2,Statement,3,141,,"The organization conducts background/screening checks on all staff at regular intervals throughout their employment, commensurate with staff’s access to critical systems or a change in role, as permitted by law." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.3,PR.IP-11.3,Statement,3,142,,"The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.1,PR.IP-12.1,Statement,3,143,,"The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.2,PR.IP-12.2,Statement,3,144,,The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.3,PR.IP-12.3,Statement,3,145,,The organization has a formal exception management process for vulnerabilities that cannot be mitigated due to business-related exceptions. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.4,PR.IP-12.4,Statement,3,146,,"The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-1.1,PR.MA-1.1,Statement,3,147,,"Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-2.1,PR.MA-2.1,Statement,3,148,,"Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1.1,PR.PT-1.1,Statement,3,149,,The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1.2,PR.PT-1.2,Statement,3,150,,The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-2.1,PR.PT-2.1,Statement,3,151,,The organization's removable media and mobile devices are protected and use is restricted according to policy. +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-3.1,PR.PT-3.1,Statement,3,152,,The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-4.1,PR.PT-4.1,Statement,3,153,,"The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.)." +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-5.1,PR.PT-5.1,Statement,3,154,,"The organization implements mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-1.1,DE.AE-1.1,Statement,3,155,,"The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. " +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-2.1,DE.AE-2.1,Statement,3,156,,"The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to: +(1) Assess and understand the nature, scope and method of the attack; +(2) Predict and block a similar future attack; and +(3) Report timely risk metrics." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3.1,DE.AE-3.1,Statement,3,157,,"The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3.2,DE.AE-3.2,Statement,3,158,,"The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prevent multifaceted cyber attacks." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-4.1,DE.AE-4.1,Statement,3,159,,"The organization has a documented process in place to analyze the impact of a material cybersecurity incident (including the financial impact) on the organization as well as across the financial sector, as appropriate, per organization's size, scope, and complexity and its role in the financial sector." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-5.1,DE.AE-5.1,Statement,3,160,,"The organization establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.1,DE.CM-1.1,Statement,3,161,,The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.2,DE.CM-1.2,Statement,3,162,,"The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data)." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.3,DE.CM-1.3,Statement,3,163,,The organization deploys an intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.4,DE.CM-1.4,Statement,3,164,,"The organization implements mechanisms, such as alerting and filtering sudden high volume and suspicious incoming traffic, to prevent (Distributed) Denial of Services (DoS/DDoS) attacks." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-2.1,DE.CM-2.1,Statement,3,165,,"The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.1,DE.CM-3.1,Statement,3,166,,"The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.2,DE.CM-3.2,Statement,3,167,,"The organization performs logging and reviewing of the systems activities of privileged users, and monitoring for anomalies is implemented." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.3,DE.CM-3.3,Statement,3,168,,"The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. " +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4.1,DE.CM-4.1,Statement,3,169,,The organization implements and manages appropriate tools to detect and block malware from infecting networks and systems. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4.2,DE.CM-4.2,Statement,3,170,,"The organization implements email protection mechanisms to automatically scan, detect, and protect from any attached malware or malicious links present in the email." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-5.1,DE.CM-5.1,Statement,3,171,,"The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.)." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.1,DE.CM-6.1,Statement,3,172,,The organization authorizes and monitors all third-party connections. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.2,DE.CM-6.2,Statement,3,173,,The organization collaborates with third-party service providers to maintain and improve the security of external connections. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.3,DE.CM-6.3,Statement,3,174,,The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.1,DE.CM-7.1,Statement,3,175,,The organization implements appropriate controls to prevent use of unsupported and unauthorized software. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.2,DE.CM-7.2,Statement,3,176,,"The organization has policies, procedures and adequate tools in place to monitor, detect, and block access from/to devices, connections, and data transfers." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.3,DE.CM-7.3,Statement,3,177,,"The organization sets up automatic and real-time alerts when an unauthorized software, hardware or configuration change occurs." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.4,DE.CM-7.4,Statement,3,178,,The organization implements web-filtering tools and technology to block access to inappropriate or malicious websites. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8.1,DE.CM-8.1,Statement,3,179,,"The organization conducts periodic vulnerability scanning, including automated scanning across all environments to identify potential system vulnerabilities, including publicly known vulnerabilities, upgrade opportunities, and new defense layers." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8.2,DE.CM-8.2,Statement,3,180,,"The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. 
" +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-1.1,DE.DP-1.1,Statement,3,181,,The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-2.1,DE.DP-2.1,Statement,3,182,,The organization's monitoring and detection processes comply with all applicable requirements. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-3.1,DE.DP-3.1,Statement,3,183,,The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4.1,DE.DP-4.1,Statement,3,184,,"The organization has established processes and protocols to communicate, alert and periodically report detected potential cyber attacks and incident information including its corresponding analysis and cyber threat intelligence to internal and external stakeholders." +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4.2,DE.DP-4.2,Statement,3,185,,The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders. +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-5.1,DE.DP-5.1,Statement,3,186,,"The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp-1.1,RS.RP-1.1,Statement,3,187,,The organization's response plans are in place and executed during or after an incident. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.1,RS.CO-1.1,Statement,3,188,,"The organization's incident response plan contains clearly defined roles, responsibilities and levels of decision-making authority." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.2,RS.CO-1.2,Statement,3,189,,"The organization ensures cyber threat intelligence is made available to appropriate staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.3,RS.CO-1.3,Statement,3,190,,The organization's personnel know their roles and responsibilities and order of operations when a response is needed. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.1,RS.CO-2.1,Statement,3,191,,The organization's incident response plan describes how to appropriately document and report cyber events and related incident response activities. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.2,RS.CO-2.2,Statement,3,192,,"In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.3,RS.CO-2.3,Statement,3,193,,"The organization's incident response program includes effective escalation protocols linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's appropriate governing authority and senior management), and how information provided to the organization will be acted upon." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.4,RS.CO-2.4,Statement,3,194,,The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3.1,RS.CO-3.1,Statement,3,195,,Information is shared consistent with response plans. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3.2,RS.CO-3.2,Statement,3,196,,"In the event of a cybersecurity incident, the organization shares information in an appropriate manner that could facilitate the detection, response, resumption and recovery of its own systems and those of other financial sector participants through trusted channels." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-4.1,RS.CO-4.1,Statement,3,197,,The organization has a plan to coordinate and communicate with internal and external stakeholders during or following a cyber attack as appropriate. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.1,RS.CO-5.1,Statement,3,198,,The organization actively participates in multilateral information-sharing arrangements to facilitate a sector-wide response to large-scale incidents. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.2,RS.CO-5.2,Statement,3,199,,The organization shares information on its cyber resilience framework bilaterally with trusted external stakeholders to promote understanding of each other’s approach to securing systems that are linked or interfaced. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.3,RS.CO-5.3,Statement,3,200,,The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-1.1,RS.AN-1.1,Statement,3,201,,"Tools and processes are in place to ensure timely detection, alert, and activation of the incident response program." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2.1,RS.AN-2.1,Statement,3,202,,The organization uses cyber-attack scenarios to determine potential impact to critical business processes. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2.2,RS.AN-2.2,Statement,3,203,,"The organization performs a thorough investigation to determine the nature of a cyber event, its extent, and the damage inflicted." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-3.1,RS.AN-3.1,Statement,3,204,,The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-4.1,RS.AN-4.1,Statement,3,205,,The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems to the enterprise. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.1,RS.AN-5.1,Statement,3,206,,"The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: +(1) Public sources (e.g., security researchers); +(2) Vulnerability sharing forums (e.g., FS-ISAC); and +(3) Third-parties (e.g., cloud vendors); +(4) Internal sources (e.g., development teams)." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.2,RS.AN-5.2,Statement,3,207,,"The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on: +(1) Determining its validity; +(2) Aassessing its scope (e.g., affected assets); +(3) Determining it's severity and impact; +(4) Identifying affected stakeholders or customers; and +(5) Analyzing options to respond." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.3,RS.AN-5.3,Statement,3,208,,"The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1.1,RS.MI-1.1,Statement,3,209,,The organization contains cybersecurity incidents in a timely manner. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1.2,RS.MI-1.2,Statement,3,210,,"The organization's procedures include containment strategies and notifying potentially impacted third-parties, as appropriate." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-2.1,RS.MI-2.1,Statement,3,211,,The organization mitigates cybersecurity incidents in a timely manner. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3.1,RS.MI-3.1,Statement,3,212,,The organization's incident response plan identifies requirements for the remediation of any identified weaknesses in systems and associated controls. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3.2,RS.MI-3.2,Statement,3,213,,Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.1,RS.IM-1.1,Statement,3,214,,"The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event." +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.2,RS.IM-1.2,Statement,3,215,,The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.3,RS.IM-1.3,Statement,3,216,,The organization's cyber resilience and incident response programs have processes in place to incorporate lessons learned from cyber events that have occurred within and outside the organization. +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-2.1,RS.IM-2.1,Statement,3,217,,"The organization periodically reviews response strategy and exercises and updates them as necessary, based on: +(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization); +(2) Current cyber threat intelligence (both internal and external sources); +(3) Recent and wide-scale cyber attack scenarios; +(4) Operationally and technically plausible future cyber attacks; and +(5) New technological developments." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.1,RC.RP-1.1,Statement,3,218,,"The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.2,RC.RP-1.2,Statement,3,219,,"Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.3,RC.RP-1.3,Statement,3,220,,The recovery plan includes a minimum recovery time for the sector critical systems. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.4,RC.RP-1.4,Statement,3,221,,The recovery plan includes recovery of clearing and settlement activities after a wide-scale disruption with the overall goal of completing material pending transactions on the scheduled settlement date. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.5,RC.RP-1.5,Statement,3,222,,"The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.6,RC.RP-1.6,Statement,3,223,,"The recovery plan includes plans to come back for both traditional and highly available (e.g., cloud) infrastructure." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-1.1,RC.IM-1.1,Statement,3,224,,"The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: +(1) cybersecurity incidents that have occurred within the organization; +(2) Cybersecurity assessments and testing performed internally; and +(3) Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-2.1,RC.IM-2.1,Statement,3,225,,"The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on: +(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization); +(2) Current cyber threat intelligence (both internal and external sources); +(3) Recent and wide-scale cyber attack scenarios; +(4) Operationally and technically plausible future cyber attacks; and +(5) New technological developments." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1.1,RC.CO-1.1,Statement,3,226,,"The organization's governing body (e.g., the Board or one of its committees) ensures that a communication plan exists to notify internal and external stakeholders about an incident, as appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1.2,RC.CO-1.2,Statement,3,227,,"The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-2.1,RC.CO-2.1,Statement,3,228,,Actionable and effective mitigation techniques are taken and communicated appropriately to restore and improve the organization's reputation after an incident. +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-3.1,RC.CO-3.1,Statement,3,229,,"The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the appropriate governing body (e.g., the Board or one of its committees), senior management and relevant internal stakeholders." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.1,DM.ID-1.1,Statement,3,230,,The organization has integrated its internal dependency management strategy into the overall strategic risk management plan. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.2,DM.ID-1.2,Statement,3,231,,The organization monitors the effectiveness of its internal dependency management strategy. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.3,DM.ID-1.3,Statement,3,232,,The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.4,DM.ID-1.4,Statement,3,233,,The organization has established and applies appropriate controls to address the inherent risk of internal dependencies. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-2.1,DM.ID-2.1,Statement,3,234,,Roles and responsibilities for internal dependency management are defined and assigned. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.1,DM.ED-1.1,Statement,3,235,,The organization has integrated its external dependency management strategy into the overall cyber risk management plan. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.2,DM.ED-1.2,Statement,3,236,,The organization monitors the effectiveness of its external dependency management strategy to reduce cyber risks associated with external dependencies. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.3,DM.ED-1.3,Statement,3,237,,The organization ensures appropriate oversight and compliance with the external dependency strategy implementation. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.1,DM.ED-2.1,Statement,3,238,,"The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.2,DM.ED-2.2,Statement,3,239,,"The organization's dependency management policies, plans, and procedures are regularly updated." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.3,DM.ED-2.3,Statement,3,240,,"The organization's dependency management policies, plans, and procedures have been reviewed and approved by appropriate organizational stakeholders." 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.4,DM.ED-2.4,Statement,3,241,,Dependency management processes may allow the organization to the adopt security program(s) of its affiliate(s) as long as such program provides an appropriate level of control and assurance. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.5,DM.ED-2.5,Statement,3,242,,"The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3.1,DM.ED-3.1,Statement,3,243,,Roles and responsibilities for external dependency management are defined and assigned. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3.2,DM.ED-3.2,Statement,3,244,,Responsibilities for ongoing independent oversight (external) of third-party access are defined and assigned. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.1,DM.ED-4.1,Statement,3,245,,"The organization ensures that cyber risks associated with external dependencies are consistent with cyber risk appetite approved by an appropriate governing body (e.g., the Board or one of its committees)." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.2,DM.ED-4.2,Statement,3,246,,"The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.3,DM.ED-4.3,Statement,3,247,,"The organization conducts a risk assessment to define appropriate controls to address the cyber risk presented by each external partner, implements these controls, and monitors their status throughout the lifecycle of partner relationships." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.4,DM.ED-4.4,Statement,3,248,,The organization has a documented third-party termination/exit strategy to include procedures for timely removal of the third-party access when no longer required. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.5,DM.ED-4.5,Statement,3,249,,"The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.1,DM.ED-5.1,Statement,3,250,,The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.2,DM.ED-5.2,Statement,3,251,,"The organization maintains a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.3,DM.ED-5.3,Statement,3,252,,"The organization has prioritized functions, activities, products, and services provided by external dependencies based on criticality." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.4,DM.ED-5.4,Statement,3,253,,"The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.1,DM.ED-6.1,Statement,3,254,,"The organization has documented minimum cybersecurity requirements for critical third-parties that, at a minimum, meet cybersecurity practices of the organization." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.2,DM.ED-6.2,Statement,3,255,,The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.3,DM.ED-6.3,Statement,3,256,,Minimum cybersecurity requirements for third-parties include how the organization will monitor security of its external dependencies to ensure that requirements are continually satisfied. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.4,DM.ED-6.4,Statement,3,257,,Minimum cybersecurity requirements for third-parties include consideration of whether the third-party is responsible for the security of the organization's confidential data and of geographic limits on where data can be stored and transmitted. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.5,DM.ED-6.5,Statement,3,258,,"Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including: +1) Joint maintenance of contingency plans; +2) Responsibilities for responding to cybersecurity incident; +3) Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and +4) Incorporating potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.6,DM.ED-6.6,Statement,3,259,,Minimum cybersecurity requirements for third-parties identify conditions of and the recourse available to the organization should the third-party fail to meet their cybersecurity requirements. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.7,DM.ED-6.7,Statement,3,260,,"Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, including return or destruction of data during cloud or virtualization use and upon relationship termination." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.1,DM.ED-7.1,Statement,3,261,,The organization has a formal program for third-party due diligence and monitoring. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.2,DM.ED-7.2,Statement,3,262,,The organization conducts regular third-party reviews for critical vendors to validate that appropriate security controls have been implemented. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.3,DM.ED-7.3,Statement,3,263,,"A process is in place to confirm that the organization's third-party service providers conduct due diligence of their own third-parties (e.g., subcontractors)." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.4,DM.ED-7.4,Statement,3,264,,A process is in place to confirm that the organization's third-party service providers conduct periodic resiliency testing or justify why it is not needed. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.1,DM.RS-1.1,Statement,3,265,,"The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.2,DM.RS-1.2,Statement,3,266,,The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial sector. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.3,DM.RS-1.3,Statement,3,267,,"The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). " +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.1,DM.RS-2.1,Statement,3,268,,"The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. 
" +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.2,DM.RS-2.2,Statement,3,269,,"The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on multiple elements of interconnected critical infrastructure, such as energy and telecommunications. " +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.3,DM.RS-2.3,Statement,3,270,,"The organization designs and tests its cyber resilience plans, and exercises to support financial sector's sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. " +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.4,DM.RS-2.4,Statement,3,271,,The organization periodically identifies and tests alternative solutions in case an external partner fails to perform as expected. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.5,DM.RS-2.5,Statement,3,272,,"When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1.1,DM.BE-1.1,Statement,3,273,,The cyber risk strategy identifies and communicates the organization's role as it relates to other critical infrastructures and as a component of the financial services sector. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1.2,DM.BE-1.2,Statement,3,274,,A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon. 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2.1,DM.BE-2.1,Statement,3,275,,The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2.2,DM.BE-2.2,Statement,3,276,,"The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector." +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-3.1,DM.BE-3.1,Statement,3,277,,"Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1,D1,Domain,0,1,Cyber Risk Management & Oversight, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2,D2,Domain,0,2,Threat Intelligence & Collaboration, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3,D3,Domain,0,3,Cybersecurity Controls, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4,D4,Domain,0,4,External Dependency Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5,D5,Domain,0,5,Cyber Incident Management and Resilience, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g,D1.G,Factor,1,1,Governance, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm,D1.RM,Factor,1,2,Risk Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r,D1.R,Factor,1,3,Resources, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc,D1.TC,Factor,1,4,Training & Culture, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti,D2.TI,Factor,1,5,Threat Intelligence, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma,D2.MA,Factor,1,6,Monitoring & Analyzing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is,D2.IS,Factor,1,7,Information Sharing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc,D3.PC,Factor,1,8,Preventative Controls, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc,D3.DC,Factor,1,9,Detective Controls, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc,D3.CC,Factor,1,10,Corrective Controls, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c,D4.C,Factor,1,11,Connections, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm,D4.RM,Factor,1,12,Relationship Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir,D5.IR,Factor,1,13,Incident Resilience Planning and Strategy, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr,D5.DR,Factor,1,14,"Detection, Response, and Mitigation", +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er,D5.ER,Factor,1,15,Escalation and Reporting, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov,D1.G.Ov,Component,2,1,Oversight, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp,D1.G.SP,Component,2,2,Strategy / Policies, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it,D1.G.IT,Component,2,3,IT Asset Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp,D1.RM.RMP,Component,2,4,Risk Management Program, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra,D1.RM.RA,Component,2,5,Risk Assessment, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au,D1.RM.Au,Component,2,6,Audit, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st,D1.R.St,Component,2,7,Staffing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr,D1.TC.Tr,Component,2,8,Training, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu,D1.TC.Cu,Component,2,9,Culture, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti,D2.TI.Ti,Component,2,10,Threat Intelligence and Information, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma,D2.MA.Ma,Component,2,11,Monitoring and Analyzing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is,D2.IS.Is,Component,2,12,Information Sharing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im,D3.PC.Im,Component,2,13,Infrastructure Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am,D3.PC.Am,Component,2,14,Access and Data Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de,D3.PC.De,Component,2,15,Device / End-Point Security, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se,D3.PC.Se,Component,2,16,Secure Coding, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th,D3.DC.Th,Component,2,17,Threat and Vulnerability Detection, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an,D3.DC.An,Component,2,18,Anomalous Activity Detection, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev,D3.DC.Ev,Component,2,19,Event Detection, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa,D3.CC.Pa,Component,2,20,Patch Management, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re,D3.CC.Re,Component,2,21,Remediation, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co,D4.C.Co,Component,2,22,Connections, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd,D4.RM.Dd,Component,2,23,Due Diligence, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co,D4.RM.Co,Component,2,24,Contracts, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om,D4.RM.Om,Component,2,25,Ongoing Monitoring, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl,D5.IR.Pl,Component,2,26,Planning, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te,D5.IR.Te,Component,2,27,Testing, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de,D5.DR.De,Component,2,28,Detection, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re,D5.DR.Re,Component,2,29,Response and Mitigation, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es,D5.ER.Es,Component,2,30,Escalation and Reporting, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b,D1.G.Ov.B,Maturity Level,3,1,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e,D1.G.Ov.E,Maturity Level,3,2,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int,D1.G.Ov.Int,Maturity Level,3,3,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a,D1.G.Ov.A,Maturity Level,3,4,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn,D1.G.Ov.Inn,Maturity Level,3,5,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b,D1.G.SP.B,Maturity Level,3,6,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e,D1.G.SP.E,Maturity Level,3,7,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int,D1.G.SP.Int,Maturity Level,3,8,Intermediate, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a,D1.G.SP.A,Maturity Level,3,9,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.inn,D1.G.SP.Inn,Maturity Level,3,10,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b,D1.G.IT.B,Maturity Level,3,11,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e,D1.G.IT.E,Maturity Level,3,12,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int,D1.G.IT.Int,Maturity Level,3,13,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a,D1.G.IT.A,Maturity Level,3,14,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn,D1.G.IT.Inn,Maturity Level,3,15,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.b,D1.RM.RMP.B,Maturity Level,3,16,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e,D1.RM.RMP.E,Maturity Level,3,17,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int,D1.RM.RMP.Int,Maturity Level,3,18,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a,D1.RM.RMP.A,Maturity Level,3,19,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn,D1.RM.RMP.Inn,Maturity Level,3,20,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b,D1.RM.RA.B,Maturity Level,3,21,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e,D1.RM.RA.E,Maturity Level,3,22,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.int,D1.RM.RA.Int,Maturity Level,3,23,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.a,D1.RM.RA.A,Maturity Level,3,24,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn,D1.RM.RA.Inn,Maturity Level,3,25,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b,D1.RM.Au.B,Maturity Level,3,26,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e,D1.RM.Au.E,Maturity Level,3,27,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int,D1.RM.Au.Int,Maturity Level,3,28,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a,D1.RM.Au.A,Maturity Level,3,29,Advanced, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn,D1.RM.Au.Inn,Maturity Level,3,30,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b,D1.R.St.B,Maturity Level,3,31,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e,D1.R.St.E,Maturity Level,3,32,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.int,D1.R.St.Int,Maturity Level,3,33,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a,D1.R.St.A,Maturity Level,3,34,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.inn,D1.R.St.Inn,Maturity Level,3,35,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b,D1.TC.Tr.B,Maturity Level,3,36,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e,D1.TC.Tr.E,Maturity Level,3,37,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int,D1.TC.Tr.Int,Maturity Level,3,38,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.a,D1.TC.Tr.A,Maturity Level,3,39,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.inn,D1.TC.Tr.Inn,Maturity Level,3,40,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.b,D1.TC.Cu.B,Maturity Level,3,41,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e,D1.TC.Cu.E,Maturity Level,3,42,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int,D1.TC.Cu.Int,Maturity Level,3,43,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.a,D1.TC.Cu.A,Maturity Level,3,44,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.inn,D1.TC.Cu.Inn,Maturity Level,3,45,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b,D2.TI.Ti.B,Maturity Level,3,46,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.e,D2.TI.Ti.E,Maturity Level,3,47,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int,D2.TI.Ti.Int,Maturity Level,3,48,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a,D2.TI.Ti.A,Maturity Level,3,49,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn,D2.TI.Ti.Inn,Maturity Level,3,50,Innovative, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b,D2.MA.Ma.B,Maturity Level,3,51,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e,D2.MA.Ma.E,Maturity Level,3,52,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int,D2.MA.Ma.Int,Maturity Level,3,53,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a,D2.MA.Ma.A,Maturity Level,3,54,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn,D2.MA.Ma.Inn,Maturity Level,3,55,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b,D2.IS.Is.B,Maturity Level,3,56,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e,D2.IS.Is.E,Maturity Level,3,57,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int,D2.IS.Is.Int,Maturity Level,3,58,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a,D2.IS.Is.A,Maturity Level,3,59,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn,D2.IS.Is.Inn,Maturity Level,3,60,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b,D3.PC.Im.B,Maturity Level,3,61,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e,D3.PC.Im.E,Maturity Level,3,62,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int,D3.PC.Im.Int,Maturity Level,3,63,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a,D3.PC.Im.A,Maturity Level,3,64,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn,D3.PC.Im.Inn,Maturity Level,3,65,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b,D3.PC.Am.B,Maturity Level,3,66,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e,D3.PC.Am.E,Maturity Level,3,67,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int,D3.PC.Am.Int,Maturity Level,3,68,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a,D3.PC.Am.A,Maturity Level,3,69,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn,D3.PC.Am.Inn,Maturity Level,3,70,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.b,D3.PC.De.B,Maturity Level,3,71,Baseline, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e,D3.PC.De.E,Maturity Level,3,72,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int,D3.PC.De.Int,Maturity Level,3,73,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a,D3.PC.De.A,Maturity Level,3,74,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.inn,D3.PC.De.Inn,Maturity Level,3,75,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b,D3.PC.Se.B,Maturity Level,3,76,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.e,D3.PC.Se.E,Maturity Level,3,77,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int,D3.PC.Se.Int,Maturity Level,3,78,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a,D3.PC.Se.A,Maturity Level,3,79,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.inn,D3.PC.Se.Inn,Maturity Level,3,80,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b,D3.DC.Th.B,Maturity Level,3,81,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e,D3.DC.Th.E,Maturity Level,3,82,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int,D3.DC.Th.Int,Maturity Level,3,83,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a,D3.DC.Th.A,Maturity Level,3,84,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn,D3.DC.Th.Inn,Maturity Level,3,85,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b,D3.DC.An.B,Maturity Level,3,86,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e,D3.DC.An.E,Maturity Level,3,87,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int,D3.DC.An.Int,Maturity Level,3,88,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a,D3.DC.An.A,Maturity Level,3,89,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn,D3.DC.An.Inn,Maturity Level,3,90,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b,D3.DC.Ev.B,Maturity Level,3,91,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.e,D3.DC.Ev.E,Maturity Level,3,92,Evolving, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int,D3.DC.Ev.Int,Maturity Level,3,93,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a,D3.DC.Ev.A,Maturity Level,3,94,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn,D3.DC.Ev.Inn,Maturity Level,3,95,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b,D3.CC.Pa.B,Maturity Level,3,96,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e,D3.CC.Pa.E,Maturity Level,3,97,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.int,D3.CC.Pa.Int,Maturity Level,3,98,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a,D3.CC.Pa.A,Maturity Level,3,99,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn,D3.CC.Pa.Inn,Maturity Level,3,100,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.b,D3.CC.Re.B,Maturity Level,3,101,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e,D3.CC.Re.E,Maturity Level,3,102,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int,D3.CC.Re.Int,Maturity Level,3,103,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.a,D3.CC.Re.A,Maturity Level,3,104,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.inn,D3.CC.Re.Inn,Maturity Level,3,105,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b,D4.C.Co.B,Maturity Level,3,106,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e,D4.C.Co.E,Maturity Level,3,107,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int,D4.C.Co.Int,Maturity Level,3,108,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a,D4.C.Co.A,Maturity Level,3,109,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn,D4.C.Co.Inn,Maturity Level,3,110,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b,D4.RM.Dd.B,Maturity Level,3,111,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e,D4.RM.Dd.E,Maturity Level,3,112,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int,D4.RM.Dd.Int,Maturity Level,3,113,Intermediate, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a,D4.RM.Dd.A,Maturity Level,3,114,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn,D4.RM.Dd.Inn,Maturity Level,3,115,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b,D4.RM.Co.B,Maturity Level,3,116,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e,D4.RM.Co.E,Maturity Level,3,117,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.int,D4.RM.Co.Int,Maturity Level,3,118,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a,D4.RM.Co.A,Maturity Level,3,119,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.inn,D4.RM.Co.Inn,Maturity Level,3,120,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b,D4.RM.Om.B,Maturity Level,3,121,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e,D4.RM.Om.E,Maturity Level,3,122,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int,D4.RM.Om.Int,Maturity Level,3,123,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.a,D4.RM.Om.A,Maturity Level,3,124,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.inn,D4.RM.Om.Inn,Maturity Level,3,125,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b,D5.IR.Pl.B,Maturity Level,3,126,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e,D5.IR.Pl.E,Maturity Level,3,127,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int,D5.IR.Pl.Int,Maturity Level,3,128,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a,D5.IR.Pl.A,Maturity Level,3,129,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn,D5.IR.Pl.Inn,Maturity Level,3,130,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b,D5.IR.Te.B,Maturity Level,3,131,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e,D5.IR.Te.E,Maturity Level,3,132,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int,D5.IR.Te.Int,Maturity Level,3,133,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a,D5.IR.Te.A,Maturity Level,3,134,Advanced, 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn,D5.IR.Te.Inn,Maturity Level,3,135,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b,D5.DR.De.B,Maturity Level,3,136,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.e,D5.DR.De.E,Maturity Level,3,137,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int,D5.DR.De.Int,Maturity Level,3,138,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a,D5.DR.De.A,Maturity Level,3,139,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.inn,D5.DR.De.Inn,Maturity Level,3,140,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.b,D5.DR.Re.B,Maturity Level,3,141,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e,D5.DR.Re.E,Maturity Level,3,142,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int,D5.DR.Re.Int,Maturity Level,3,143,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a,D5.DR.Re.A,Maturity Level,3,144,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn,D5.DR.Re.Inn,Maturity Level,3,145,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b,D5.ER.Es.B,Maturity Level,3,146,Baseline, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e,D5.ER.Es.E,Maturity Level,3,147,Evolving, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int,D5.ER.Es.Int,Maturity Level,3,148,Intermediate, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a,D5.ER.Es.A,Maturity Level,3,149,Advanced, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.inn,D5.ER.Es.Inn,Maturity Level,3,150,Innovative, +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.1,D1.G.Ov.B.1,Statement,4,1,,"Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. 
(FFIEC Information Security Booklet, page 3)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.2,D1.G.Ov.B.2,Statement,4,2,,"Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.3,D1.G.Ov.B.3,Statement,4,3,,"Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.4,D1.G.Ov.B.4,Statement,4,4,,"The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.5,D1.G.Ov.B.5,Statement,4,5,,"Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC Business Continuity Planning Booklet, page J-12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.1,D1.G.Ov.E.1,Statement,4,6,,"At least annually, the board or an appropriate board committee reviews +and approves the institution’s cybersecurity program." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.2,D1.G.Ov.E.2,Statement,4,7,,Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.3,D1.G.Ov.E.3,Statement,4,8,,Cybersecurity tools and staff are requested through the budget process. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.4,D1.G.Ov.E.4,Statement,4,9,,There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the budgeting process. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.1,D1.G.Ov.Int.1,Statement,4,10,,The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.2,D1.G.Ov.Int.2,Statement,4,11,,The standard board meeting package includes reports and metrics that go beyond events and incidents to address threat intelligence trends and the institution’s security posture. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.3,D1.G.Ov.Int.3,Statement,4,12,,The institution has a cyber risk appetite statement approved by the board or an appropriate board committee. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.4,D1.G.Ov.Int.4,Statement,4,13,,Cyber risks that exceed the risk appetite are escalated to management. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.5,D1.G.Ov.Int.5,Statement,4,14,,The board or an appropriate board committee ensures management’s annual cybersecurity self-assessment evaluates the institution’s ability to meet its cyber risk management standards. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.6,D1.G.Ov.Int.6,Statement,4,15,,The board or an appropriate board committee reviews and approves management’s prioritization and resource allocation decisions based on the results of the cyber assessments. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.7,D1.G.Ov.Int.7,Statement,4,16,,The board or an appropriate board committee ensures management takes appropriate actions to address changing cyber risks or significant cybersecurity issues. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.8,D1.G.Ov.Int.8,Statement,4,17,,The budget process for requesting additional cybersecurity staff and tools is integrated into business units’ budget processes. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.1,D1.G.Ov.A.1,Statement,4,18,,The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.2,D1.G.Ov.A.2,Statement,4,19,,Management has a formal process to continuously improve cybersecurity oversight. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.3,D1.G.Ov.A.3,Statement,4,20,,The budget process for requesting additional cybersecurity staff and tools maps current resources and tools to the cybersecurity strategy. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.4,D1.G.Ov.A.4,Statement,4,21,,Management and the board or an appropriate board committee hold business units accountable for effectively managing all cyber risks associated with their activities. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.5,D1.G.Ov.A.5,Statement,4,22,,Management identifies root cause(s) when cyber attacks result in material loss. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.6,D1.G.Ov.A.6,Statement,4,23,,The board or an appropriate board committee ensures that management’s actions consider the cyber risks that the institution poses to the financial sector. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn.1,D1.G.Ov.Inn.1,Statement,4,24,,The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn.2,D1.G.Ov.Inn.2,Statement,4,25,,"The board or an appropriate board committee verifies that management’s actions consider the cyber risks that the institution poses to other critical infrastructures (e.g., telecommunications, energy)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.1,D1.G.SP.B.1,Statement,4,26,,"The institution has an information security strategy that integrates technology, policies, procedures, and training to mitigate risk. 
(FFIEC Information Security Booklet, page 3)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.2,D1.G.SP.B.2,Statement,4,27,,"The institution has policies commensurate with its risk and complexity that address the concepts of information technology risk management. (FFIEC Information Security Booklet, page, 16)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.3,D1.G.SP.B.3,Statement,4,28,,"The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E- Banking Booklet, page 28)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.4,D1.G.SP.B.4,Statement,4,29,,"The institution has board-approved policies commensurate with its risk and complexity that address information security. (FFIEC Information Security Booklet, page 16)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.5,D1.G.SP.B.5,Statement,4,30,,"The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management. (FFIEC Outsourcing Booklet, page 2)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.6,D1.G.SP.B.6,Statement,4,31,,"The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.7,D1.G.SP.B.7,Statement,4,32,,"All elements of the information security program are coordinated enterprise-wide. (FFIEC Information Security Booklet, page 7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.1,D1.G.SP.E.1,Statement,4,33,,The institution augmented its information security strategy to incorporate cybersecurity and resilience. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.2,D1.G.SP.E.2,Statement,4,34,,The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.3,D1.G.SP.E.3,Statement,4,35,,A formal process is in place to update policies as the institution’s inherent risk profile changes. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.1,D1.G.SP.Int.1,Statement,4,36,,The institution has a comprehensive set of policies commensurate with its risk and complexity that address the concepts of threat intelligence. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.2,D1.G.SP.Int.2,Statement,4,37,,Management periodically reviews the cybersecurity strategy to address evolving cyber threats and changes to the institution’s inherent risk profile. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.3,D1.G.SP.Int.3,Statement,4,38,,"The cybersecurity strategy is incorporated into, or conceptually fits within, the institution’s enterprise-wide risk management strategy. " +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.4,D1.G.SP.Int.4,Statement,4,39,,Management links strategic cybersecurity objectives to tactical goals. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.5,D1.G.SP.Int.5,Statement,4,40,,A formal process is in place to cross-reference and simultaneously update all policies related to cyber risks across business lines. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.1,D1.G.SP.A.1,Statement,4,41,,"The cybersecurity strategy outlines the institution’s future state of +cybersecurity with short-term and long-term perspectives." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.2,D1.G.SP.A.2,Statement,4,42,,Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.3,D1.G.SP.A.3,Statement,4,43,,The cybersecurity strategy identifies and communicates the institution’s role as a component of critical infrastructure in the financial services industry. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.4,D1.G.SP.A.4,Statement,4,44,,The risk appetite is informed by the institution’s role in critical infrastructure. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.5,D1.G.SP.A.5,Statement,4,45,,Management is continuously improving the existing cybersecurity program to adapt as the desired cybersecurity target state changes. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.inn.1,D1.G.SP.Inn.1,Statement,4,46,,The cybersecurity strategy identifies and communicates the institution's role as it relates to other critical infrastructures. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.1,D1.G.IT.B.1,Statement,4,47,,"An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. (FFIEC Information Security Booklet, page 9)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.2,D1.G.IT.B.2,Statement,4,48,,"Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value. (FFIEC Information Security Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.3,D1.G.IT.B.3,Statement,4,49,,"Management assigns accountability for maintaining an inventory of organizational assets. (FFIEC Information Security Booklet, page 9)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.4,D1.G.IT.B.4,Statement,4,50,,"A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools. (FFIEC Information Security Booklet, page 56)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.1,D1.G.IT.E.1,Statement,4,51,,"The asset inventory, including identification of critical assets, is updated at least annually to address new, relocated, re-purposed, and sunset assets." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.2,D1.G.IT.E.2,Statement,4,52,,The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.3,D1.G.IT.E.3,Statement,4,53,,"The institution proactively manages system EOL (e.g., replacement) to limit security risks." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.4,D1.G.IT.E.4,Statement,4,54,,Changes are formally approved by an individual or committee with appropriate authority and with separation of duties. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int.1,D1.G.IT.Int.1,Statement,4,55,,"Baseline configurations cannot be altered without a formal change request, documented approval, and an assessment of security implications." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int.2,D1.G.IT.Int.2,Statement,4,56,,"A formal IT change management process requires cybersecurity risk to be evaluated during the analysis, approval, testing, and reporting of changes." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.1,D1.G.IT.A.1,Statement,4,57,,Supply chain risk is reviewed before the acquisition of mission-critical information systems including system components. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.2,D1.G.IT.A.2,Statement,4,58,,"Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.3,D1.G.IT.A.3,Statement,4,59,,Automated processes are in place to detect and block unauthorized changes to software and hardware. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.4,D1.G.IT.A.4,Statement,4,60,,The change management system uses thresholds to determine when a risk assessment of the impact of the change is required. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn.1,D1.G.IT.Inn.1,Statement,4,61,,A formal change management function governs decentralized or highly distributed change requests and identifies and measures security risks that may cause increased exposure to cyber attack. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn.2,D1.G.IT.Inn.2,Statement,4,62,,Comprehensive automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.b.1,D1.RM.RMP.B.1,Statement,4,63,,"An information security and business continuity risk management function(s) exists within the institution. (FFIEC Information Security Booklet, page 68)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.1,D1.RM.RMP.E.1,Statement,4,64,,"The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.2,D1.RM.RMP.E.2,Statement,4,65,,"Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.3,D1.RM.RMP.E.3,Statement,4,66,,Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.1,D1.RM.RMP.Int.1,Statement,4,67,,The cybersecurity function has a clear reporting line that does not present a conflict of interest. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.2,D1.RM.RMP.Int.2,Statement,4,68,,"The risk management program specifically addresses cyber risks beyond the boundaries of the technological impacts (e.g., financial, strategic, regulatory, compliance)." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.3,D1.RM.RMP.Int.3,Statement,4,69,,Benchmarks or target performance metrics have been established for showing improvements or regressions of the security posture over time. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.4,D1.RM.RMP.Int.4,Statement,4,70,,Management uses the results of independent audits and reviews to improve cybersecurity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.5,D1.RM.RMP.Int.5,Statement,4,71,,"There is a process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.1,D1.RM.RMP.A.1,Statement,4,72,,Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.2,D1.RM.RMP.A.2,Statement,4,73,,Independent risk management sets and monitors cyber-related risk limits for business units. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.3,D1.RM.RMP.A.3,Statement,4,74,,Independent risk management staff escalates to management and the board or an appropriate board committee significant discrepancies from business unit’s assessments of cyber-related risk. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.4,D1.RM.RMP.A.4,Statement,4,75,,A process is in place to analyze the financial impact cyber incidents have on the institution’s capital. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.5,D1.RM.RMP.A.5,Statement,4,76,,"The cyber risk data aggregation and real-time reporting capabilities support the institution’s ongoing reporting needs, particularly during cyber incidents." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn.1,D1.RM.RMP.Inn.1,Statement,4,77,,The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors to enable more predictive risk management. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn.2,D1.RM.RMP.Inn.2,Statement,4,78,,A process is in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.1,D1.RM.RA.B.1,Statement,4,79,,"A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. (FFIEC Information Security Booklet, page 8)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.2,D1.RM.RA.B.2,Statement,4,80,,"The risk assessment identifies internet-based systems and high-risk transactions that warrant additional authentication controls. (FFIEC Information Security Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.3,D1.RM.RA.B.3,Statement,4,81,,"The risk assessment is updated to address new technologies, products, services, and connections before deployment. (FFIEC Information Security Booklet, page 13)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.1,D1.RM.RA.E.1,Statement,4,82,,"Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.2,D1.RM.RA.E.2,Statement,4,83,,The focus of the risk assessment has expanded beyond customer information to address all information assets. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.3,D1.RM.RA.E.3,Statement,4,84,,The risk assessment considers the risk of using EOL software and hardware components. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.int.1,D1.RM.RA.Int.1,Statement,4,85,,The risk assessment is adjusted to consider widely known risks or risk management practices. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.a.1,D1.RM.RA.A.1,Statement,4,86,,An enterprise-wide risk management function incorporates cyber threat analysis and specific risk exposure as part of the enterprise risk assessment. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.1,D1.RM.RA.Inn.1,Statement,4,87,,"The risk assessment is updated in real time as changes to the risk profile occur, new applicable standards are released or updated, and new exposures are anticipated." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.2,D1.RM.RA.Inn.2,Statement,4,88,,The institution uses information from risk assessments to predict threats and drive real-time responses. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.3,D1.RM.RA.Inn.3,Statement,4,89,,Advanced or automated analytics offer predictive information and real- time risk metrics. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.1,D1.RM.Au.B.1,Statement,4,90,,"Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems. (FFIEC Audit Booklet, page 4)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.2,D1.RM.Au.B.2,Statement,4,91,,"The independent audit function validates controls related to the storage or transmission of confidential data. (FFIEC Audit Booklet, page 1)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.3,D1.RM.Au.B.3,Statement,4,92,,"Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance). (FFIEC Operations Booklet, page 29)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.4,D1.RM.Au.B.4,Statement,4,93,,"Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. 
(FFIEC Information Security Booklet, page 6)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.1,D1.RM.Au.E.1,Statement,4,94,,"The independent audit function validates that the risk management +function is commensurate with the institution’s risk and complexity." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.2,D1.RM.Au.E.2,Statement,4,95,,The independent audit function validates that the institution’s threat information sharing is commensurate with the institution’s risk and complexity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.3,D1.RM.Au.E.3,Statement,4,96,,The independent audit function validates that the institution’s cybersecurity controls function is commensurate with the institution’s risk and complexity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.4,D1.RM.Au.E.4,Statement,4,97,,The independent audit function validates that the institution’s third-party relationship management is commensurate with the institution’s risk and complexity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.5,D1.RM.Au.E.5,Statement,4,98,,The independent audit function validates that the institution’s incident response program and resilience are commensurate with the institution’s risk and complexity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.1,D1.RM.Au.Int.1,Statement,4,99,,"A formal process is in place for the independent audit function to update +its procedures based on changes to the institution’s inherent risk profile." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.2,D1.RM.Au.Int.2,Statement,4,100,,The independent audit function validates that the institution’s threat intelligence and collaboration are commensurate with the institution’s risk and complexity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.3,D1.RM.Au.Int.3,Statement,4,101,,The independent audit function regularly reviews management’s cyber risk appetite statement. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.4,D1.RM.Au.Int.4,Statement,4,102,,Independent audits or reviews are used to identify gaps in existing security capabilities and expertise. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.1,D1.RM.Au.A.1,Statement,4,103,,A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.2,D1.RM.Au.A.2,Statement,4,104,,The independent audit function regularly reviews the institution’s cyber risk appetite statement in comparison to assessment results and incorporates gaps into the audit strategy. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.3,D1.RM.Au.A.3,Statement,4,105,,"Independent audits or reviews are used to identify cybersecurity weaknesses, root causes, and the potential impact to business units." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn.1,D1.RM.Au.Inn.1,Statement,4,106,,A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn.2,D1.RM.Au.Inn.2,Statement,4,107,,The independent audit function uses sophisticated data mining tools to perform continuous monitoring of cybersecurity processes or controls. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b.1,D1.R.St.B.1,Statement,4,108,,"Information security roles and responsibilities have been identified. +(FFIEC Information Security Booklet, page 7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b.2,D1.R.St.B.2,Statement,4,109,,"Processes are in place to identify additional expertise needed to improve information security defenses. 
(FFIEC Information Security Work Program, Objective I: 2-8)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.1,D1.R.St.E.1,Statement,4,110,,A formal process is used to identify cybersecurity tools and expertise that may be needed. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.2,D1.R.St.E.2,Statement,4,111,,Management with appropriate knowledge and experience leads the institution's cybersecurity efforts. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.3,D1.R.St.E.3,Statement,4,112,,Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.4,D1.R.St.E.4,Statement,4,113,,"Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.int.1,D1.R.St.Int.1,Statement,4,114,,"The institution has a program for talent recruitment, retention, and succession planning for the cybersecurity and resilience staffs." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a.1,D1.R.St.A.1,Statement,4,115,,"The institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a.2,D1.R.St.A.2,Statement,4,116,,"Dedicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.inn.1,D1.R.St.Inn.1,Statement,4,117,,The institution actively partners with industry associations and academia to inform curricula based on future cybersecurity staffing needs of the industry. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.1,D1.TC.Tr.B.1,Statement,4,118,,"Annual information security training is provided. 
(FFIEC Information +Security Booklet, page 66)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.2,D1.TC.Tr.B.2,Statement,4,119,,"Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues. (FFIEC Information Security Booklet, page 66)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.3,D1.TC.Tr.B.3,Statement,4,120,,"Situational awareness materials are made available to employees when prompted by highly visible cyber events or by regulatory alerts. +(FFIEC Information Security Booklet, page 7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.4,D1.TC.Tr.B.4,Statement,4,121,,"Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials). (FFIEC E-Banking Work Program, Objective 6-3)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.1,D1.TC.Tr.E.1,Statement,4,122,,The institution has a program for continuing cybersecurity training and skill development for cybersecurity staff. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.2,D1.TC.Tr.E.2,Statement,4,123,,Management is provided cybersecurity training relevant to their job responsibilities. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.3,D1.TC.Tr.E.3,Statement,4,124,,Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.4,D1.TC.Tr.E.4,Statement,4,125,,Business units are provided cybersecurity training relevant to their particular business risks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.5,D1.TC.Tr.E.5,Statement,4,126,,"The institution validates the effectiveness of training (e.g., social engineering or phishing tests)." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.1,D1.TC.Tr.Int.1,Statement,4,127,,Management incorporates lessons learned from social engineering and phishing exercises to improve the employee awareness programs. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.2,D1.TC.Tr.Int.2,Statement,4,128,,Cybersecurity awareness information is provided to retail customers and commercial clients at least annually. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.3,D1.TC.Tr.Int.3,Statement,4,129,,"Business units are provided cybersecurity training relevant to their particular business risks, over and above what is required of the institution as a whole." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.4,D1.TC.Tr.Int.4,Statement,4,130,,The institution routinely updates its training to security staff to adapt to new threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.a.1,D1.TC.Tr.A.1,Statement,4,131,,"Independent directors are provided with cybersecurity training that addresses how complex products, services, and lines of business affect the institution's cyber risk." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.inn.1,D1.TC.Tr.Inn.1,Statement,4,132,,Key performance indicators are used to determine whether training and awareness programs positively influence behavior. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.b.1,D1.TC.Cu.B.1,Statement,4,133,,"Management holds employees accountable for complying with the information security program. (FFIEC Information Security Booklet, page +7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.1,D1.TC.Cu.E.1,Statement,4,134,,The institution has formal standards of conduct that hold all employees accountable for complying with cybersecurity policies and procedures. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.2,D1.TC.Cu.E.2,Statement,4,135,,Cyber risks are actively discussed at business unit meetings. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.3,D1.TC.Cu.E.3,Statement,4,136,,Employees have a clear understanding of how to identify and escalate potential cybersecurity issues. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.1,D1.TC.Cu.Int.1,Statement,4,137,,Management ensures performance plans are tied to compliance with cybersecurity policies and standards in order to hold employees accountable. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.2,D1.TC.Cu.Int.2,Statement,4,138,,The risk culture requires formal consideration of cyber risks in all business decisions. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.3,D1.TC.Cu.Int.3,Statement,4,139,,Cyber risk reporting is presented and discussed at the independent risk management meetings. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.a.1,D1.TC.Cu.A.1,Statement,4,140,,Management ensures continuous improvement of cyber risk cultural awareness. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.inn.1,D1.TC.Cu.Inn.1,Statement,4,141,,The institution leads efforts to promote cybersecurity culture across the sector and to other sectors that they depend upon. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.1,D2.TI.Ti.B.1,Statement,4,142,,"The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E- Banking Work Program, page 28)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.2,D2.TI.Ti.B.2,Statement,4,143,,"Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.3,D2.TI.Ti.B.3,Statement,4,144,,"Threat information is used to enhance internal risk management and controls. 
(FFIEC Information Security Booklet, page 4)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.e.1,D2.TI.Ti.E.1,Statement,4,145,,"Threat information received by the institution includes analysis of tactics, patterns, and risk mitigation recommendations." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.1,D2.TI.Ti.Int.1,Statement,4,146,,A formal threat intelligence program is implemented and includes subscription to threat feeds from external providers and internal sources. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.2,D2.TI.Ti.Int.2,Statement,4,147,,Protocols are implemented for collecting information from industry peers and government. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.3,D2.TI.Ti.Int.3,Statement,4,148,,"A read-only, central repository of cyber threat intelligence is maintained." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.1,D2.TI.Ti.A.1,Statement,4,149,,A cyber intelligence model is used for gathering threat information. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.2,D2.TI.Ti.A.2,Statement,4,150,,Threat intelligence is automatically received from multiple sources in real time. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.3,D2.TI.Ti.A.3,Statement,4,151,,The institution’s threat intelligence includes information related to geopolitical events that could increase cybersecurity threat levels. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn.1,D2.TI.Ti.Inn.1,Statement,4,152,,A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn.2,D2.TI.Ti.Inn.2,Statement,4,153,,"The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b.1,D2.MA.Ma.B.1,Statement,4,154,,"Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b.2,D2.MA.Ma.B.2,Statement,4,155,,"Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.1,D2.MA.Ma.E.1,Statement,4,156,,A process is implemented to monitor threat information to discover emerging threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.2,D2.MA.Ma.E.2,Statement,4,157,,The threat information and analysis process is assigned to a specific group or individual. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.3,D2.MA.Ma.E.3,Statement,4,158,,Security processes and technology are centralized and coordinated in a Security Operations Center (SOC) or equivalent. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.4,D2.MA.Ma.E.4,Statement,4,159,,Monitoring systems operate continuously with adequate support for efficient incident handling. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.1,D2.MA.Ma.Int.1,Statement,4,160,,"A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance, and exposure." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.2,D2.MA.Ma.Int.2,Statement,4,161,,"A profile is created for each threat that identifies the likely intent, capability, and target of the threat." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.3,D2.MA.Ma.Int.3,Statement,4,162,,Threat information sources that address all components of the threat profile are prioritized and monitored. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.4,D2.MA.Ma.Int.4,Statement,4,163,,Threat intelligence is analyzed to develop cyber threat summaries including risks to the institution and specific actions for the institution to consider. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.1,D2.MA.Ma.A.1,Statement,4,164,,A dedicated cyber threat identification and analysis committee or team exists to centralize and coordinate initiatives and communications. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.2,D2.MA.Ma.A.2,Statement,4,165,,Formal processes have been defined to resolve potential conflicts in information received from sharing and analysis centers or other sources. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.3,D2.MA.Ma.A.3,Statement,4,166,,Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.4,D2.MA.Ma.A.4,Statement,4,167,,Threat intelligence is viewed within the context of the institution's risk profile and risk appetite to prioritize mitigating actions in anticipation of threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.5,D2.MA.Ma.A.5,Statement,4,168,,Threat intelligence is used to update architecture and configuration standards. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.1,D2.MA.Ma.Inn.1,Statement,4,169,,"The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.2,D2.MA.Ma.Inn.2,Statement,4,170,,Highest risk scenarios are used to predict threats against specific business targets. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.3,D2.MA.Ma.Inn.3,Statement,4,171,,IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.1,D2.IS.Is.B.1,Statement,4,172,,"Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.2,D2.IS.Is.B.2,Statement,4,173,,"Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.3,D2.IS.Is.B.3,Statement,4,174,,"Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e.1,D2.IS.Is.E.1,Statement,4,175,,A formal and secure process is in place to share threat and vulnerability information with other entities. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e.2,D2.IS.Is.E.2,Statement,4,176,,A representative from the institution participates in law enforcement or information-sharing organization meetings. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.1,D2.IS.Is.Int.1,Statement,4,177,,"A formal protocol is in place for sharing threat, vulnerability, and incident information to employees based on their specific job function." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.2,D2.IS.Is.Int.2,Statement,4,178,,Information-sharing agreements are used as needed or required to facilitate sharing threat information with other financial sector organizations or third parties. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.3,D2.IS.Is.Int.3,Statement,4,179,,"Information is shared proactively with the industry, law enforcement, regulators, and information-sharing forums." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.4,D2.IS.Is.Int.4,Statement,4,180,,A process is in place to communicate and collaborate with the public sector regarding cyber threats. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.1,D2.IS.Is.A.1,Statement,4,181,,Management communicates threat intelligence with business risk context and specific risk management recommendations to the business units. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.2,D2.IS.Is.A.2,Statement,4,182,,Relationships exist with employees of peer institutions for sharing cyber threat intelligence. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.3,D2.IS.Is.A.3,Statement,4,183,,A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.1,D2.IS.Is.Inn.1,Statement,4,184,,A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.2,D2.IS.Is.Inn.2,Statement,4,185,,A system automatically informs management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.3,D2.IS.Is.Inn.3,Statement,4,186,,The institution is leading efforts to create new sector-wide information- sharing channels to address gaps in external-facing information-sharing mechanisms. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.1,D3.PC.Im.B.1,Statement,4,187,,"Network perimeter defense tools (e.g., border router and firewall) are used. (FFIEC Information Security Booklet, page 33)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.2,D3.PC.Im.B.2,Statement,4,188,,"Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. (FFIEC Information Security Booklet, page 46)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.3,D3.PC.Im.B.3,Statement,4,189,,"All ports are monitored. 
(FFIEC Information Security Booklet, page 50)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.4,D3.PC.Im.B.4,Statement,4,190,,"Up to date antivirus and anti-malware tools are used. (FFIEC Information Security Booklet, page 78)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.5,D3.PC.Im.B.5,Statement,4,191,,"Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. (FFIEC Information Security Booklet, page 56)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.6,D3.PC.Im.B.6,Statement,4,192,,"Ports, functions, protocols and services are prohibited if no longer needed for business purposes. (FFIEC Information Security Booklet, page 50)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.7,D3.PC.Im.B.7,Statement,4,193,,"Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. (FFIEC Information Security Booklet, page 56)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.8,D3.PC.Im.B.8,Statement,4,194,,"Programs that can override system, object, network, virtual machine, and application controls are restricted. (FFIEC Information Security Booklet, page 41)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.9,D3.PC.Im.B.9,Statement,4,195,,"System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. (FFIEC Information Security Booklet, page 23)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.10,D3.PC.Im.B.10,Statement,4,196,,"Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) (FFIEC Information Security Booklet, page 40)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.1,D3.PC.Im.E.1,Statement,4,197,,"There is a firewall at each Internet connection and between any +Demilitarized Zone (DMZ) and internal network(s)." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.2,D3.PC.Im.E.2,Statement,4,198,,Antivirus and intrusion detection/prevention systems (IDS/IPS) detect and block actual and attempted attacks or intrusions. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.3,D3.PC.Im.E.3,Statement,4,199,,"Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.4,D3.PC.Im.E.4,Statement,4,200,,"A risk-based solution is in place at the institution or Internet hosting provider to mitigate disruptive cyber attacks (e.g., DDoS attacks)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.5,D3.PC.Im.E.5,Statement,4,201,,Guest wireless networks are fully segregated from the internal network(s). (*N/A if there are no wireless networks.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.6,D3.PC.Im.E.6,Statement,4,202,,Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.7,D3.PC.Im.E.7,Statement,4,203,,"Critical systems supported by legacy technologies are regularly reviewed to identify for potential vulnerabilities, upgrade opportunities, or new defense layers." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.8,D3.PC.Im.E.8,Statement,4,204,,Controls for unsupported systems are implemented and tested. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.1,D3.PC.Im.Int.1,Statement,4,205,,"The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.2,D3.PC.Im.Int.2,Statement,4,206,,"Security controls are used for remote access to all administrative consoles, including restricted virtual systems." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.3,D3.PC.Im.Int.3,Statement,4,207,,Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. (*N/A if there are no wireless networks.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.4,D3.PC.Im.Int.4,Statement,4,208,,Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.5,D3.PC.Im.Int.5,Statement,4,209,,The broadcast range of the wireless network(s) is confined to institution- controlled boundaries. (*N/A if there are no wireless networks.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.6,D3.PC.Im.Int.6,Statement,4,210,,"Technical measures are in place to prevent the execution of unauthorized code on institution owned or managed devices, network infrastructure, and systems components." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.1,D3.PC.Im.A.1,Statement,4,211,,Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted zones. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.2,D3.PC.Im.A.2,Statement,4,212,,Only one primary function is permitted per server to prevent functions that require different security levels from co-existing on the same server. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.3,D3.PC.Im.A.3,Statement,4,213,,Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.1,D3.PC.Im.Inn.1,Statement,4,214,,"The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.2,D3.PC.Im.Inn.2,Statement,4,215,,"Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.3,D3.PC.Im.Inn.3,Statement,4,216,,The institution proactively seeks to identify control gaps that may be used as part of a zero-day attack. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.4,D3.PC.Im.Inn.4,Statement,4,217,,"Public-facing servers are routinely rotated and restored to a known clean +state to limit the window of time a system is exposed to potential threats." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.1,D3.PC.Am.B.1,Statement,4,218,,"Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. (FFIEC Information Security Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.2,D3.PC.Am.B.2,Statement,4,219,,"Employee access to systems and confidential data provides for separation of duties. (FFIEC Information Security Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.3,D3.PC.Am.B.3,Statement,4,220,,"Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). (FFIEC Information Security Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.4,D3.PC.Am.B.4,Statement,4,221,,"User access reviews are performed periodically for all systems and applications based on the risk to the application or system. (FFIEC Information Security Booklet, page 18)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.5,D3.PC.Am.B.5,Statement,4,222,,"Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. 
(FFIEC Information Security Booklet, page 18)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.6,D3.PC.Am.B.6,Statement,4,223,,"Identification and authentication are required and managed for access to systems, applications, and hardware. (FFIEC Information Security Booklet, page 21)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.7,D3.PC.Am.B.7,Statement,4,224,,"Access controls include password complexity and limits to password attempts and reuse. (FFIEC Information Security Booklet, page 66)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.8,D3.PC.Am.B.8,Statement,4,225,,"All default passwords and unnecessary default accounts are changed before system implementation. (FFIEC Information Security Booklet, page 61)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.9,D3.PC.Am.B.9,Statement,4,226,,"Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. (FFIEC Information Security Booklet, page 21)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.10,D3.PC.Am.B.10,Statement,4,227,,"Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) (FFIEC Information Security Booklet, page 64)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.11,D3.PC.Am.B.11,Statement,4,228,,"Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. (FFIEC Information Security Booklet, page 47)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.12,D3.PC.Am.B.12,Statement,4,229,,"All passwords are encrypted in storage and in transit. 
(FFIEC Information Security Booklet, page 21)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.13,D3.PC.Am.B.13,Statement,4,230,,"Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (FFIEC Information Security Booklet, page 51)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.14,D3.PC.Am.B.14,Statement,4,231,,"Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (FFIEC Information Security Booklet, page 51)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.15,D3.PC.Am.B.15,Statement,4,232,,"Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.16,D3.PC.Am.B.16,Statement,4,233,,"Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. (FFIEC Information Security Booklet, page 25)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.17,D3.PC.Am.B.17,Statement,4,234,,"Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. (FFIEC Information Security Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.18,D3.PC.Am.B.18,Statement,4,235,,"Data is disposed of or destroyed according to documented requirements and within expected time frames. (FFIEC Information Security Booklet, page 66)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.1,D3.PC.Am.E.1,Statement,4,236,,Changes to user access permissions trigger automated notices to appropriate personnel. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.2,D3.PC.Am.E.2,Statement,4,237,,"Administrators have two accounts: one for administrative use and one for general purpose, non-administrative tasks." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.3,D3.PC.Am.E.3,Statement,4,238,,"Use of customer data in non-production environments complies with legal, regulatory, and internal policy requirements for concealing or removing of sensitive data elements." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.4,D3.PC.Am.E.4,Statement,4,239,,"Physical access to high-risk or confidential systems is restricted, logged, and unauthorized access is blocked." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.5,D3.PC.Am.E.5,Statement,4,240,,Controls are in place to prevent unauthorized access to cryptographic keys. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.1,D3.PC.Am.Int.1,Statement,4,241,,The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.2,D3.PC.Am.Int.2,Statement,4,242,,Controls are in place to prevent unauthorized escalation of user privileges. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.3,D3.PC.Am.Int.3,Statement,4,243,,Access controls are in place for database administrators to prevent unauthorized downloading or transmission of confidential data. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.4,D3.PC.Am.Int.4,Statement,4,244,,All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.5,D3.PC.Am.Int.5,Statement,4,245,,Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.6,D3.PC.Am.Int.6,Statement,4,246,,"Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). (*N/A if no high risk systems.)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.7,D3.PC.Am.Int.7,Statement,4,247,,"Confidential data are encrypted in transit across private connections (e.g., frame relay and T1) and within the institution’s trusted zones." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.8,D3.PC.Am.Int.8,Statement,4,248,,"Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (* N/A if collaborative computing devices are not used.)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a.1,D3.PC.Am.A.1,Statement,4,249,,Encryption of select data at rest is determined by the institution’s data classification and risk assessment. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a.2,D3.PC.Am.A.2,Statement,4,250,,"Customer authentication for high-risk transactions includes methods to prevent malware and man-in-the-middle attacks (e.g., using visual transaction signing)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.1,D3.PC.Am.Inn.1,Statement,4,251,,"Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.2,D3.PC.Am.Inn.2,Statement,4,252,,"Unstructured confidential data are tracked and secured through an identity-aware, cross-platform storage system that protects against internal threats, monitors user access, and tracks changes." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.3,D3.PC.Am.Inn.3,Statement,4,253,,"Tokenization is used to substitute unique values for confidential information (e.g., virtual credit card)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.4,D3.PC.Am.Inn.4,Statement,4,254,,"The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.5,D3.PC.Am.Inn.5,Statement,4,255,,Real-time risk mitigation is taken based on automated risk scoring of user credentials. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.b.1,D3.PC.De.B.1,Statement,4,256,,"Controls are in place to restrict the use of removable media to authorized personnel. (FFIEC Information Security Work Program, Objective I: 4-1)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.1,D3.PC.De.E.1,Statement,4,257,,Tools automatically block attempted access from unpatched employee and third-party devices. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.2,D3.PC.De.E.2,Statement,4,258,,Tools automatically block attempted access by unregistered devices to internal networks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.3,D3.PC.De.E.3,Statement,4,259,,The institution has controls to prevent the unauthorized addition of new connections. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.4,D3.PC.De.E.4,Statement,4,260,,Controls are in place to prevent unauthorized individuals from copying confidential data to removable media. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.5,D3.PC.De.E.5,Statement,4,261,,"Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.6,D3.PC.De.E.6,Statement,4,262,,Mobile devices with access to the institution’s data are centrally managed for antivirus and patch deployment. (*N/A if mobile devices are not used.) 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.7,D3.PC.De.E.7,Statement,4,263,,The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.1,D3.PC.De.Int.1,Statement,4,264,,"Data loss prevention controls or devices are implemented for inbound and outbound communications (e.g., e-mail, FTP, Telnet, prevention of large file transfers)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.2,D3.PC.De.Int.2,Statement,4,265,,"Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.3,D3.PC.De.Int.3,Statement,4,266,,Mobile devices connecting to the corporate network for storing and accessing company information allow for remote software version/patch validation. (*N/A if mobile devices are not used.) +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a.1,D3.PC.De.A.1,Statement,4,267,,Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a.2,D3.PC.De.A.2,Statement,4,268,,"Confidential data and applications on mobile devices are only accessible via a secure, isolated sandbox or a secure container." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.inn.1,D3.PC.De.Inn.1,Statement,4,269,,"A centralized end-point management tool provides fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon arrival to prevent an exploit." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.1,D3.PC.Se.B.1,Statement,4,270,,"Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards. 
(FFIEC Information Security Booklet, page 56)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.2,D3.PC.Se.B.2,Statement,4,271,,"The security controls of internally developed software are periodically reviewed and tested. (*N/A if there is no software development.) (FFIEC Information Security Booklet, page 59)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.3,D3.PC.Se.B.3,Statement,4,272,,"The security controls in internally developed software code are independently reviewed before migrating the code to production. (*N/A if there is no software development.) (FFIEC Development and Acquisition Booklet, page 2)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.4,D3.PC.Se.B.4,Statement,4,273,,"Intellectual property and production code are held in escrow. (*N/A if there is no production code to hold in escrow.) (FFIEC Development and Acquisition Booklet, page 39)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.e.1,D3.PC.Se.E.1,Statement,4,274,,"Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. (*N/A if there is no software development.)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.1,D3.PC.Se.Int.1,Statement,4,275,,Processes are in place to mitigate vulnerabilities identified as part of the secure development of systems and applications. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.2,D3.PC.Se.Int.2,Statement,4,276,,"The security of applications, including Web-based applications connected to the Internet, is tested against known types of cyber attacks (e.g., SQL injection, cross-site scripting, buffer overflow) before implementation or following significant changes." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.3,D3.PC.Se.Int.3,Statement,4,277,,Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.4,D3.PC.Se.Int.4,Statement,4,278,,"A risk-based, independent information assurance function evaluates the security of internal applications." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.1,D3.PC.Se.A.1,Statement,4,279,,Vulnerabilities identified through a static code analysis are remediated before implementing newly developed or changed applications into production. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.2,D3.PC.Se.A.2,Statement,4,280,,All interdependencies between applications and services have been identified. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.3,D3.PC.Se.A.3,Statement,4,281,,Independent code reviews are completed on internally developed or vendor-provided custom applications to ensure there are no security gaps. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.inn.1,D3.PC.Se.Inn.1,Statement,4,282,,Software code is actively scanned by automated tools in the development environment so that security weaknesses can be resolved immediately during the design phase. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.1,D3.DC.Th.B.1,Statement,4,283,,"Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external- facing systems and the internal network. (FFIEC Information Security Booklet, page 61)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.2,D3.DC.Th.B.2,Statement,4,284,,"Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.3,D3.DC.Th.B.3,Statement,4,285,,"Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.4,D3.DC.Th.B.4,Statement,4,286,,"E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links). 
(FFIEC Information Security Booklet, page 39)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.1,D3.DC.Th.E.1,Statement,4,287,,Independent penetration testing of network boundary and critical Web- facing applications is performed routinely to identify security control gaps. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.2,D3.DC.Th.E.2,Statement,4,288,,Independent penetration testing is performed on Internet-facing applications or systems before they are launched or undergo significant change. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.3,D3.DC.Th.E.3,Statement,4,289,,Antivirus and anti-malware tools are updated automatically. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.4,D3.DC.Th.E.4,Statement,4,290,,Firewall rules are updated routinely. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.5,D3.DC.Th.E.5,Statement,4,291,,Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.6,D3.DC.Th.E.6,Statement,4,292,,Processes are in place to monitor potential insider activity that could lead to data theft or destruction. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int.1,D3.DC.Th.Int.1,Statement,4,293,,Audit or risk management resources review the penetration testing scope and results to help determine the need for rotating companies based on the quality of the work. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int.2,D3.DC.Th.Int.2,Statement,4,294,,E-mails and attachments are automatically scanned to detect malware and are blocked when malware is present. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.1,D3.DC.Th.A.1,Statement,4,295,,Weekly vulnerability scanning is rotated among environments to scan all environments throughout the year. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.2,D3.DC.Th.A.2,Statement,4,296,,"Penetration tests include cyber attack simulations and/or real-world tactics and techniques such as red team testing to detect control gaps in employee behavior, security defenses, policies, and resources." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.3,D3.DC.Th.A.3,Statement,4,297,,Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider threat. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn.1,D3.DC.Th.Inn.1,Statement,4,298,,"User tasks and content (e.g., opening an e-mail attachment) are automatically isolated in a secure container or virtual environment so that malware can be analyzed but cannot access vital data, end-point operating systems, or applications on the institution’s network." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn.2,D3.DC.Th.Inn.2,Statement,4,299,,Vulnerability scanning is performed on a weekly basis across all environments. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.1,D3.DC.An.B.1,Statement,4,300,,"The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.2,D3.DC.An.B.2,Statement,4,301,,"Customer transactions generating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.3,D3.DC.An.B.3,Statement,4,302,,"Logs of physical and/or logical access are reviewed following events. (FFIEC Information Security Booklet, page 73)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.4,D3.DC.An.B.4,Statement,4,303,,"Access to critical systems by third parties is monitored for unauthorized or unusual activity. (FFIEC Outsourcing Booklet, page 26)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.5,D3.DC.An.B.5,Statement,4,304,,"Elevated privileges are monitored. 
(FFIEC Information Security Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.1,D3.DC.An.E.1,Statement,4,305,,"Systems are in place to detect anomalous behavior automatically during customer, employee, and third-party authentication." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.2,D3.DC.An.E.2,Statement,4,306,,Security logs are reviewed regularly. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.3,D3.DC.An.E.3,Statement,4,307,,Logs provide traceability for all system access by individual users. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.4,D3.DC.An.E.4,Statement,4,308,,Thresholds have been established to determine activity within logs that would warrant management response. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.1,D3.DC.An.Int.1,Statement,4,309,,Online customer transactions are actively monitored for anomalous behavior. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.2,D3.DC.An.Int.2,Statement,4,310,,Tools to detect unauthorized data mining are used. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.3,D3.DC.An.Int.3,Statement,4,311,,Tools actively monitor security logs for anomalous behavior and alert within established parameters. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.4,D3.DC.An.Int.4,Statement,4,312,,Audit logs are backed up to a centralized log server or media that is difficult to alter. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.5,D3.DC.An.Int.5,Statement,4,313,,Thresholds for security logging are evaluated periodically. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.6,D3.DC.An.Int.6,Statement,4,314,,"Anomalous activity and other network and system alerts are correlated across business units to detect and prevent multifaceted attacks (e.g., simultaneous account takeover and DDoS attack)." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.1,D3.DC.An.A.1,Statement,4,315,,An automated tool triggers system and/or fraud alerts when customer logins occur within a short period of time but from physically distant IP locations. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.2,D3.DC.An.A.2,Statement,4,316,,External transfers from customer accounts generate alerts and require review and authorization if anomalous behavior is detected. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.3,D3.DC.An.A.3,Statement,4,317,,"A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.4,D3.DC.An.A.4,Statement,4,318,,An automated tool(s) is in place to detect and prevent data mining by insider threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.5,D3.DC.An.A.5,Statement,4,319,,Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious activity when the data is accessed. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn.1,D3.DC.An.Inn.1,Statement,4,320,,The institution has a mechanism for real-time automated risk scoring of threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn.2,D3.DC.An.Inn.2,Statement,4,321,,The institution is developing new technologies that will detect potential insider threats and block activity in real time. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.1,D3.DC.Ev.B.1,Statement,4,322,,"A normal network activity baseline is established. (FFIEC Information +Security Booklet, page 77)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.2,D3.DC.Ev.B.2,Statement,4,323,,"Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. 
(FFIEC Information Security Booklet, page 78)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.3,D3.DC.Ev.B.3,Statement,4,324,,"Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.4,D3.DC.Ev.B.4,Statement,4,325,,"Responsibilities for monitoring and reporting suspicious systems activity have been assigned. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.5,D3.DC.Ev.B.5,Statement,4,326,,"The physical environment is monitored to detect potential unauthorized access. (FFIEC Information Security Booklet, page 47)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.e.1,D3.DC.Ev.E.1,Statement,4,327,,"A process is in place to correlate event information from multiple sources +(e.g., network, application, or firewall)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.1,D3.DC.Ev.Int.1,Statement,4,328,,"Controls or tools (e.g., data loss prevention) are in place to detect potential unauthorized or unintentional transmissions of confidential data." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.2,D3.DC.Ev.Int.2,Statement,4,329,,Event detection processes are proven reliable. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.3,D3.DC.Ev.Int.3,Statement,4,330,,Specialized security monitoring is used for critical assets throughout the infrastructure. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.1,D3.DC.Ev.A.1,Statement,4,331,,"Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.2,D3.DC.Ev.A.2,Statement,4,332,,Real-time network monitoring and detection is implemented and incorporates sector-wide event information. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.3,D3.DC.Ev.A.3,Statement,4,333,,"Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.4,D3.DC.Ev.A.4,Statement,4,334,,Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn.1,D3.DC.Ev.Inn.1,Statement,4,335,,The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn.2,D3.DC.Ev.Inn.2,Statement,4,336,,The institution is leading the development effort to design new technologies that will detect potential insider threats and block activity in real time. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.1,D3.CC.Pa.B.1,Statement,4,337,,"A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. (FFIEC Information Security Booklet, page 62)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.2,D3.CC.Pa.B.2,Statement,4,338,,"Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.3,D3.CC.Pa.B.3,Statement,4,339,,"Patch management reports are reviewed and reflect missing security patches. (FFIEC Development and Acquisition Booklet, page 50)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.1,D3.CC.Pa.E.1,Statement,4,340,,"A formal process is in place to acquire, test, and deploy software patches based on criticality." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.2,D3.CC.Pa.E.2,Statement,4,341,,Systems are configured to retrieve patches automatically. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.3,D3.CC.Pa.E.3,Statement,4,342,,Operational impact is evaluated before deploying security patches. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.4,D3.CC.Pa.E.4,Statement,4,343,,An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.5,D3.CC.Pa.E.5,Statement,4,344,,Missing patches across all environments are prioritized and tracked. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.int.1,D3.CC.Pa.Int.1,Statement,4,345,,Patches for high-risk vulnerabilities are tested and applied when released or the risk is accepted and accountability assigned. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a.1,D3.CC.Pa.A.1,Statement,4,346,,"Patch monitoring software is installed on all servers to identify any missing patches for the operating system software, middleware, database, and other key software." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a.2,D3.CC.Pa.A.2,Statement,4,347,,"The institution monitors patch management reports to ensure security patches are tested and implemented within aggressive time frames (e.g., 0-30 days)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn.1,D3.CC.Pa.Inn.1,Statement,4,348,,The institution develops security patches or bug fixes or contributes to open source code development for systems it uses. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn.2,D3.CC.Pa.Inn.2,Statement,4,349,,Segregated or separate systems are in place that mirror production systems allowing for rapid testing and implementation of patches and provide for rapid fallback when needed. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.b.1,D3.CC.Re.B.1,Statement,4,350,,"Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report. 
(FFIEC Information Security Booklet, page 87)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e.1,D3.CC.Re.E.1,Statement,4,351,,"Data is destroyed or wiped on hardware and portable/mobile media when a device is missing, stolen, or no longer needed." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e.2,D3.CC.Re.E.2,Statement,4,352,,Formal processes are in place to resolve weaknesses identified during penetration testing. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.1,D3.CC.Re.Int.1,Statement,4,353,,Remediation efforts are confirmed by conducting a follow-up vulnerability scan. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.2,D3.CC.Re.Int.2,Statement,4,354,,"Penetration testing is repeated to confirm that medium- and high-risk, exploitable vulnerabilities have been resolved." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.3,D3.CC.Re.Int.3,Statement,4,355,,"Security investigations, forensic analysis, and remediation are performed by qualified staff or third parties." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.4,D3.CC.Re.Int.4,Statement,4,356,,"Generally accepted and appropriate forensic procedures, including chain of custody, are used to gather and present evidence to support potential legal action." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.5,D3.CC.Re.Int.5,Statement,4,357,,The maintenance and repair of organizational assets are performed by authorized individuals with approved and controlled tools. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.6,D3.CC.Re.Int.6,Statement,4,358,,The maintenance and repair of organizational assets are logged in a timely manner. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.a.1,D3.CC.Re.A.1,Statement,4,359,,"All medium and high risk issues identified in penetration testing, vulnerability scanning, and other independent testing are escalated to the board or an appropriate board committee for risk acceptance if not resolved in a timely manner." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.inn.1,D3.CC.Re.Inn.1,Statement,4,360,,The institution is developing technologies that will remediate systems damaged by zero-day attacks to maintain current recovery time objectives. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.1,D4.C.Co.B.1,Statement,4,361,,"The critical business processes that are dependent on external connectivity have been identified. (FFIEC Information Security Booklet, page 9)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.2,D4.C.Co.B.2,Statement,4,362,,"The institution ensures that third-party connections are authorized. (FFIEC Information Security Booklet, page 17)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.3,D4.C.Co.B.3,Statement,4,363,,"A network diagram is in place and identifies all external connections. (FFIEC Information Security Booklet, page 9)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.4,D4.C.Co.B.4,Statement,4,364,,"Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.1,D4.C.Co.E.1,Statement,4,365,,Critical business processes have been mapped to the supporting external connections. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.2,D4.C.Co.E.2,Statement,4,366,,The network diagram is updated when connections with third parties change or at least annually. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.3,D4.C.Co.E.3,Statement,4,367,,Network and systems diagrams are stored in a secure manner with proper restrictions on access. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.4,D4.C.Co.E.4,Statement,4,368,,Controls for primary and backup third-party connections are monitored and tested on a regular basis. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.1,D4.C.Co.Int.1,Statement,4,369,,"A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.2,D4.C.Co.Int.2,Statement,4,370,,Security controls are designed and verified to detect and prevent intrusions from third-party connections. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.3,D4.C.Co.Int.3,Statement,4,371,,"Monitoring controls cover all external connections (e.g., third-party service providers, business partners, customers)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.4,D4.C.Co.Int.4,Statement,4,372,,Monitoring controls cover all internal network-to-network connections. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a.1,D4.C.Co.A.1,Statement,4,373,,The security architecture is validated and documented before network connection infrastructure changes. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a.2,D4.C.Co.A.2,Statement,4,374,,The institution works closely with third-party service providers to maintain and improve the security of external connections. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn.1,D4.C.Co.Inn.1,Statement,4,375,,"Diagram(s) of external connections is interactive, shows real-time changes to the network connection infrastructure, new connections, and volume fluctuations, and alerts when risks arise." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn.2,D4.C.Co.Inn.2,Statement,4,376,,The institution's connections can be segmented or severed instantaneously to prevent contagion from cyber attacks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.1,D4.RM.Dd.B.1,Statement,4,377,,"Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (FFIEC Information Security Booklet, page 69)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.2,D4.RM.Dd.B.2,Statement,4,378,,"A list of third-party service providers is maintained. 
(FFIEC Outsourcing Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.3,D4.RM.Dd.B.3,Statement,4,379,,"A risk assessment is conducted to identify criticality of service providers. (FFIEC Outsourcing Booklet, page 6)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e.1,D4.RM.Dd.E.1,Statement,4,380,,A formal process exists to analyze assessments of third-party cybersecurity controls. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e.2,D4.RM.Dd.E.2,Statement,4,381,,The board or an appropriate board committee reviews a summary of due diligence results including management’s recommendations to use third parties that will affect the institution’s inherent risk profile. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int.1,D4.RM.Dd.Int.1,Statement,4,382,,"A process is in place to confirm that the institution’s third-party service providers conduct due diligence of their third parties (e.g., subcontractors)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int.2,D4.RM.Dd.Int.2,Statement,4,383,,"Pre-contract, physical site visits of high-risk vendors are conducted by the institution or by a qualified third party." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a.1,D4.RM.Dd.A.1,Statement,4,384,,A continuous process improvement program is in place for third-party due diligence activity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a.2,D4.RM.Dd.A.2,Statement,4,385,,Audits of high-risk vendors are conducted on an annual basis. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn.1,D4.RM.Dd.Inn.1,Statement,4,386,,The institution promotes sector-wide efforts to build due diligence mechanisms that lead to in-depth and efficient security and resilience reviews. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn.2,D4.RM.Dd.Inn.2,Statement,4,387,,The institution is leading efforts to develop new auditable processes and for conducting due diligence and ongoing monitoring of cybersecurity risks posed by third parties. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.1,D4.RM.Co.B.1,Statement,4,388,,"Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services. (FFIEC Information Security Booklet, page 7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.2,D4.RM.Co.B.2,Statement,4,389,,"Contracts acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits. (FFIEC Information Security Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.3,D4.RM.Co.B.3,Statement,4,390,,"Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party. (FFIEC Information Security Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.4,D4.RM.Co.B.4,Statement,4,391,,"Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements. (FFIEC Outsourcing Booklet, page 12)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.5,D4.RM.Co.B.5,Statement,4,392,,"Contracts establish responsibilities for responding to security incidents. (FFIEC E-Banking Booklet, page 22)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.6,D4.RM.Co.B.6,Statement,4,393,,"Contracts specify the security requirements for the return or destruction of data upon contract termination. (FFIEC Outsourcing Booklet, page 15)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.1,D4.RM.Co.E.1,Statement,4,394,,"Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.2,D4.RM.Co.E.2,Statement,4,395,,Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs). +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.3,D4.RM.Co.E.3,Statement,4,396,,Contracts stipulate geographic limits on where data can be stored or transmitted. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.int.1,D4.RM.Co.Int.1,Statement,4,397,,Third-party SLAs or similar means are in place that require timely notification of security events. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a.1,D4.RM.Co.A.1,Statement,4,398,,"Contracts require third-party service provider’s security policies meet or +exceed those of the institution." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a.2,D4.RM.Co.A.2,Statement,4,399,,A third-party termination/exit strategy has been established and validated with management. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.inn.1,D4.RM.Co.Inn.1,Statement,4,400,,The institution promotes a sector-wide effort to influence contractual requirements for critical third parties to the industry. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.1,D4.RM.Om.B.1,Statement,4,401,,"The third-party risk assessment is updated regularly. (FFIEC Outsourcing Booklet, page 3)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.2,D4.RM.Om.B.2,Statement,4,402,,"Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. (FFIEC Information Security Booklet, page 86)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.3,D4.RM.Om.B.3,Statement,4,403,,"Ongoing monitoring practices include reviewing critical third-parties’ resilience plans. 
(FFIEC Outsourcing Booklet, page 19)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.1,D4.RM.Om.E.1,Statement,4,404,,"A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.2,D4.RM.Om.E.2,Statement,4,405,,A formal program assigns responsibility for ongoing oversight of third- party access. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.3,D4.RM.Om.E.3,Statement,4,406,,"Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.4,D4.RM.Om.E.4,Statement,4,407,,Automated reminders or ticklers are in place to identify when required third-party information needs to be obtained or analyzed. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int.1,D4.RM.Om.Int.1,Statement,4,408,,Third-party employee access to the institution's confidential data are tracked actively based on the principles of least privilege. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int.2,D4.RM.Om.Int.2,Statement,4,409,,Periodic on-site assessments of high-risk vendors are conducted to ensure appropriate security controls are in place. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.a.1,D4.RM.Om.A.1,Statement,4,410,,Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.inn.1,D4.RM.Om.Inn.1,Statement,4,411,,The institution is leading efforts to develop new auditable processes for ongoing monitoring of cybersecurity risks posed by third parties. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.1,D5.IR.Pl.B.1,Statement,4,412,,"The institution has documented how it will react and respond to cyber incidents. 
(FFIEC Business Continuity Planning Booklet, page 4)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.2,D5.IR.Pl.B.2,Statement,4,413,,"Communication channels exist to provide employees a means for reporting information security events in a timely manner. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.3,D5.IR.Pl.B.3,Statement,4,414,,"Roles and responsibilities for incident response team members are defined. (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.4,D5.IR.Pl.B.4,Statement,4,415,,"The response team includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution (e.g., management, legal, public relations, as well as information technology). (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.5,D5.IR.Pl.B.5,Statement,4,416,,"A formal backup and recovery plan exists for all critical business lines. (FFIEC Business Continuity Planning Booklet, page 4)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.6,D5.IR.Pl.B.6,Statement,4,417,,"The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. (FFIEC Information Security Booklet, page 71)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.1,D5.IR.Pl.E.1,Statement,4,418,,"The remediation plan and process outlines the mitigating actions, resources, and time parameters." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.2,D5.IR.Pl.E.2,Statement,4,419,,"The corporate disaster recovery, business continuity, and crisis management plans have integrated consideration of cyber incidents." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.3,D5.IR.Pl.E.3,Statement,4,420,,Alternative processes have been established to continue critical activity within a reasonable time period. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.4,D5.IR.Pl.E.4,Statement,4,421,,Business impact analyses have been updated to include cybersecurity. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.5,D5.IR.Pl.E.5,Statement,4,422,,"Due diligence has been performed on technical sources, consultants, or forensic service firms that could be called to assist the institution during or following an incident." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.1,D5.IR.Pl.Int.1,Statement,4,423,,A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.2,D5.IR.Pl.Int.2,Statement,4,424,,Plans are in place to re-route or substitute critical functions and/or services that may be affected by a successful attack on Internet-facing systems. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.3,D5.IR.Pl.Int.3,Statement,4,425,,A direct cooperative or contractual agreement(s) is in place with an incident response organization(s) or provider(s) to assist rapidly with mitigation efforts. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.4,D5.IR.Pl.Int.4,Statement,4,426,,Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s risk mitigation capabilities and response plan. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.1,D5.IR.Pl.A.1,Statement,4,427,,"Methods for responding to and recovering from cyber incidents are tightly woven throughout the business units’ disaster recovery, business continuity, and crisis management plans." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.2,D5.IR.Pl.A.2,Statement,4,428,,"Multiple systems, programs, or processes are implemented into a comprehensive cyber resilience program to sustain, minimize, and recover operations from an array of potentially disruptive and destructive cyber incidents." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.3,D5.IR.Pl.A.3,Statement,4,429,,A process is in place to continuously improve the resilience plan. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn.1,D5.IR.Pl.Inn.1,Statement,4,430,,"The incident response plan is designed to ensure recovery from disruption of services, assurance of data integrity, and recovery of lost or corrupted data following a cybersecurity incident." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn.2,D5.IR.Pl.Inn.2,Statement,4,431,,The incident response process includes detailed actions and rule- based triggers for automated response. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.1,D5.IR.Te.B.1,Statement,4,432,,"Scenarios are used to improve incident detection and response. +(FFIEC Information Security Booklet, page 71)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.2,D5.IR.Te.B.2,Statement,4,433,,"Business continuity testing involves collaboration with critical third parties. (FFIEC Business Continuity Planning Booklet, page J-6)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.3,D5.IR.Te.B.3,Statement,4,434,,"Systems, applications, and data recovery is tested at least annually. (FFIEC Business Continuity Planning Booklet, page J-7)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.1,D5.IR.Te.E.1,Statement,4,435,,"Recovery scenarios include plans to recover from data destruction and impacts to data integrity, data loss, and system and data availability." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.2,D5.IR.Te.E.2,Statement,4,436,,Widely reported events are used to evaluate and improve the institution's response. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.3,D5.IR.Te.E.3,Statement,4,437,,Information backups are tested periodically to verify they are accessible and readable. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.1,D5.IR.Te.Int.1,Statement,4,438,,Cyber-attack scenarios are analyzed to determine potential impact to critical business processes. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.2,D5.IR.Te.Int.2,Statement,4,439,,"The institution participates in sector-specific cyber exercises or scenarios (e.g., FS-ISAC Cyber Attack (against) Payment Processors (CAPP))." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.3,D5.IR.Te.Int.3,Statement,4,440,,Resilience testing is based on analysis and identification of realistic and highly likely threats as well as new and emerging threats facing the institution. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.4,D5.IR.Te.Int.4,Statement,4,441,,"The critical online systems and processes are tested to withstand stresses for extended periods (e.g., DDoS)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.5,D5.IR.Te.Int.5,Statement,4,442,,The results of cyber event exercises are used to improve the incident response plan and automated triggers. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.1,D5.IR.Te.A.1,Statement,4,443,,Resilience testing is comprehensive and coordinated across all critical business functions. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.2,D5.IR.Te.A.2,Statement,4,444,,The institution validates that it is able to recover from cyber events similar to by known sophisticated attacks at other organizations. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.3,D5.IR.Te.A.3,Statement,4,445,,Incident response testing evaluates the institution from an attacker's perspective to determine how the institution or its assets at critical third parties may be targeted. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.4,D5.IR.Te.A.4,Statement,4,446,,The institution corrects root causes for problems discovered during cybersecurity resilience testing. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.5,D5.IR.Te.A.5,Statement,4,447,,Cybersecurity incident scenarios involving significant financial loss are used to stress test the institution's risk management. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.1,D5.IR.Te.Inn.1,Statement,4,448,,The institution tests the ability to shift business processes or functions between different processing centers or technology systems for cyber incidents without interruption to business or loss of productivity or data. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.2,D5.IR.Te.Inn.2,Statement,4,449,,The institution has validated that it is able to remediate systems damaged by zero-day attacks to maintain current recovery time objectives. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.3,D5.IR.Te.Inn.3,Statement,4,450,,The institution is leading the development of more realistic test environments. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.4,D5.IR.Te.Inn.4,Statement,4,451,,Cyber incident scenarios are used to stress test potential financial losses across the sector. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.1,D5.DR.De.B.1,Statement,4,452,,"Alert parameters are set for detecting information security incidents that prompt mitigating actions. (FFIEC Information Security Booklet, page 43)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.2,D5.DR.De.B.2,Statement,4,453,,"System performance reports contain information that can be used as a risk indicator to detect information security incidents. (FFIEC Information Security Booklet, page 86)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.3,D5.DR.De.B.3,Statement,4,454,,"Tools and processes are in place to detect, alert, and trigger the incident response program. (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.e.1,D5.DR.De.E.1,Statement,4,455,,The institution has processes to detect and alert the incident response team when potential insider activity manifests that could lead to data theft or destruction. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.1,D5.DR.De.Int.1,Statement,4,456,,The incident response program is triggered when anomalous behaviors and attack patterns or signatures are detected. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.2,D5.DR.De.Int.2,Statement,4,457,,"The institution has the ability to discover infiltration, before the attacker traverses across systems, establishes a foothold, steals information, or causes damage to data and systems." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.3,D5.DR.De.Int.3,Statement,4,458,,Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.4,D5.DR.De.Int.4,Statement,4,459,,"Network and system alerts are correlated across business units to better detect and prevent multifaceted attacks (e.g., simultaneous DDoS attack and account takeover)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.5,D5.DR.De.Int.5,Statement,4,460,,Incident detection processes are capable of correlating events across the enterprise. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a.1,D5.DR.De.A.1,Statement,4,461,,Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a.2,D5.DR.De.A.2,Statement,4,462,,Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert incident response teams in real time. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.inn.1,D5.DR.De.Inn.1,Statement,4,463,,The institution is able to detect and block zero-day attempts and inform management and the incident response team in real time. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.b.1,D5.DR.Re.B.1,Statement,4,464,,"Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer information. (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.1,D5.DR.Re.E.1,Statement,4,465,,"The incident response plan is designed to prioritize incidents, enabling a rapid response for significant cybersecurity incidents or vulnerabilities." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.2,D5.DR.Re.E.2,Statement,4,466,,A process is in place to help contain incidents and restore operations with minimal service disruption. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.3,D5.DR.Re.E.3,Statement,4,467,,"Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware)." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.4,D5.DR.Re.E.4,Statement,4,468,,Procedures include containment strategies and notifying potentially impacted third parties. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.5,D5.DR.Re.E.5,Statement,4,469,,Processes are in place to trigger the incident response program when an incident occurs at a third party. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.6,D5.DR.Re.E.6,Statement,4,470,,Records are generated to support incident investigation and mitigation. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.7,D5.DR.Re.E.7,Statement,4,471,,"The institution calls upon third parties, as needed, to provide mitigation services" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.8,D5.DR.Re.E.8,Statement,4,472,,Analysis of events is used to improve the institution's security measures and policies. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.1,D5.DR.Re.Int.1,Statement,4,473,,Analysis of security incidents is performed in the early stages of an intrusion to minimize the impact of the incident. 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.2,D5.DR.Re.Int.2,Statement,4,474,,Any changes to systems/applications or to access entitlements necessary for incident management are reviewed by management for formal approval before implementation. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.3,D5.DR.Re.Int.3,Statement,4,475,,"Processes are in place to ensure assets affected by a security incident that cannot be returned to operational status are quarantined, removed, disposed of, and/or replaced." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.4,D5.DR.Re.Int.4,Statement,4,476,,Processes are in place to ensure that restored assets are appropriately reconfigured and thoroughly tested before being placed back into operation. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.1,D5.DR.Re.A.1,Statement,4,477,,The incident management function collaborates effectively with the cyber threat intelligence function during an incident. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.2,D5.DR.Re.A.2,Statement,4,478,,"Links between threat intelligence, network operations, and incident response allow for proactive response to potential incidents." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.3,D5.DR.Re.A.3,Statement,4,479,,Technical measures apply defense-in-depth techniques such as deep- packet inspection and black holing for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns and/or DDoS attacks. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn.1,D5.DR.Re.Inn.1,Statement,4,480,,"The institution’s risk management of significant cyber incidents results in +limited to no disruptions to critical services." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn.2,D5.DR.Re.Inn.2,Statement,4,481,,"The technology infrastructure has been engineered to limit the effects of a cyber attack on the production environment from migrating to the backup environment (e.g., air-gapped environment and processes)." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.1,D5.ER.Es.B.1,Statement,4,482,,"A process exists to contact personnel who are responsible for analyzing and responding to an incident. (FFIEC Information Security Booklet, page 83)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.2,D5.ER.Es.B.2,Statement,4,483,,"Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information. (FFIEC Information Security Booklet, page 84)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.3,D5.ER.Es.B.3,Statement,4,484,,"The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. (FFIEC Information Security Booklet, page 5)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.4,D5.ER.Es.B.4,Statement,4,485,,"Incidents are classified, logged, and tracked. (FFIEC Operations Booklet, page 28)" +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.1,D5.ER.Es.E.1,Statement,4,486,,Criteria have been established for escalating cyber incidents or vulnerabilities to the board and senior management based on the potential impact and criticality of the risk. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.2,D5.ER.Es.E.2,Statement,4,487,,"Regulators, law enforcement, and service providers, as appropriate, are notified when the institution is aware of any unauthorized access to systems or a cyber incident occurs that could result in degradation of services." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.3,D5.ER.Es.E.3,Statement,4,488,,Tracked cyber incidents are correlated for trend analysis and reporting. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.1,D5.ER.Es.Int.1,Statement,4,489,,"Employees that are essential to mitigate the risk (e.g., fraud, business resilience) know their role in incident escalation." 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.2,D5.ER.Es.Int.2,Statement,4,490,,"A communication plan is used to notify other organizations, including third parties, of incidents that may affect them or their customers." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.3,D5.ER.Es.Int.3,Statement,4,491,,An external communication plan is used for notifying media regarding incidents when applicable. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a.1,D5.ER.Es.A.1,Statement,4,492,,The institution has established quantitative and qualitative metrics for the cybersecurity incident response process. +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a.2,D5.ER.Es.A.2,Statement,4,493,,"Detailed metrics, dashboards, and/or scorecards outlining cyber incidents and events are provided to management and are part of the board meeting package." +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.inn.1,D5.ER.Es.Inn.1,Statement,4,494,,A mechanism is in place to provide instantaneous notification of incidents to management and essential employees through multiple communication channels with tracking and verification of receipt. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc,CC,Category,0,1,Common Criteria, +aicpa_tsc_v2017,aicpa_tsc_v2017:a,A,Category,0,2,Availability, +aicpa_tsc_v2017,aicpa_tsc_v2017:c,C,Category,0,3,Confidentiality, +aicpa_tsc_v2017,aicpa_tsc_v2017:pi,PI,Category,0,4,Processing Integrity, +aicpa_tsc_v2017,aicpa_tsc_v2017:p,P,Category,0,5,Privacy, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1,CC1,Group,1,1,Control Environment, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2,CC2,Group,1,2,Communication and Information, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3,CC3,Group,1,3,Risk Assessment, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4,CC4,Group,1,4,Monitoring Activities, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5,CC5,Group,1,5,Control Activities, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6,CC6,Group,1,6,Logical and Physical Access Controls, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7,CC7,Group,1,7,System Operations, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8,CC8,Group,1,8,Change Management, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9,CC9,Group,1,9,Risk Mitigation, +aicpa_tsc_v2017,aicpa_tsc_v2017:a1,A1,Group,1,10,Availability, +aicpa_tsc_v2017,aicpa_tsc_v2017:c1,C1,Group,1,11,Confidentiality, +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1,PI1,Group,1,12,Processing Integrity, +aicpa_tsc_v2017,aicpa_tsc_v2017:p1,P1,Group,1,13,Notice and Communication of Objectives Related to Privacy, +aicpa_tsc_v2017,aicpa_tsc_v2017:p2,P2,Group,1,14,Choice and Consent, +aicpa_tsc_v2017,aicpa_tsc_v2017:p3,P3,Group,1,15,Collection, +aicpa_tsc_v2017,aicpa_tsc_v2017:p4,P4,Group,1,16,"Use, Retention, and Disposal", +aicpa_tsc_v2017,aicpa_tsc_v2017:p5,P5,Group,1,17,Access, +aicpa_tsc_v2017,aicpa_tsc_v2017:p6,P6,Group,1,18,Disclosure and Notification, +aicpa_tsc_v2017,aicpa_tsc_v2017:p7,P7,Group,1,19,Quality, +aicpa_tsc_v2017,aicpa_tsc_v2017:p8,P8,Group,1,20,Monitoring and Enforcement, +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1,CC1.1,Criteria,2,1,,COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2,CC1.2,Criteria,2,2,,COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3,CC1.3,Criteria,2,3,,"COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4,CC1.4,Criteria,2,4,,"COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5,CC1.5,Criteria,2,5,,COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1,CC2.1,Criteria,2,6,,"COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2,CC2.2,Criteria,2,7,,"COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3,CC2.3,Criteria,2,8,,COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1,CC3.1,Criteria,2,9,,COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2,CC3.2,Criteria,2,10,,COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3,CC3.3,Criteria,2,11,,COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4,CC3.4,Criteria,2,12,,COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1,CC4.1,Criteria,2,13,,"COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2,CC4.2,Criteria,2,14,,"COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1,CC5.1,Criteria,2,15,,COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2,CC5.2,Criteria,2,16,,COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3,CC5.3,Criteria,2,17,,COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1,CC6.1,Criteria,2,18,,"The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2,CC6.2,Criteria,2,19,,"Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For +those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3,CC6.3,Criteria,2,20,,"The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4,CC6.4,Criteria,2,21,,"The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5,CC6.5,Criteria,2,22,,The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6 ,CC6.6 ,Criteria,2,23,,The entity implements logical access security measures to protect against threats from sources outside its system boundaries. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6,CC6.6,Criteria,2,24,,The entity implements logical access security measures to protect against threats from sources outside its system boundaries. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7,CC6.7,Criteria,2,25,,"The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8,CC6.8,Criteria,2,26,,The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1,CC7.1,Criteria,2,27,,"To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2,CC7.2,Criteria,2,28,,"The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3,CC7.3,Criteria,2,29,,"The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4,CC7.4,Criteria,2,30,,"The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5,CC7.5,Criteria,2,31,,"The entity identifies, develops, and implements activities to recover from identified security incidents." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1,CC8.1,Criteria,2,32,,"The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1,CC9.1,Criteria,2,33,,"The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2,CC9.2,Criteria,2,34,,The entity assesses and manages risks associated with vendors and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1,A1.1,Criteria,2,35,,"The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2,A1.2,Criteria,2,36,,"The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3,A1.3,Criteria,2,37,,The entity tests recovery plan procedures supporting system recovery to meet its objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1,C1.1,Criteria,2,38,,The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2,C1.2,Criteria,2,39,,The entity disposes of confidential information to meet the entity’s objectives related to confidentiality. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.1,PI1.1,Criteria,2,40,,Identifies Information Specifications—The entity identifies information specifications required to support the use of products and services. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2,PI1.2,Criteria,2,41,,"The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the +entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3,PI1.3,Criteria,2,42,,"The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4,PI1.4,Criteria,2,43,,"The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5,PI1.5,Criteria,2,44,,"The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1,P1.1,Criteria,2,45,,"The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1,P2.1,Criteria,2,46,,"The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. 
The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented." +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1,P3.1,Criteria,2,47,,Personal information is collected consistent with the entity’s objectives related to privacy. +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2,P3.2,Criteria,2,48,,"For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.1,P4.1,Criteria,2,49,,The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy. +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2,P4.2,Criteria,2,50,,The entity retains personal information consistent with the entity’s objectives related to privacy. +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3,P4.3,Criteria,2,51,,The entity securely disposes of personal information to meet the entity’s objectives related to privacy +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1,P5.1,Criteria,2,52,,"The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2,P5.2,Criteria,2,53,,"The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. 
If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1,P6.1,Criteria,2,54,,"The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy" +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.2,P6.2,Criteria,2,55,,"The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy" +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.3,P6.3,Criteria,2,56,,"The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4,P6.4,Criteria,2,57,,"The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5,P6.5,Criteria,2,58,,"The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in +accordance with established incident response procedures to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6,P6.6,Criteria,2,59,,"The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7,P6.7,Criteria,2,60,,"The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1,P7.1,Criteria,2,61,,"The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy" +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1,P8.1,Criteria,2,62,,"The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.1,CC1.1.1,Point of Focus,3,1,Sets the Tone at the Top,"The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.2,CC1.1.2,Point of Focus,3,2,Establishes Standards of Conduct,The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.3,CC1.1.3,Point of Focus,3,3,Evaluates Adherence to Standards of Conduct,Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.4,CC1.1.4,Point of Focus,3,4,Addresses Deviations in a Timely Manner,Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.5,CC1.1.5,Point of Focus,3,5,Considers Contractors and Vendor Employees in Demonstrating Its Commitment,"Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.1,CC1.2.1,Point of Focus,3,6,Establishes Oversight Responsibilities,The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.2,CC1.2.2,Point of Focus,3,7,Applies Relevant Expertise,"The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.3,CC1.2.3,Point of Focus,3,8,Operates Independently,The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.4,CC1.2.4,Point of Focus,3,9,Supplements Board Expertise,"The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.1,CC1.3.1,Point of Focus,3,10,Considers All Structures of the Entity,"Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.2,CC1.3.2,Point of Focus,3,11,Establishes Reporting Lines,Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.3,CC1.3.3,Point of Focus,3,12,"Defines, Assigns, and Limits Authorities and Responsibilities","Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.4,CC1.3.4,Point of Focus,3,13,Addresses Specific Requirements When Defining Authorities and Responsibilities,"Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.5,CC1.3.5,Point of Focus,3,14,"Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities","Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.1,CC1.4.1,Point of Focus,3,15,Establishes Policies and Practices,Policies and practices reflect expectations of competence necessary to support the achievement of objectives. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.2,CC1.4.2,Point of Focus,3,16,Evaluates Competence and Addresses Shortcomings,The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.3,CC1.4.3,Point of Focus,3,17,"Attracts, Develops, and Retains Individuals","The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.4,CC1.4.4,Point of Focus,3,18,Plans and Prepares for Succession,Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.5,CC1.4.5,Point of Focus,3,19,Considers the Background of Individuals,"The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.6,CC1.4.6,Point of Focus,3,20,Considers the Technical Competency of Individuals,"The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.7,CC1.4.7,Point of Focus,3,21,Provides Training to Maintain Technical Competencies,"The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.1,CC1.5.1,Point of Focus,3,22,"Enforces Accountability Through Structures, Authorities, and Responsibilities",Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.2,CC1.5.2,Point of Focus,3,23,"Establishes Performance Measures, Incentives, and Rewards","Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.3,CC1.5.3,Point of Focus,3,24,"Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance",Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.4,CC1.5.4,Point of Focus,3,25,Considers Excessive Pressures,"Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.5,CC1.5.5,Point of Focus,3,26,Evaluates Performance and Rewards or Disciplines Individuals,"Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.1,CC2.1.1,Point of Focus,3,27,Identifies Information Requirements,A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.2,CC2.1.2,Point of Focus,3,28,Captures Internal and External Sources of Data,Information systems capture internal and external sources of data. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.3,CC2.1.3,Point of Focus,3,29,Processes Relevant Data Into Information,Information systems process and transform relevant data into information. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.4,CC2.1.4,Point of Focus,3,30,Maintains Quality Throughout Processing,"Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.1,CC2.2.1,Point of Focus,3,31,Communicates Internal Control Information,A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.2,CC2.2.2,Point of Focus,3,32,Communicates With the Board of Directors,Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.3,CC2.2.3,Point of Focus,3,33,Provides Separate Communication Lines,"Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.4,CC2.2.4,Point of Focus,3,34,Selects Relevant Method of Communication,"The method of communication considers the timing, audience, and nature of the information." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.5,CC2.2.5,Point of Focus,3,35,Communicates Responsibilities,"Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.6,CC2.2.6,Point of Focus,3,36,"Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters","Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.7,CC2.2.7,Point of Focus,3,37,Communicates Objectives and Changes to Objectives ,The entity communicates its objectives and changes to those objectives to personnel in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.8,CC2.2.8,Point of Focus,3,38,Communicates Information to Improve Security Knowledge and Awareness,The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.9,CC2.2.9,Point of Focus,3,39,Communicates Information About System Operation and Boundaries,The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.10,CC2.2.10,Point of Focus,3,40,Communicates System Objectives,The entity communicates its objectives to personnel to enable them to carry out their responsibilities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.11,CC2.2.11,Point of Focus,3,41,Communicates System Changes,System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.1,CC2.3.1,Point of Focus,3,42,Communicates to External Parties,"Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.2,CC2.3.2,Point of Focus,3,43,Enables Inbound Communications,"Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.3,CC2.3.3,Point of Focus,3,44,Communicates With the Board of Directors,Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.4,CC2.3.4,Point of Focus,3,45,Provides Separate Communication Lines,"Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.5,CC2.3.5,Point of Focus,3,46,Selects Relevant Method of Communication,"The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.6,CC2.3.6,Point of Focus,3,47,Communicates Objectives Related to Confidentiality and Changes to Objectives,"The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.7,CC2.3.7,Point of Focus,3,48,Communicates Objectives Related to Privacy and Changes to Objectives,"The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.8,CC2.3.8,Point of Focus,3,49,Communicates Information About System Operation and Boundaries,The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.9,CC2.3.9,Point of Focus,3,50,Communicates System Objectives,The entity communicates its system objectives to appropriate external users. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.10,CC2.3.10,Point of Focus,3,51,Communicates System Responsibilities,"External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.11,CC2.3.11,Point of Focus,3,52,"Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters","External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.1,CC3.1.1,Point of Focus,3,53,Reflects Management's Choices,"Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.2,CC3.1.2,Point of Focus,3,54,Considers Tolerances for Risk,Management considers the acceptable levels of variation relative to the achievement of operations objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.3,CC3.1.3,Point of Focus,3,55,Includes Operations and Financial Performance Goals,The organization reflects the desired level of operations and financial performance for the entity within operations objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.4,CC3.1.4,Point of Focus,3,56,Forms a Basis for Committing of Resources,Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.5,CC3.1.5,Point of Focus,3,57,Complies With Applicable Accounting Standards,Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.6,CC3.1.6,Point of Focus,3,58,Considers Materiality,Management considers materiality in financial statement presentation. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.7,CC3.1.7,Point of Focus,3,59,Reflects Entity Activities,External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.8,CC3.1.8,Point of Focus,3,60,Complies With Externally Established Frameworks,Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.9,CC3.1.9,Point of Focus,3,61,Considers the Required Level of Precision,Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.10,CC3.1.10,Point of Focus,3,62,Reflects Entity Activities,External reporting reflects the underlying transactions and events within a range of acceptable limits. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.11,CC3.1.11,Point of Focus,3,63,Reflects Management's Choices,Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.12,CC3.1.12,Point of Focus,3,64,Considers the Required Level of Precision,Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.13,CC3.1.13,Point of Focus,3,65,Reflects Entity Activities,Internal reporting reflects the underlying transactions and events within a range of acceptable limits. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.14,CC3.1.14,Point of Focus,3,66,Reflects External Laws and Regulations,"Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.15,CC3.1.15,Point of Focus,3,67,Considers Tolerances for Risk,Management considers the acceptable levels of variation relative to the achievement of operations objectives. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.16,CC3.1.16,Point of Focus,3,68,Establishes Sub-objectives to Support Objectives,"Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.1,CC3.2.1,Point of Focus,3,69,"Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels","The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.2,CC3.2.2,Point of Focus,3,70,Analyzes Internal and External Factors,Risk identification considers both internal and external factors and their impact on the achievement of objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.3,CC3.2.3,Point of Focus,3,71,Involves Appropriate Levels of Management,The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.4,CC3.2.4,Point of Focus,3,72,Estimates Significance of Risks Identified,Identified risks are analyzed through a process that includes estimating the potential significance of the risk. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.5,CC3.2.5,Point of Focus,3,73,Determines How to Respond to Risks,"Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.6,CC3.2.6,Point of Focus,3,74,Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities,"The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.7,CC3.2.7,Point of Focus,3,75,"Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties","The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.8,CC3.2.8,Point of Focus,3,76,Considers the Significance of the Risk,"The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.1,CC3.3.1,Point of Focus,3,77,Considers Various Types of Fraud,"The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.2,CC3.3.2,Point of Focus,3,78,Assesses Incentives and Pressures,The assessment of fraud risks considers incentives and pressures. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.3,CC3.3.3,Point of Focus,3,79,Assesses Opportunities,"The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.4,CC3.3.4,Point of Focus,3,80,Assesses Attitudes and Rationalizations,The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.5,CC3.3.5,Point of Focus,3,81,Considers the Risks Related to the Use of IT and Access to Information,The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.1,CC3.4.1,Point of Focus,3,82,Assesses Changes in the External Environment,"The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.2,CC3.4.2,Point of Focus,3,83,Assesses Changes in the Business Model,"The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.3,CC3.4.3,Point of Focus,3,84,Assesses Changes in Leadership,The entity considers changes in management and respective attitudes and philosophies on the system of internal control. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.4,CC3.4.4,Point of Focus,3,85,Assess Changes in Systems and Technology,The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.5,CC3.4.5,Point of Focus,3,86,Assess Changes in Vendor and Business Partner Relationships,The risk identification process considers changes in vendor and business partner relationships. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.1,CC4.1.1,Point of Focus,3,87,Considers a Mix of Ongoing and Separate Evaluations,Management includes a balance of ongoing and separate evaluations. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.2,CC4.1.2,Point of Focus,3,88,Considers Rate of Change,Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.3,CC4.1.3,Point of Focus,3,89,Establishes Baseline Understanding,The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.4,CC4.1.4,Point of Focus,3,90,Uses Knowledgeable Personnel,Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.5,CC4.1.5,Point of Focus,3,91,Integrates With Business Processes,Ongoing evaluations are built into the business processes and adjust to changing conditions. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.6,CC4.1.6,Point of Focus,3,92,Adjusts Scope and Frequency,Management varies the scope and frequency of separate evaluations depending on risk. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.7,CC4.1.7,Point of Focus,3,93,Objectively Evaluates,Separate evaluations are performed periodically to provide objective feedback. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.8,CC4.1.8,Point of Focus,3,94,Considers Different Types of Ongoing and Separate Evaluations,"Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.1,CC4.2.1,Point of Focus,3,95,Assesses Results,"Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.2,CC4.2.2,Point of Focus,3,96,Communicates Deficiencies,"Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.3,CC4.2.3,Point of Focus,3,97,Monitors Corrective Action,Management tracks whether deficiencies are remedied on a timely basis. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.1,CC5.1.1,Point of Focus,3,98,Integrates With Risk Assessment,Control activities help ensure that risk responses that address and mitigate risks are carried out. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.2,CC5.1.2,Point of Focus,3,99,Considers Entity-Specific Factors,"Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.3,CC5.1.3,Point of Focus,3,100,Determines Relevant Business Processes,Management determines which relevant business processes require control activities. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.4,CC5.1.4,Point of Focus,3,101,Evaluates a Mix of Control Activity Types,"Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.5,CC5.1.5,Point of Focus,3,102,Considers at What Level Activities Are Applied,Management considers control activities at various levels in the entity. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.6,CC5.1.6,Point of Focus,3,103,Addresses Segregation of Duties,"Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.1,CC5.2.1,Point of Focus,3,104,Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls,"Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.2,CC5.2.2,Point of Focus,3,105,Establishes Relevant Technology Infrastructure Control Activities,"Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.3,CC5.2.3,Point of Focus,3,106,Establishes Relevant Security Management Process Controls Activities,Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.4,CC5.2.4,Point of Focus,3,107,"Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities","Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.1,CC5.3.1,Point of Focus,3,108,Establishes Policies and Procedures to Support Deployment of Management ‘s Directives,Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.2,CC5.3.2,Point of Focus,3,109,Establishes Responsibility and Accountability for Executing Policies and Procedures,Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.3,CC5.3.3,Point of Focus,3,110,Performs in a Timely Manner,Responsible personnel perform control activities in a timely manner as defined by the policies and procedures. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.4,CC5.3.4,Point of Focus,3,111,Takes Corrective Action,Responsible personnel investigate and act on matters identified as a result of executing control activities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.5,CC5.3.5,Point of Focus,3,112,Performs Using Competent Personnel,Competent personnel with sufficient authority perform control activities with diligence and continuing focus. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.6,CC5.3.6,Point of Focus,3,113,Reassesses Policies and Procedures,Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.1,CC6.1.1,Point of Focus,3,114,Identifies and Manages the Inventory of Information Assets,"The entity identifies, inventories, classifies, and manages information assets. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.2,CC6.1.2,Point of Focus,3,115,Restricts Logical Access,"Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.3,CC6.1.3,Point of Focus,3,116,Identifies and Authenticates Users,"Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.4,CC6.1.4,Point of Focus,3,117,Considers Network Segmentation,Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.5,CC6.1.5,Point of Focus,3,118,Manages Points of Access,"Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.6,CC6.1.6,Point of Focus,3,119,Restricts Access to Information Assets,"Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.7,CC6.1.7,Point of Focus,3,120,Manages Identification and Authentication,"Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.8,CC6.1.8,Point of Focus,3,121,Manages Credentials for Infrastructure and Software,"New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.9,CC6.1.9,Point of Focus,3,122,Uses Encryption to Protect Data,"The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.10,CC6.1.10,Point of Focus,3,123,Protects Encryption Keys,"Processes are in place to protect encryption keys during generation, storage, use, and destruction." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.1,CC6.2.1,Point of Focus,3,124,Controls Access Credentials to Protected Assets,Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.2,CC6.2.2,Point of Focus,3,125,Removes Access to Protected Assets When Appropriate,Processes are in place to remove credential access when an individual no longer requires such access. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.3,CC6.2.3,Point of Focus,3,126,Reviews Appropriateness of Access Credentials,The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.1,CC6.3.1,Point of Focus,3,127,Creates or Modifies Access to Protected Information Assets,Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.2,CC6.3.2,Point of Focus,3,128,Removes Access to Protected Information Assets,Processes are in place to remove access to protected information assets when an individual no longer requires access. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.3,CC6.3.3,Point of Focus,3,129,Uses Role-Based Access Controls,Role-based access control is utilized to support segregation of incompatible functions. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.1,CC6.4.1,Point of Focus,3,130,Creates or Modifies Physical Access,"Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.2,CC6.4.2,Point of Focus,3,131,Removes Physical Access,Processes are in place to remove access to physical resources when an individual no longer requires access. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.3,CC6.4.3,Point of Focus,3,132,Reviews Physical Access,Processes are in place to periodically review physical access to ensure consistency with job responsibilities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5.1,CC6.5.1,Point of Focus,3,133,Identifies Data and Software for Disposal,Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5.2,CC6.5.2,Point of Focus,3,134,Removes Data and Software From Entity Control,Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.1,CC6.6.1,Point of Focus,3,135,Restricts Access,"The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.2,CC6.6.2,Point of Focus,3,136,Protects Identification and Authentication Credentials,Identification and authentication credentials are protected during transmission outside its system boundaries. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.3,CC6.6.3,Point of Focus,3,137,Requires Additional Authentication or Credentials,Additional authentication information or credentials are required when accessing the system from outside its boundaries. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.4,CC6.6.4,Point of Focus,3,138,Implements Boundary Protection Systems,"Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.1,CC6.7.1,Point of Focus,3,139,Restricts the Ability to Perform Transmission,"Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.2,CC6.7.2,Point of Focus,3,140,Uses Encryption Technologies or Secure Communication Channels to Protect Data,Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.3,CC6.7.3,Point of Focus,3,141,Protects Removal Media,"Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.4,CC6.7.4,Point of Focus,3,142,Protects Mobile Devices,"Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.1,CC6.8.1,Point of Focus,3,143,Restricts Application and Software Installation,The ability to install applications and software is restricted to authorized individuals. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.2,CC6.8.2,Point of Focus,3,144,Detects Unauthorized Changes to Software and Configuration Parameters,Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.3,CC6.8.3,Point of Focus,3,145,Uses a Defined Change Control Process,A management-defined change control process is used for the implementation of software. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.4,CC6.8.4,Point of Focus,3,146,Uses Antivirus and Anti-Malware Software,Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.5,CC6.8.5,Point of Focus,3,147,Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software,Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.1,CC7.1.1,Point of Focus,3,148,Uses Defined Configuration Standards,Management has defined configuration standards. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.2,CC7.1.2,Point of Focus,3,149,Monitors Infrastructure and Software,"The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.3,CC7.1.3,Point of Focus,3,150,Implements Change-Detection Mechanisms,"The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.4,CC7.1.4,Point of Focus,3,151,Detects Unknown or Unauthorized Components,Procedures are in place to detect the introduction of unknown or unauthorized components. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.5,CC7.1.5,Point of Focus,3,152,Conducts Vulnerability Scans,The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.1,CC7.2.1,Point of Focus,3,153,"Implements Detection Policies, Procedures, and Tools","Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.2,CC7.2.2,Point of Focus,3,154,Designs Detection Measures,Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.3,CC7.2.3,Point of Focus,3,155,Implements Filters to Analyze Anomalies,"Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.4,CC7.2.4,Point of Focus,3,156,Monitors Detection Tools for Effective Operation,Management has implemented processes to monitor the effectiveness of detection tools. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.1,CC7.3.1,Point of Focus,3,157,Responds to Security Incidents,Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.2,CC7.3.2,Point of Focus,3,158,Communicates and Reviews Detected Security Events,"Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.3,CC7.3.3,Point of Focus,3,159,Develops and Implements Procedures to Analyze Security Incidents,Procedures are in place to analyze security incidents and determine system impact. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.4,CC7.3.4,Point of Focus,3,160,Assesses the Impact on Personal Information,Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.5,CC7.3.5,Point of Focus,3,161,Determines Personal Information Used or Disclosed,"When an unauthorized use or disclosure of personal information has occurred, the affected information is identified. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.1,CC7.4.1,Point of Focus,3,162,Assigns Roles and Responsibilities,"Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.2,CC7.4.2,Point of Focus,3,163,Contains Security Incidents,Procedures are in place to contain security incidents that actively threaten entity objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.3,CC7.4.3,Point of Focus,3,164,Mitigates Ongoing Security Incidents,Procedures are in place to mitigate the effects of ongoing security incidents. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.4,CC7.4.4,Point of Focus,3,165,Ends Threats Posed by Security Incidents,"Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.5,CC7.4.5,Point of Focus,3,166,Restores Operations,Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.6,CC7.4.6,Point of Focus,3,167,Develops and Implements Communication Protocols for Security Incidents,Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.7,CC7.4.7,Point of Focus,3,168,Obtains Understanding of Nature of Incident and Determines Containment Strategy,"An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.8,CC7.4.8,Point of Focus,3,169,Remediates Identified Vulnerabilities,Identified vulnerabilities are remediated through the development and execution of remediation activities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.9,CC7.4.9,Point of Focus,3,170,Communicates Remediation Activities,Remediation activities are documented and communicated in accordance with the incident response program. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.10,CC7.4.10,Point of Focus,3,171,Evaluates the Effectiveness of Incident Response,The design of incident response activities is evaluated for effectiveness on a periodic basis. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.11,CC7.4.11,Point of Focus,3,172,Periodically Evaluates Incidents,"Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.12,CC7.4.12,Point of Focus,3,173,Communicates Unauthorized Use and Disclosure,"Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.13,CC7.4.13,Point of Focus,3,174,Application of Sanctions,"The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.1,CC7.5.1,Point of Focus,3,175,Restores the Affected Environment,"The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.2,CC7.5.2,Point of Focus,3,176,Communicates Information About the Event,"Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.3,CC7.5.3,Point of Focus,3,177,Determines Root Cause of the Event,The root cause of the event is determined. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.4,CC7.5.4,Point of Focus,3,178,Implements Changes to Prevent and Detect Recurrences,"Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.5,CC7.5.5,Point of Focus,3,179,Improves Response and Recovery Procedures,"Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.6,CC7.5.6,Point of Focus,3,180,Implements Incident Recovery Plan Testing,Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.1,CC8.1.1,Point of Focus,3,181,Manages Changes Throughout the System Lifecycle,"A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.2,CC8.1.2,Point of Focus,3,182,Authorizes Changes,A process is in place to authorize system changes prior to development. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.3,CC8.1.3,Point of Focus,3,183,Designs and Develops Changes,A process is in place to design and develop system changes. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.4,CC8.1.4,Point of Focus,3,184,Documents Changes,A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.5,CC8.1.5,Point of Focus,3,185,Tracks System Changes,A process is in place to track system changes prior to implementation. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.6,CC8.1.6,Point of Focus,3,186,Configures Software,A process is in place to select and implement the configuration parameters used to control the functionality of software. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.7,CC8.1.7,Point of Focus,3,187,Tests System Changes,A process is in place to test system changes prior to implementation. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.8,CC8.1.8,Point of Focus,3,188,Approves System Changes,A process is in place to approve system changes prior to implementation. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.9,CC8.1.9,Point of Focus,3,189,Deploys System Changes,A process is in place to implement system changes. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.10,CC8.1.10,Point of Focus,3,190,Identifies and Evaluates System Changes,"Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle." +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.11,CC8.1.11,Point of Focus,3,191,"Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents","Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.12,CC8.1.12,Point of Focus,3,192,Creates Baseline Configuration of IT Technology,A baseline configuration of IT and control systems is created and maintained. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.13,CC8.1.13,Point of Focus,3,193,Provides for Changes Necessary in Emergency Situations ,"A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.14,CC8.1.14,Point of Focus,3,194,Protects Confidential Information,"The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.15,CC8.1.15,Point of Focus,3,195,Protects Personal Information,"The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1.1,CC9.1.1,Point of Focus,3,196,Considers Mitigation of Risks of Business Disruption,"Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1.2,CC9.1.2,Point of Focus,3,197,Considers the Use of Insurance to Mitigate Financial Impact Risks,The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.1,CC9.2.1,Point of Focus,3,198,Establishes Requirements for Vendor and Business Partner Engagements,"The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.2,CC9.2.2,Point of Focus,3,199,Assesses Vendor and Business Partner Risks,"The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.3,CC9.2.3,Point of Focus,3,200,Assigns Responsibility and Accountability for Managing Vendors and Business Partners,The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.4,CC9.2.4,Point of Focus,3,201,Establishes Communication Protocols for Vendors and Business Partners,The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.5,CC9.2.5,Point of Focus,3,202,Establishes Exception Handling Procedures From Vendors and Business Partners ,The entity establishes exception handling procedures for service or product issues related to vendors and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.6,CC9.2.6,Point of Focus,3,203,Assesses Vendor and Business Partner Performance,The entity periodically assesses the performance of vendors and business partners. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.7,CC9.2.7,Point of Focus,3,204,Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments,The entity implements procedures for addressing issues identified with vendor and business partner relationships. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.8,CC9.2.8,Point of Focus,3,205,Implements Procedures for Terminating Vendor and Business Partner Relationships , The entity implements procedures for terminating vendor and business partner relationships. +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.9,CC9.2.9,Point of Focus,3,206,Obtains Confidentiality Commitments from Vendors and Business Partners,The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.10,CC9.2.10,Point of Focus,3,207,Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners ,"On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.11,CC9.2.11,Point of Focus,3,208,Obtains Privacy Commitments from Vendors and Business Partners,"The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. " +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.12,CC9.2.12,Point of Focus,3,209,Assesses Compliance with Privacy Commitments of Vendors and Business Partners,"On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary." +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.1,A1.1.1,Point of Focus,3,210,Measures Current Usage,The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.2,A1.1.2,Point of Focus,3,211,Forecasts Capacity,The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.3,A1.1.3,Point of Focus,3,212,Makes Changes Based on Forecasts,The system change management process is initiated when forecasted usage exceeds capacity tolerances. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.1,A1.2.1,Point of Focus,3,213,Identifies Environmental Threats,"As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. " +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.2,A1.2.2,Point of Focus,3,214,Designs Detection Measures,Detection measures are implemented to identify anomalies that could result from environmental threat events. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.3,A1.2.3,Point of Focus,3,215,Implements and Maintains Environmental Protection Mechanisms,Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.4,A1.2.4,Point of Focus,3,216,Implements Alerts to Analyze Anomalies,Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.5,A1.2.5,Point of Focus,3,217,Responds to Environmental Threat Events,"Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem)." +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.6,A1.2.6,Point of Focus,3,218,Communicates and Reviews Detected Environmental Threat Events,"Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary." +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.7,A1.2.7,Point of Focus,3,219,Determines Data Requiring Backup,Data is evaluated to determine whether backup is required. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.8,A1.2.8,Point of Focus,3,220,Performs Data Backup,"Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. " +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.9,A1.2.9,Point of Focus,3,221,Addresses Offsite Storage,Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.10,A1.2.10,Point of Focus,3,222,Implements Alternate Processing Infrastructure,Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3.1,A1.3.1,Point of Focus,3,223,Implements Business Continuity Plan Testing,Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3.2,A1.3.2,Point of Focus,3,224,Tests Integrity and Completeness of Back-Up Data,The integrity and completeness of back-up information is tested on a periodic basis. +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1.1,C1.1.1,Point of Focus,3,225,Identifies Confidential information,Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1.2,C1.1.2,Point of Focus,3,226,Protects Confidential Information from Destruction,Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2.1,C1.2.1,Point of Focus,3,227,Identifies Confidential Information for Destruction,Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2.2,C1.2.2,Point of Focus,3,228,Destroys Confidential Information,Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.1.1,PI1.1.1,Point of Focus,3,229,Defines Data Necessary to Support a Product or Service,"When data is provided as part of a service or product or as part of a reporting obligation related to a product or service: +(1)    The definition of the data is available to the users of the data +(2)    The definition of the data includes the following information: +—    The population of events or instances included in the data +—    The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day) +—    Source(s) of the data +—    The unit(s) of measurement of data elements (for example, fields) +—    The accuracy/correctness/precision of measurement +—    The uncertainty or confidence interval inherent in each data element and in the population of those elements +—    The date the data was observed or the period of time during which the events relevant to the data occurred +—    The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population +(3)    The 
definition is complete and accurate. +(4)    The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (meta-data) that has not been included within the data. " +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.1,PI1.2.1,Point of Focus,3,230,Defines Characteristics of Processing Inputs,The characteristics of processing inputs that are necessary to meet requirements are defined. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.2,PI1.2.2,Point of Focus,3,231,Evaluates Processing Inputs,Processing inputs are evaluated for compliance with defined input requirements. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.3,PI1.2.3,Point of Focus,3,232,Creates and Maintains Records of System Inputs,Records of system input activities are created and maintained completely and accurately in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.1,PI1.3.1,Point of Focus,3,233,Defines Processing Specifications,The processing specifications that are necessary to meet product or service requirements are defined. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.2,PI1.3.2,Point of Focus,3,234,Defines Processing Activities,Processing activities are defined to result in products or services that meet specifications. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.3,PI1.3.3,Point of Focus,3,235,Detects and Corrects Production Errors,Errors in the production process are detected and corrected in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.4,PI1.3.4,Point of Focus,3,236,Records System Processing Activities,System processing activities are recorded completely and accurately in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.5,PI1.3.5,Point of Focus,3,237,Processes Inputs,"Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.1,PI1.4.1,Point of Focus,3,238,Protects Output,"Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. " +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.2,PI1.4.2,Point of Focus,3,239,Distributes Output Only to Intended Parties,Output is distributed or made available only to intended parties. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.3,PI1.4.3,Point of Focus,3,240,Distributes Output Completely and Accurately,"Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. " +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.4,PI1.4.4,Point of Focus,3,241,Creates and Maintains Records of System Output Activities,Records of system output activities are created and maintained completely and accurately in a timely manner. +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.1,PI1.5.1,Point of Focus,3,242,Protects Stored Items,"Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications." +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.2,PI1.5.2,Point of Focus,3,243,Archives and Protects System Records,"System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. " +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.3,PI1.5.3,Point of Focus,3,244,Stores Data Completely and Accurately,"Procedures are in place to provide for the complete, accurate, and timely storage of data. " +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.4,PI1.5.4,Point of Focus,3,245,Creates and Maintains Records of System Storage Activities,Records of system storage activities are created and maintained completely and accurately in a timely manner. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.1,P1.1.1,Point of Focus,3,246,Communicates to Data Subjects,"Notice is provided to data subjects regarding the following: +—    Purpose for collecting personal information +—    Choice and consent +—    Types of personal information collected +—    Methods of collection (for example, use of cookies or other tracking techniques) +—    Use, retention, and disposal +—    Access +—    Disclosure to third parties +—    Security for privacy +—    Quality, including data subjects’ responsibilities for quality +—    Monitoring and enforcement +If personal information is collected from sources other than the individual, such sources are described in the privacy notice." +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.2,P1.1.2,Point of Focus,3,247,Provides Notice to Data Subjects,"Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified." +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.3,P1.1.3,Point of Focus,3,248,Covers Entities and Activities in Notice ,An objective description of the entities and activities covered is included in the entity’s privacy notice. +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.4,P1.1.4,Point of Focus,3,249,Uses Clear and Conspicuous Language,The entity’s privacy notice is conspicuous and uses clear language. +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.1,P2.1.1,Point of Focus,3,250,Communicates to Data Subjects,"Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.2,P2.1.2,Point of Focus,3,251,Communicates Consequences of Denying or Withdrawing Consent,"When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice." +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.3,P2.1.3,Point of Focus,3,252,Obtains Implicit or Explicit Consent,Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented. +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.4,P2.1.4,Point of Focus,3,253,Documents and Obtains Consent for New Purposes and Uses,"If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose." +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.5,P2.1.5,Point of Focus,3,254,Obtains Explicit Consent for Sensitive Information,"Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise." +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.6,P2.1.6,Point of Focus,3,255,Obtains Consent for Data Transfers,Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.1,P3.1.1,Point of Focus,3,256,Limits the Collection of Personal Information,The collection of personal information is limited to that necessary to meet the entity’s objectives. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.2,P3.1.2,Point of Focus,3,257,Collects Information by Fair and Lawful Means,"Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information." +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.3,P3.1.3,Point of Focus,3,258,Collects Information From Reliable Sources,"Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully." +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.4,P3.1.4,Point of Focus,3,259,Informs Data Subjects When Additional Information Is Acquired,Data subjects are informed if the entity develops or acquires additional information about them for its use. +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2.1,P3.2.1,Point of Focus,3,260,Obtains Explicit Consent for Sensitive Information,"Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise." +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2.2,P3.2.2,Point of Focus,3,261,Documents Explicit Consent to Retain Information,"Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. " +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.1.1,P4.1.1,Point of Focus,3,262,Uses Personal Information for Intended Purposes,Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2.1,P4.2.1,Point of Focus,3,263,Retains Personal Information,"Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise." +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2.2,P4.2.2,Point of Focus,3,264,Protects Personal Information,Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.1,P4.3.1,Point of Focus,3,265,"Captures, Identifies, and Flags Requests for Deletion","Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. " +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.2,P4.3.2,Point of Focus,3,266,"Disposes of, Destroys, and Redacts Personal Information","Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access." +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.3,P4.3.3,Point of Focus,3,267,Destroys Personal Information,Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction. +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.1,P5.1.1,Point of Focus,3,268,Authenticates Data Subjects’ Identity,The identity of data subjects who request access to their personal information is authenticated before they are given access to that information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.2,P5.1.2,Point of Focus,3,269,Permits Data Subjects Access to Their Personal Information,"Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.3,P5.1.3,Point of Focus,3,270,Provides Understandable Personal Information Within Reasonable Time,"Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any." +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.4,P5.1.4,Point of Focus,3,271,Informs Data Subjects If Access Is Denied,"When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation." +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.1,P5.2.1,Point of Focus,3,272,Communicates Denial of Access Requests,"Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. " +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.2,P5.2.2,Point of Focus,3,273,Permits Data Subjects to Update or Correct Personal Information,Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy. +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.3,P5.2.3,Point of Focus,3,274,Communicates Denial of Correction Requests,"Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.1,P6.1.1,Point of Focus,3,275,Communicates Privacy Policies to Third Parties,Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.2,P6.1.2,Point of Focus,3,276,Discloses Personal Information Only When Appropriate,"Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.3,P6.1.3,Point of Focus,3,277,Discloses Personal Information Only to Appropriate Third Parties,"Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.4,P6.1.4,Point of Focus,3,278,Discloses Information to Third Parties for New Purposes and Uses,Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects. +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.2.1,P6.2.1,Point of Focus,3,279,Creates and Retains Record of Authorized Disclosures,"The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely. " +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.3.1,P6.3.1,Point of Focus,3,280,Creates and Retains Record of Detected or Reported Unauthorized Disclosures,"The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely." 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4.1,P6.4.1,Point of Focus,3,281,Discloses Personal Information Only to Appropriate Third Parties,"Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4.2,P6.4.2,Point of Focus,3,282,Remediates Misuse of Personal Information by a Third Party ,The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5.1,P6.5.1,Point of Focus,3,283,Remediates Misuse of Personal Information by a Third Party,The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5.2,P6.5.2,Point of Focus,3,284,Reports Actual or Suspected Unauthorized Disclosures,A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6.1,P6.6.1,Point of Focus,3,285,Remediates Misuse of Personal Information by a Third Party,The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6.2,P6.6.2,Point of Focus,3,286,Provides Notice of Breaches and Incidents,"The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. 
" +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7.1,P6.7.1,Point of Focus,3,287,Identifies Types of Personal Information and Handling Process,"The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified." +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7.2,P6.7.2,Point of Focus,3,288,"Captures, Identifies, and Communicates Requests for Information","Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy." +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1.1,P7.1.1,Point of Focus,3,289,Ensures Accuracy and Completeness of Personal Information,Personal information is accurate and complete for the purposes for which it is to be used. +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1.2,P7.1.2,Point of Focus,3,290,Ensures Relevance of Personal Information,Personal information is relevant to the purposes for which it is to be used. +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.1,P8.1.1,Point of Focus,3,291,Communicates to Data Subjects,"Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes." +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.2,P8.1.2,Point of Focus,3,292,"Addresses Inquiries, Complaints, and Disputes","A process is in place to address inquiries, complaints, and disputes." +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.3,P8.1.3,Point of Focus,3,293,Documents and Communicates Dispute Resolution and Recourse,"Each complaint is addressed, and the resolution is documented and communicated to the individual." +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.4,P8.1.4,Point of Focus,3,294,Documents and Reports Compliance Review Results,"Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. 
If problems are identified, remediation plans are developed and implemented." +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.5,P8.1.5,Point of Focus,3,295,Documents and Reports Instances of Noncompliance,"Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis." +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.6,P8.1.6,Point of Focus,3,296,Performs Ongoing Monitoring,Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. +scf,scf:gov,GOV,Domains & Principles,0,1,Security & Privacy Governance,"Security & Privacy by Design (S|P) Principles: +Execute a documented, risk-based program that supports business objectives while encompassing appropriate security and privacy principles that addresses applicable statutory, regulatory and contractual obligations. + +Principle Intent: +Organizations specify the development of an organization’s security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management." +scf,scf:ast,AST,Domains & Principles,0,2,Asset Management,"Security & Privacy by Design (S|P) Principles: +Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location. + +Principle Intent: +Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and to protect the organization’s data that is stored, processed or transmitted on its assets." 
+scf,scf:bcd,BCD,Domains & Principles,0,3,Business Continuity & Disaster Recovery,"Security & Privacy by Design (S|P) Principles: +Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes. + +Principle Intent: +Organizations establish processes that will help the organization recover from adverse situations with the minimal impact to operations, as well as provide the ability for e-discovery." +scf,scf:cap,CAP,Domains & Principles,0,4,Capacity & Performance Planning,"Security & Privacy by Design (S|P) Principles: +Govern the current and future capacities and performance of technology assets. + +Principle Intent: +Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance." +scf,scf:chg,CHG,Domains & Principles,0,5,Change Management,"Security & Privacy by Design (S|P) Principles: +Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur. + +Principle Intent: +Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime, as well as allow easier troubleshooting of issues." +scf,scf:cld,CLD,Domains & Principles,0,6,Cloud Security,"Security & Privacy by Design (S|P) Principles: +Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal cybersecurity and privacy controls. 
+ +Principle Intent: +Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed. " +scf,scf:cpl,CPL,Domains & Principles,0,7,Compliance,"Security & Privacy by Design (S|P) Principles: +Oversee the execution of cybersecurity and privacy controls to ensure appropriate evidence required due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations. + +Principle Intent: +Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards." +scf,scf:cfg,CFG,Domains & Principles,0,8,Configuration Management,"Security & Privacy by Design (S|P) Principles: +Enforce secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices. + +Principle Intent: +Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code." +scf,scf:mon,MON,Domains & Principles,0,9,Continuous Monitoring,"Security & Privacy by Design (S|P) Principles: +Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services. + +Principle Intent: +Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. 
Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources." +scf,scf:cry,CRY,Domains & Principles,0,10,Cryptographic Protections,"Security & Privacy by Design (S|P) Principles: +Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit. + +Principle Intent: +Organizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data." +scf,scf:dch,DCH,Domains & Principles,0,11,Data Classification & Handling,"Security & Privacy by Design (S|P) Principles: +Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can + +Principle Intent: +Organizations ensure that technology assets, both hardware and media, are properly classified and measures implemented to protect the organization’s data from unauthorized disclosure, regardless if it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data." +scf,scf:emb,EMB,Domains & Principles,0,12,Embedded Technology,"Security & Privacy by Design (S|P) Principles: +Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology. 
+ +Principle Intent: +Organizations specify the development, proactive management and ongoing review of security embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices." +scf,scf:end,END,Domains & Principles,0,13,Endpoint Security,"Security & Privacy by Design (S|P) Principles: +Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process. + +Principle Intent: +Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations." +scf,scf:hrs,HRS,Domains & Principles,0,14,Human Resources Security,"Security & Privacy by Design (S|P) Principles: +Execute sound hiring practices and ongoing personnel management to cultivate a security and privacy-minded workforce. + +Principle Intent: +Organizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration." +scf,scf:iac,IAC,Domains & Principles,0,15,Identification & Authentication,"Security & Privacy by Design (S|P) Principles: +Enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability. + +Principle Intent: +Organizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only." 
+scf,scf:iro,IRO,Domains & Principles,0,16,Incident Response,"Security & Privacy by Design (S|P) Principles: +Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP). + +Principle Intent: +Organizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents." +scf,scf:iao,IAO,Domains & Principles,0,17,Information Assurance,"Security & Privacy by Design (S|P) Principles: +Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity and privacy controls, prior to a system, application or service being used in a production environment. + +Principle Intent: +Organizations ensure the adequately of security and controls are appropriate in both development and production environments." +scf,scf:mnt,MNT,Domains & Principles,0,18,Maintenance,"Security & Privacy by Design (S|P) Principles: +Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties. + +Principle Intent: +Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets." +scf,scf:mdm,MDM,Domains & Principles,0,19,Mobile Device Management,"Security & Privacy by Design (S|P) Principles: +Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive data that limit the attack surface and potential data exposure from mobile device usage. 
+ +Principle Intent: +Organizations govern risks associated with mobile devices, regardless if the device is owned by the organization, its users or trusted third-parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices." +scf,scf:net,NET,Domains & Principles,0,20,Network Security,"Security & Privacy by Design (S|P) Principles: +Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services. + +Principle Intent: +Organizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks." +scf,scf:pes,PES,Domains & Principles,0,21,Physical & Environmental Security,"Security & Privacy by Design (S|P) Principles: +Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage. + +Principle Intent: +Organizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats." +scf,scf:pri,PRI,Domains & Principles,0,22,Privacy,"Security & Privacy by Design (S|P) Principles: +Align privacy practices with industry-recognized privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services. 
+ +Principle Intent: +Organizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Data (PD) that implements the concept of privacy by design and by default." +scf,scf:prm,PRM,Domains & Principles,0,23,Project & Resource Management,"Security & Privacy by Design (S|P) Principles: +Operationalize a viable strategy to achieve cybersecurity & privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions. + +Principle Intent: +Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution." +scf,scf:rsk,RSK,Domains & Principles,0,24,Risk Management,"Security & Privacy by Design (S|P) Principles: +Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold. + +Principle Intent: +Organizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and / or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk." +scf,scf:sea,SEA,Domains & Principles,0,25,Secure Engineering & Architecture,"Security & Privacy by Design (S|P) Principles: +Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services. + +Principle Intent: +Organizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments." 
+scf,scf:ops,OPS,Domains & Principles,0,26,Security Operations,"Security & Privacy by Design (S|P) Principles: +Execute the delivery of security and privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs. + +Principle Intent: +Organizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity, physical security and privacy operations." +scf,scf:sat,SAT,Domains & Principles,0,27,Security Awareness & Training,"Security & Privacy by Design (S|P) Principles: +Foster a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices. + +Principle Intent: +Organizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training." +scf,scf:tda,TDA,Domains & Principles,0,28,Technology Development & Acquisition,"Security & Privacy by Design (S|P) Principles: +Develop and test systems, applications or services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design weaknesses. + +Principle Intent: +Organizations ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated." +scf,scf:tpm,TPM,Domains & Principles,0,29,Third-Party Management,"Security & Privacy by Design (S|P) Principles: +Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery. 
+ +Principle Intent: +Organizations ensure that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become compromised, untrustworthy or defunct." +scf,scf:thr,THR,Domains & Principles,0,30,Threat Management ,"Security & Privacy by Design (S|P) Principles: +Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action. + +Principle Intent: +Organizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes." +scf,scf:vpm,VPM,Domains & Principles,0,31,Vulnerability & Patch Management,"Security & Privacy by Design (S|P) Principles: +Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience systems, applications and services against evolving and sophisticated attack vectors. + +Principle Intent: +Organizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized." +scf,scf:web,WEB,Domains & Principles,0,32,Web Security,"Security & Privacy by Design (S|P) Principles: +Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity. + +Principle Intent: +Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities." +scf,scf:gov-01,GOV-01,Controls,1,1,Security & Privacy Governance Program ,"Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls. 
+ +Methods To Comply With SCF Controls: +- Steering committee +- Digital Security Program (DSP) +- Cybersecurity & Data Protection Program (CDPP)" +scf,scf:gov-01.1,GOV-01.1,Controls,1,2,Steering Committee,"Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising of key cybersecurity, privacy and business executives, which meets formally and on a regular basis. + +Methods To Comply With SCF Controls: +- Steering committee +- Digital Security Program (DSP) +- Cybersecurity & Data Protection Program (CDPP)" +scf,scf:gov-01.2,GOV-01.2,Controls,1,3,Status Reporting To Governing Body,Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity and privacy program. +scf,scf:gov-02,GOV-02,Controls,1,4,Publishing Security & Privacy Documentation ,"Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures. + +Methods To Comply With SCF Controls: +- Steering committee +- Digital Security Program (DSP) +- Cybersecurity & Data Protection Program (CDPP) +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) +- Wiki +- SharePoint" +scf,scf:gov-03,GOV-03,Controls,1,5,Periodic Review & Update of Security & Privacy Program,"Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. + +Methods To Comply With SCF Controls: +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) 
+- Steering committee" +scf,scf:gov-04,GOV-04,Controls,1,6,Assigned Security & Privacy Responsibilities ,"Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program. + +Methods To Comply With SCF Controls: +- NIST NICE Framework +- Chief Information Security Officer (CISO)" +scf,scf:gov-05,GOV-05,Controls,1,7,Measures of Performance ,"Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance. + +Methods To Comply With SCF Controls: +- Metrics +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) +- Enterprise Risk Management (ERM) solution" +scf,scf:gov-05.1,GOV-05.1,Controls,1,8,Key Performance Indicators (KPIs),"Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and privacy program. + +Methods To Comply With SCF Controls: +- Key Performance Indicators (KPIs)" +scf,scf:gov-05.2,GOV-05.2,Controls,1,9,Key Risk Indicators (KRIs),"Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program. + +Methods To Comply With SCF Controls: +- Key Risk Indicators (KRIs)" +scf,scf:gov-06,GOV-06,Controls,1,10,Contacts With Authorities ,"Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies. 
+ +Methods To Comply With SCF Controls: +- Threat intelligence personnel +- Integrated Security Incident Response Team (ISIRT)" +scf,scf:gov-07,GOV-07,Controls,1,11,Contacts With Groups & Associations ,"Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: + +Methods To Comply With SCF Controls: +- SANS +- CISO Executive Network +- ISACA chapters +- IAPP chapters +- ISAA chapters" +scf,scf:gov-08,GOV-08,Controls,1,12,Defining Business Context & Mission,Mechanisms exist to define the context of its business model and document the mission of the organization. +scf,scf:gov-09,GOV-09,Controls,1,13,Define Control Objectives,"Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system." +scf,scf:gov-10,GOV-10,Controls,1,14,Data Governance,"Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations." +scf,scf:gov-11,GOV-11,Controls,1,15,Purpose Validation,Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose. +scf,scf:gov-12,GOV-12,Controls,1,16,Forced Technology Transfer (FTT),"Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. 
+ +Methods To Comply With SCF Controls: +- Board of Directors (Bod) Ethics Committee" +scf,scf:gov-13,GOV-13,Controls,1,17,State-Sponsored Espionage,"Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. + +Methods To Comply With SCF Controls: +- Board of Directors (Bod) Ethics Committee" +scf,scf:gov-14,GOV-14,Controls,1,18,Business As Usual (BAU) Secure Practices,Mechanisms exist to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices through executive leadership involvement. +scf,scf:gov-15,GOV-15,Controls,1,19,Operationalizing Cybersecurity & Privacy Practices,"Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control." +scf,scf:gov-15.1,GOV-15.1,Controls,1,20,Select Controls,"Mechanisms exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control." +scf,scf:gov-15.2,GOV-15.2,Controls,1,21,Implement Controls,"Mechanisms exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control." +scf,scf:gov-15.3,GOV-15.3,Controls,1,22,Assess Controls,"Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended." +scf,scf:gov-15.4,GOV-15.4,Controls,1,23,"Authorize Systems, Applications & Services","Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control." 
+scf,scf:gov-15.5,GOV-15.5,Controls,1,24,Monitor Controls,"Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended." +scf,scf:ast-01,AST-01,Controls,1,25,Asset Governance ,"Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls. + +Methods To Comply With SCF Controls: +- Generally Accepted Accounting Principles (GAAP) +- ITIL - Configuration Management Database (CMDB) +- IT Asset Management (ITAM) program" +scf,scf:ast-01.1,AST-01.1,Controls,1,26,Asset-Service Dependencies,Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function. +scf,scf:ast-01.2,AST-01.2,Controls,1,27,Stakeholder Identification & Involvement,"Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets." +scf,scf:ast-01.3,AST-01.3,Controls,1,28,Standardized Naming Convention,"Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts." +scf,scf:ast-02,AST-02,Controls,1,29,Asset Inventories ,"Mechanisms exist to perform inventories of technology assets that: + +Methods To Comply With SCF Controls: +- ManageEngine AssetExplorer +- LANDesk IT Asset Management Suite +- ServiceNow (https://www.servicenow.com/) +- Solarwinds (https://www.solarwinds.com/) +- CrowdStrike +- JAMF +- ITIL - Configuration Management Database (CMDB)" +scf,scf:ast-02.1,AST-02.1,Controls,1,30,Updates During Installations / Removals,"Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades. 
+ +Methods To Comply With SCF Controls: +- CrowdStrike +- JAMF +- ITIL - Configuration Management Database (CMDB)" +scf,scf:ast-02.2,AST-02.2,Controls,1,31,Automated Unauthorized Component Detection,"Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- DHCP logging +- Active discovery tools +- NNT Change Tracker (https://www.newnettechnologies.com) +- Vectra +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) +- Puppet (https://puppet.com/) +- Chef (https://www.chef.io/) (https://www.chef.io/) +- Microsoft SCCM +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:ast-02.3,AST-02.3,Controls,1,32,Component Duplication Avoidance ,"Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories. + +Methods To Comply With SCF Controls: +- ITIL - Configuration Management Database (CMDB) +- Manual or automated process" +scf,scf:ast-02.4,AST-02.4,Controls,1,33,Approved Baseline Deviations,"Mechanisms exist to document and govern instances of approved deviations from established baseline configurations. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com) +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) +- SCCM +- Puppet (https://puppet.com/) +- Chef (https://www.chef.io/) (https://www.chef.io/) +- Microsoft SCCM" +scf,scf:ast-02.5,AST-02.5,Controls,1,34,Network Access Control (NAC),"Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disable network access to those unauthorized devices. + +Methods To Comply With SCF Controls: +- Cisco NAC +- Aruba Networks +- Juniper NAC +- Packet Fence +- Symantec NAC +- Sophos NAC +- Bradford Networks NAC Director +- Cisco ISE +- ForeScout" +scf,scf:ast-02.6,AST-02.6,Controls,1,35,Dynamic Host Configuration Protocol (DHCP) Server Logging,"Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems. + +Methods To Comply With SCF Controls: +- Splunk +- Manual Process +- Build Automation Tools +- NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html) +- Chef (https://www.chef.io/) (https://www.chef.io/) +- Puppet (https://puppet.com/) +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" +scf,scf:ast-02.7,AST-02.7,Controls,1,36,Software Licensing Restrictions,"Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions. + +Methods To Comply With SCF Controls: +- Manual Process +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" +scf,scf:ast-02.8,AST-02.8,Controls,1,37,Data Action Mapping,"Mechanisms exist to create and maintain a map of technology assets where sensitive data is stored, transmitted or processed. 
+ +Methods To Comply With SCF Controls: +- Visio +- LucidChart" +scf,scf:ast-02.9,AST-02.9,Controls,1,38,Configuration Management Database (CMDB),"Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information. + +Methods To Comply With SCF Controls: +- Configuration Management Database (CMDB)" +scf,scf:ast-02.10,AST-02.10,Controls,1,39,Automated Location,Mechanisms exist to track the geographic location of system components. +scf,scf:ast-02.11,AST-02.11,Controls,1,40,Component Assignment,Mechanisms exist to bind components to a specific system. +scf,scf:ast-03,AST-03,Controls,1,41,Asset Ownership Assignment,"Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection." +scf,scf:ast-03.1,AST-03.1,Controls,1,42,Accountability Information,"Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process." +scf,scf:ast-03.2,AST-03.2,Controls,1,43,Provenance,"Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data." 
+scf,scf:ast-04,AST-04,Controls,1,44,Network Diagrams & Data Flow Diagrams (DFDs),"Mechanisms exist to maintain network architecture diagrams that: + +Methods To Comply With SCF Controls: +- High-Level Diagram (HLD) +- Low-Level Diagram (LLD) +- Data Flow Diagram (DFD) +- Solarwinds (https://www.solarwinds.com/) +- Paessler +- PRTG" +scf,scf:ast-04.1,AST-04.1,Controls,1,45,Asset Scope Classification,"Mechanisms exist to determine cybersecurity and privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties)." +scf,scf:ast-04.2,AST-04.2,Controls,1,46,Control Applicability Boundary Graphical Representation,"Mechanisms exist to ensure control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries." +scf,scf:ast-04.3,AST-04.3,Controls,1,47,Compliance-Specific Asset Identification,"Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization." +scf,scf:ast-05,AST-05,Controls,1,48,Security of Assets & Media,"Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media. + +Methods To Comply With SCF Controls: +- ITIL - Configuration Management Database (CMDB) +- Definitive Software Library (DSL)" +scf,scf:ast-05.1,AST-05.1,Controls,1,49,Management Approval For External Media Transfer,Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities. 
+scf,scf:ast-06,AST-06,Controls,1,50,Unattended End-User Equipment ,"Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- File Integrity Monitoring (FIM) +- Lockable casings +- Tamper detection tape +- Full Disk Encryption (FDE) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:ast-06.1,AST-06.1,Controls,1,51,Asset Storage In Automobiles,"Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle. + +Methods To Comply With SCF Controls: +- Security awareness training +- Gamification" +scf,scf:ast-07,AST-07,Controls,1,52,Kiosks & Point of Interaction (PoI) Devices,"Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- File Integrity Monitoring (FIM) +- Lockable casings +- Tamper detection tape +- Chip & PIN" +scf,scf:ast-08,AST-08,Controls,1,53,Tamper Detection,"Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC). + +Methods To Comply With SCF Controls: +- ""Burner"" phones & laptops +- Tamper tape" +scf,scf:ast-09,AST-09,Controls,1,54,"Secure Disposal, Destruction or Re-Use of Equipment ","Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components. 
+ +Methods To Comply With SCF Controls: +- Shred-it +- IronMountain +- sdelete (sysinternals) +- Bootnukem" +scf,scf:ast-10,AST-10,Controls,1,55,Return of Assets ,"Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement. + +Methods To Comply With SCF Controls: +- Termination checklist +- Manual Process +- Native OS and Device Asset Tracking capabilities" +scf,scf:ast-11,AST-11,Controls,1,56,Removal of Assets ,"Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities. + +Methods To Comply With SCF Controls: +- RFID asset tagging +- RFID proximity sensors at access points +- Asset management software" +scf,scf:ast-12,AST-12,Controls,1,57,Use of Personal Devices,"Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities. + +Methods To Comply With SCF Controls: +- BYOD policy" +scf,scf:ast-13,AST-13,Controls,1,58,Use of Third-Party Devices,"Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data. + +Methods To Comply With SCF Controls: +- NAC +- Separate SSIDs for wireless networks +- SIEM monitoring/alerting +- Manual process to disable network all unused ports +- Network Access Control (NAC) +- Mobile Device Management (MDM) software +- Data Loss Prevention (DLP)" +scf,scf:ast-14,AST-14,Controls,1,59,Usage Parameters,"Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:ast-14.1,AST-14.1,Controls,1,60,Bluetooth & Wireless Devices,"Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building." +scf,scf:ast-14.2,AST-14.2,Controls,1,61,Infrared Communications,Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space. +scf,scf:ast-15,AST-15,Controls,1,62,Tamper Protection,"Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Tamper detection tape +- File Integrity Monitoring (FIM) +- NNT Change Tracker (https://www.newnettechnologies.com) +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" +scf,scf:ast-15.1,AST-15.1,Controls,1,63,"Inspection of Systems, Components & Devices ","Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Tamper detection tape +- File Integrity Monitoring (FIM) +- NNT Change Tracker (https://www.newnettechnologies.com) +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" +scf,scf:ast-16,AST-16,Controls,1,64,Bring Your Own Device (BYOD) Usage ,"Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace. 
+ +Methods To Comply With SCF Controls: +- AirWatch +- SCCM +- Casper +- BYOD policy" +scf,scf:ast-17,AST-17,Controls,1,65,Prohibited Equipment & Services,Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body. +scf,scf:ast-18,AST-18,Controls,1,66,Roots of Trust Protection,"Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification." +scf,scf:ast-19,AST-19,Controls,1,67,Telecommunications Equipment,Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping. +scf,scf:ast-20,AST-20,Controls,1,68,Video Teleconference (VTC) Security,"Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping." +scf,scf:ast-21,AST-21,Controls,1,69,Voice Over Internet Protocol (VoIP) Security,Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks. +scf,scf:ast-22,AST-22,Controls,1,70,Microphones & Web Cameras,Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed. +scf,scf:ast-23,AST-23,Controls,1,71,Multi-Function Devices (MFD),Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device. 
+scf,scf:ast-24,AST-24,Controls,1,72,Travel-Only Devices,"Mechanisms exist to issue personnel travelling overseas with temporary, loaner or ""travel-only"" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies." +scf,scf:ast-25,AST-25,Controls,1,73,Re-Imaging Devices After Travel,"Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies." +scf,scf:ast-26,AST-26,Controls,1,74,System Administrative Processes,"Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services." +scf,scf:ast-27,AST-27,Controls,1,75,Jump Server,"Mechanisms exist to conduct remote system administrative functions via a ""jump box"" or ""jump server"" that is located in a separate network zone to user workstations." +scf,scf:ast-28,AST-28,Controls,1,76,Database Administrative Processes,"Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases." +scf,scf:ast-28.1,AST-28.1,Controls,1,77,Database Management System (DBMS),"Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable." +scf,scf:ast-29,AST-29,Controls,1,78,Radio Frequency Identification (RFID) Security,Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces. 
+scf,scf:ast-29.1,AST-29.1,Controls,1,79,Contactless Access Control Systems,Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces. +scf,scf:ast-30,AST-30,Controls,1,80,Decommissioning,"Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." +scf,scf:bcd-01,BCD-01,Controls,1,81,Business Continuity Management System (BCMS),"Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services. + +Methods To Comply With SCF Controls: +- Business Continuity Plan (BCP) +- Disaster Recovery Plan (DRP) +- Continuity of Operations Plan (COOP) +- Business Impact Analysis (BIA) +- Criticality assessments" +scf,scf:bcd-01.1,BCD-01.1,Controls,1,82,Coordinate with Related Plans ,"Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans. + +Methods To Comply With SCF Controls: +- Cybersecurity Incident Response Plan (IIRP)" +scf,scf:bcd-01.2,BCD-01.2,Controls,1,83,Coordinate With External Service Providers,"Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. + +Methods To Comply With SCF Controls: +- Business Continuity Plan (BCP) +- Disaster Recovery Plan (DRP) +- Continuity of Operations Plan (COOP)" +scf,scf:bcd-01.3,BCD-01.3,Controls,1,84,Transfer to Alternate Processing / Storage Site,Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan. 
+scf,scf:bcd-01.4,BCD-01.4,Controls,1,85,Recovery Time / Point Objectives (RTO / RPO),Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). +scf,scf:bcd-02,BCD-02,Controls,1,86,Identify Critical Assets ,"Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions. + +Methods To Comply With SCF Controls: +- Business Impact Analysis (BIA) +- Criticality assessments" +scf,scf:bcd-02.1,BCD-02.1,Controls,1,87,Resume All Missions & Business Functions,"Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation. + +Methods To Comply With SCF Controls: +- Disaster Recovery Plan (DRP) +- Continuity of Operations Plan (COOP) +- Disaster recovery software" +scf,scf:bcd-02.2,BCD-02.2,Controls,1,88,Continue Essential Mission & Business Functions,"Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites. + +Methods To Comply With SCF Controls: +- Disaster Recovery Plan (DRP) +- Continuity of Operations Plan (COOP)" +scf,scf:bcd-02.3,BCD-02.3,Controls,1,89,Resume Essential Missions & Business Functions ,"Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation. + +Methods To Comply With SCF Controls: +- Business Continuity Plan (BCP) +- Disaster Recovery Plan (DRP) +- Continuity of Operations Plan (COOP)" +scf,scf:bcd-02.4,BCD-02.4,Controls,1,90,Data Storage Location Reviews,Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data. 
+scf,scf:bcd-03,BCD-03,Controls,1,91,Contingency Training,"Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities. + +Methods To Comply With SCF Controls: +- NIST NICE Framework +- Tabletop exercises" +scf,scf:bcd-03.1,BCD-03.1,Controls,1,92,Simulated Events,"Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. + +Methods To Comply With SCF Controls: +- Tabletop exercises" +scf,scf:bcd-03.2,BCD-03.2,Controls,1,93,Automated Training Environments,Automated mechanisms exist to provide a more thorough and realistic contingency training environment. +scf,scf:bcd-04,BCD-04,Controls,1,94,Contingency Plan Testing & Exercises ,"Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan. + +Methods To Comply With SCF Controls: +- Simulated disasters / emergencies" +scf,scf:bcd-04.1,BCD-04.1,Controls,1,95,Coordinated Testing with Related Plans ,"Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans. + +Methods To Comply With SCF Controls: +- Playbooks +- Enterprise-wide Continuity of Operations Plan (COOP)" +scf,scf:bcd-04.2,BCD-04.2,Controls,1,96,Alternate Storage & Processing Sites,Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations. +scf,scf:bcd-05,BCD-05,Controls,1,97,Contingency Plan Root Cause Analysis (RCA) & Lessons Learned,"Mechanisms exist to conduct a Root Cause Analysis (RCA) and ""lessons learned"" activity every time the contingency plan is activated. 
+ +Methods To Comply With SCF Controls: +- Standardized Operating Procedures (SOP) +- Disaster Recovery Plan (DRP) +- Business Continuity Plan (BCP) +- Continuity of Operations Plan (COOP)" +scf,scf:bcd-06,BCD-06,Controls,1,98,Contingency Planning & Updates,"Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities. + +Methods To Comply With SCF Controls: +- Offline / offsite documentation" +scf,scf:bcd-07,BCD-07,Controls,1,99,Alternative Security Measures ,"Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised. + +Methods To Comply With SCF Controls: +- Business Impact Analysis (BIA) +- Criticality assessments" +scf,scf:bcd-08,BCD-08,Controls,1,100,Alternate Storage Site,"Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information. + +Methods To Comply With SCF Controls: +- SunGard +- AWS +- Azure" +scf,scf:bcd-08.1,BCD-08.1,Controls,1,101,Separation from Primary Site ,"Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats. + +Methods To Comply With SCF Controls: +- SunGard +- AWS +- Azure" +scf,scf:bcd-08.2,BCD-08.2,Controls,1,102,Accessibility ,"Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. + +Methods To Comply With SCF Controls: +- SunGard +- AWS +- Azure" +scf,scf:bcd-09,BCD-09,Controls,1,103,Alternate Processing Site,"Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site. 
+ +Methods To Comply With SCF Controls: +- SunGard +- AWS +- Azure" +scf,scf:bcd-09.1,BCD-09.1,Controls,1,104,Separation from Primary Site,"Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats. + +Methods To Comply With SCF Controls: +- SunGard +- AWS +- Azure" +scf,scf:bcd-09.2,BCD-09.2,Controls,1,105,Accessibility,"Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster. + +Methods To Comply With SCF Controls: +- Business Continuity Plan (BCP) +- Continuity of Operations Plan (COOP)" +scf,scf:bcd-09.3,BCD-09.3,Controls,1,106,Alternate Site Priority of Service,"Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs). + +Methods To Comply With SCF Controls: +- Hot / warm / cold site contracts" +scf,scf:bcd-09.4,BCD-09.4,Controls,1,107,Preparation for Use,Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site. +scf,scf:bcd-09.5,BCD-09.5,Controls,1,108,Inability to Return to Primary Site,Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site. +scf,scf:bcd-10,BCD-10,Controls,1,109,Telecommunications Services Availability,"Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services. 
+ +Methods To Comply With SCF Controls: +- Alternate telecommunications services are maintained with multiple ISP / network providers" +scf,scf:bcd-10.1,BCD-10.1,Controls,1,110,Telecommunications Priority of Service Provisions,"Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs). + +Methods To Comply With SCF Controls: +- Hot / warm / cold site contracts" +scf,scf:bcd-10.2,BCD-10.2,Controls,1,111,Separation of Primary / Alternate Providers,Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. +scf,scf:bcd-10.3,BCD-10.3,Controls,1,112,Provider Continency Plan ,Mechanisms exist to contractually-require telecommunications service providers to have contingency plans that meet organizational contingency requirements. +scf,scf:bcd-10.4,BCD-10.4,Controls,1,113,Alternate Communications Paths,Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable. +scf,scf:bcd-11,BCD-11,Controls,1,114,Data Backups,"Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). + +Methods To Comply With SCF Controls: +- Backup technologies & procedures +- Offline storage" +scf,scf:bcd-11.1,BCD-11.1,Controls,1,115,Testing for Reliability & Integrity ,"Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as well as the integrity and availability of the data. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:bcd-11.2,BCD-11.2,Controls,1,116,Separate Storage for Critical Information ,"Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up. + +Methods To Comply With SCF Controls: +- IronMountain" +scf,scf:bcd-11.3,BCD-11.3,Controls,1,117,Information System Imaging,"Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Acronis +- Docker (https://www.docker.com/) +- VMWare" +scf,scf:bcd-11.4,BCD-11.4,Controls,1,118,Cryptographic Protection,"Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information. + +Methods To Comply With SCF Controls: +- Backup technologies & procedures" +scf,scf:bcd-11.5,BCD-11.5,Controls,1,119,Test Restoration Using Sampling,Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing. +scf,scf:bcd-11.6,BCD-11.6,Controls,1,120,Transfer to Alternate Storage Site,Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). +scf,scf:bcd-11.7,BCD-11.7,Controls,1,121,Redundant Secondary System,"Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations." 
+scf,scf:bcd-11.8,BCD-11.8,Controls,1,122,Dual Authorization For Backup Media Destruction,Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data. +scf,scf:bcd-12,BCD-12,Controls,1,123,Information System Recovery & Reconstitution,"Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:bcd-12.1,BCD-12.1,Controls,1,124,Transaction Recovery,Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs). +scf,scf:bcd-12.2,BCD-12.2,Controls,1,125,Failover Capability,"Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services. + +Methods To Comply With SCF Controls: +- Load balancers +- High Availability (HA) firewalls" +scf,scf:bcd-12.3,BCD-12.3,Controls,1,126,Electronic Discovery (eDiscovery),Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions. +scf,scf:bcd-12.4,BCD-12.4,Controls,1,127,Restore Within Time Period,"Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:bcd-13,BCD-13,Controls,1,128,Backup & Restoration Hardware Protection ,Mechanisms exist to protect backup and restoration hardware and software. 
+scf,scf:bcd-14,BCD-14,Controls,1,129,Isolated Recovery Environment,"Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities." +scf,scf:bcd-15,BCD-15,Controls,1,130,Reserve Hardware,Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption. +scf,scf:cap-01,CAP-01,Controls,1,131,Capacity & Performance Management ,"Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements. + +Methods To Comply With SCF Controls: +- Splunk +- Resource monitoring" +scf,scf:cap-02,CAP-02,Controls,1,132,Resource Priority,"Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources. + +Methods To Comply With SCF Controls: +- Splunk +- Resource monitoring" +scf,scf:cap-03,CAP-03,Controls,1,133,Capacity Planning ,"Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations. " +scf,scf:cap-04,CAP-04,Controls,1,134,Performance Monitoring,"Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services." +scf,scf:chg-01,CHG-01,Controls,1,135,Change Management Program ,"Mechanisms exist to facilitate the implementation of a change management program. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- VisibleOps methodology +- ITIL infrastructure library +- NNT Change Tracker (https://www.newnettechnologies.com) +- ServiceNow (https://www.servicenow.com/) +- Remedy +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) +- Chef (https://www.chef.io/) (https://www.chef.io/) +- Puppet (https://puppet.com/)" +scf,scf:chg-02,CHG-02,Controls,1,136,Configuration Change Control ,"Mechanisms exist to govern the technical configuration change control processes. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Change Control Board (CCB) +- Configuration Management Database (CMDB) +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) Enterprise +- Chef (https://www.chef.io/) (https://www.chef.io/) +- Puppet (https://puppet.com/) +- Solarwinds (https://www.solarwinds.com/) +- Docker (https://www.docker.com/) +- VisibleOps methodology +- ITIL infrastructure library" +scf,scf:chg-02.1,CHG-02.1,Controls,1,137,Prohibition Of Changes,"Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- VisibleOps methodology +- ITIL infrastructure library +- Manual processes/workflows +- Application whitelisting" +scf,scf:chg-02.2,CHG-02.2,Controls,1,138,"Test, Validate & Document Changes ","Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- VisibleOps methodology +- ITIL infrastructure library +- NNT Change Tracker (https://www.newnettechnologies.com) +- VMware +- Docker (https://www.docker.com/)" +scf,scf:chg-02.3,CHG-02.3,Controls,1,139,Security & Privacy Representative for Asset Lifecycle Changes,"Mechanisms exist to include a cybersecurity and/or privacy representative in the configuration change control review process. + +Methods To Comply With SCF Controls: +- Change Control Board (CCB) +- Change Advisory Board (CAB) +- VisibleOps methodology +- ITIL infrastructure library" +scf,scf:chg-02.4,CHG-02.4,Controls,1,140,Automated Security Response,"Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s). + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:chg-02.5,CHG-02.5,Controls,1,141,Cryptographic Management,Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes. +scf,scf:chg-03,CHG-03,Controls,1,142,Security Impact Analysis for Changes ,"Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change. + +Methods To Comply With SCF Controls: +- VisibleOps methodology +- ITIL infrastructure library +- Change management software" +scf,scf:chg-04,CHG-04,Controls,1,143,Access Restriction For Change,"Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- VisibleOps methodology +- ITIL infrastructure library +- Role-based permissions +- Mandatory Access Control (MAC) +- Application whitelisting" +scf,scf:chg-04.1,CHG-04.1,Controls,1,144,Automated Access Enforcement / Auditing ,"Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- VisibleOps methodology +- ITIL infrastructure library +- NNT Change Tracker (https://www.newnettechnologies.com) +- Manual review processes +- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) +- Puppet (https://puppet.com/) +- Chef (https://www.chef.io/) (https://www.chef.io/)" +scf,scf:chg-04.2,CHG-04.2,Controls,1,145,Signed Components ,"Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority. + +Methods To Comply With SCF Controls: +- Privileged Account Management (PAM) +- Patch management tools +- OS configuration standards" +scf,scf:chg-04.3,CHG-04.3,Controls,1,146,Dual Authorization for Change,"Mechanisms exist to enforce a two-person rule for implementing changes to critical assets. + +Methods To Comply With SCF Controls: +- Separation of Duties (SoD)" +scf,scf:chg-04.4,CHG-04.4,Controls,1,147,Limit Production / Operational Privileges (Incompatible Roles),"Mechanisms exist to limit operational privileges for implementing changes. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Separation of Duties (SoD) +- Privileged Account Management (PAM)" +scf,scf:chg-04.5,CHG-04.5,Controls,1,148,Library Privileges,"Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access. + +Methods To Comply With SCF Controls: +- Privileged Account Management (PAM)" +scf,scf:chg-05,CHG-05,Controls,1,149,Stakeholder Notification of Changes ,"Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes. + +Methods To Comply With SCF Controls: +- Change management procedures +- VisibleOps methodology +- ITIL infrastructure library" +scf,scf:chg-06,CHG-06,Controls,1,150,Security Functionality Verification,"Mechanisms exist to verify the functionality of security controls when anomalies are discovered. + +Methods To Comply With SCF Controls: +- Information Assurance Program (IAP) +- Security Test & Evaluation (STE)" +scf,scf:chg-06.1,CHG-06.1,Controls,1,151,Report Verification Results,"Mechanisms exist to report the results of security and privacy function verification to appropriate organizational management. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cld-01,CLD-01,Controls,1,152,Cloud Services,"Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:cld-01.1,CLD-01.1,Controls,1,153,Cloud Infrastructure Onboarding,"Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." 
+scf,scf:cld-01.2,CLD-01.2,Controls,1,154,Cloud Infrastructure Offboarding,"Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." +scf,scf:cld-02,CLD-02,Controls,1,155,Cloud Security Architecture ,"Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments. + +Methods To Comply With SCF Controls: +- Architectural review board +- System Security Plan (SSP) +- Security architecture roadmaps" +scf,scf:cld-03,CLD-03,Controls,1,156,Cloud Infrastructure Security Subnet,"Mechanisms exist to host security-specific technologies in a dedicated subnet. + +Methods To Comply With SCF Controls: +- Security management subnet" +scf,scf:cld-04,CLD-04,Controls,1,157,Application & Program Interface (API) Security ,"Mechanisms exist to ensure support for secure interoperability between components. + +Methods To Comply With SCF Controls: +- Use only open and published APIs" +scf,scf:cld-05,CLD-05,Controls,1,158,Virtual Machine Images ,"Mechanisms exist to ensure the integrity of virtual machine images at all times. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- File Integrity Monitoring (FIM) +- Docker (https://www.docker.com/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cld-06,CLD-06,Controls,1,159,Multi-Tenant Environments ,"Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users. 
+ +Methods To Comply With SCF Controls: +- Security architecture review +- Defined processes to segment at the network, application, databases layers" +scf,scf:cld-06.1,CLD-06.1,Controls,1,160,Customer Responsibility Matrix (CRM),"Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers. + +Methods To Comply With SCF Controls: +- Customer Responsibility Matrix (CRM) +- Shared Responsibility Matrix (SRM) +- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix" +scf,scf:cld-06.2,CLD-06.2,Controls,1,161,Multi-Tenant Event Logging Capabilities,"Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations." +scf,scf:cld-06.3,CLD-06.3,Controls,1,162,Multi-Tenant Forensics Capabilities,Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident. +scf,scf:cld-06.4,CLD-06.4,Controls,1,163,Multi-Tenant Incident Response Capabilities,"Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers." +scf,scf:cld-07,CLD-07,Controls,1,164,Data Handling & Portability,"Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA) +- Security architecture review +- Encrypted data transfers (e.g. 
TLS or VPNs)" +scf,scf:cld-08,CLD-08,Controls,1,165,Standardized Virtualization Formats ,"Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Data Protection Impact Assessment (DPIA) +- Manual review process +- Vendor risk assessments +- Independent vendor compliance assessments " +scf,scf:cld-09,CLD-09,Controls,1,166,"Geolocation Requirements for Processing, Storage and Service Locations","Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA) +" +scf,scf:cld-10,CLD-10,Controls,1,167,Sensitive Data In Public Cloud Providers,"Mechanisms exist to limit and manage the storage of sensitive data in public cloud providers. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA) +- Security and network architecture diagrams +- Data Flow Diagram (DFD)" +scf,scf:cld-11,CLD-11,Controls,1,168,Cloud Access Point (CAP),"Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud. + +Methods To Comply With SCF Controls: +- Next Generation Firewall (NGF) +- Web Application Firewall (WAF) +- Network Routing / Switching +- Intrusion Detection / Protection (IDS / IPS) +- Data Loss Prevention (DLP) +- Full Packet Capture" +scf,scf:cld-12,CLD-12,Controls,1,169,Side Channel Attack Prevention,"Mechanisms exist to prevent ""side channel attacks"" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network." 
+scf,scf:cpl-01,CPL-01,Controls,1,170,"Statutory, Regulatory & Contractual Compliance ","Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls. + +Methods To Comply With SCF Controls: +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) +- Steering committee" +scf,scf:cpl-01.1,CPL-01.1,Controls,1,171,Non-Compliance Oversight,"Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions." +scf,scf:cpl-01.2,CPL-01.2,Controls,1,172,Compliance Scope,"Mechanisms exist to document and validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations." +scf,scf:cpl-02,CPL-02,Controls,1,173,Security & Privacy Controls Oversight ,"Mechanisms exist to provide a security & privacy controls oversight function that reports to the organization's executive leadership. + +Methods To Comply With SCF Controls: +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) +- Steering committee +- Formalized SDLC program +- Formalized DevOps program +- Information Assurance Program (IAP) +- Security Test & Evaluation (STE)" +scf,scf:cpl-02.1,CPL-02.1,Controls,1,174,Internal Audit Function,Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes. 
+scf,scf:cpl-03,CPL-03,Controls,1,175,Security Assessments ,"Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements. + +Methods To Comply With SCF Controls: +- Information Assurance Program (IAP) +- Security Test & Evaluation (STE) +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)" +scf,scf:cpl-03.1,CPL-03.1,Controls,1,176,Independent Assessors ,"Mechanisms exist to utilize independent assessors to evaluate security & privacy controls at planned intervals or when the system, service or project undergoes significant changes. + +Methods To Comply With SCF Controls: +- Information Assurance Program (IAP) +- Security Test & Evaluation (STE)" +scf,scf:cpl-03.2,CPL-03.2,Controls,1,177,Functional Review Of Security Controls ,"Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity and privacy policies and standards. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Internal audit program +- NNT Change Tracker (https://www.newnettechnologies.com) +- Operational review processes +- Regular/yearly policy and standards review process +- Governance, Risk and Compliance Solution (GRC) (ZenGRC, Archer, RSAM, Metric stream, etc.)" +scf,scf:cpl-04,CPL-04,Controls,1,178,Audit Activities ,"Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations. 
+ +Methods To Comply With SCF Controls: +- Internal audit program" +scf,scf:cpl-05,CPL-05,Controls,1,179,Legal Assessment of Investigative Inquires,"Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary." +scf,scf:cpl-05.1,CPL-05.1,Controls,1,180,Investigation Request Notifications,"Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution)." +scf,scf:cpl-05.2,CPL-05.2,Controls,1,181,Investigation Access Restrictions,"Mechanisms exist to support official investigations by provisioning government investigators with ""least privileges"" and ""least functionality"" to ensure that government investigators only have access to the data and systems needed to perform the investigation." +scf,scf:cpl-06,CPL-06,Controls,1,182,Government Surveillance,"Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations. + +Methods To Comply With SCF Controls: +- Board of Directors (Bod) Ethics Committee" +scf,scf:cfg-01,CFG-01,Controls,1,183,Configuration Management Program,"Mechanisms exist to facilitate the implementation of configuration management controls. 
+ +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com) +- Configuration Management Database (CMDB) +- Baseline hardening standards +- Formalized DevOps program +- Information Assurance Program (IAP) +- Security Test & Evaluation (STE)" +scf,scf:cfg-01.1,CFG-01.1,Controls,1,184,Assignment of Responsibility,"Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:cfg-02,CFG-02,Controls,1,185,System Hardening Through Baseline Configurations ,"Mechanisms exist to develop, document and maintain secure baseline configurations for technology platform that are consistent with industry-accepted system hardening standards. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs) +- Center for Internet Security (CIS) Benchmarks +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.1,CFG-02.1,Controls,1,186,Reviews & Updates,"Mechanisms exist to review and update baseline configurations: + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs) +- Center for Internet Security (CIS) Benchmarks +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.2,CFG-02.2,Controls,1,187,Automated Central Management & Verification ,"Automated mechanisms exist to govern and report on baseline configurations of the systems. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.3,CFG-02.3,Controls,1,188,Retention Of Previous Configurations ,"Mechanisms exist to retain previous versions of baseline configuration to support roll back. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.4,CFG-02.4,Controls,1,189,Development & Test Environment Configurations,"Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.5,CFG-02.5,Controls,1,190,"Configure Systems, Components or Services for High-Risk Areas ","Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations. + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.6,CFG-02.6,Controls,1,191,Network Device Configuration File Synchronization,"Mechanisms exist to configure network devices to synchronize startup and running configuration files. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.7,CFG-02.7,Controls,1,192,Approved Configuration Deviations ,"Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.8,CFG-02.8,Controls,1,193,Respond To Unauthorized Changes ,"Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Service Level Agreements (SLAs) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-02.9,CFG-02.9,Controls,1,194,Baseline Tailoring,"Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: + +Methods To Comply With SCF Controls: +- DISA STIGs +- CIS Benchmarks" +scf,scf:cfg-03,CFG-03,Controls,1,195,Least Functionality,"Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-03.1,CFG-03.1,Controls,1,196,Periodic Review,"Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services. + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-03.2,CFG-03.2,Controls,1,197,Prevent Unauthorized Software Execution,"Mechanisms exist to configure systems to prevent the execution of unauthorized software programs. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-03.3,CFG-03.3,Controls,1,198,Unauthorized or Authorized Software (Blacklisting or Whitelisting),"Mechanisms exist to whitelist or blacklist applications in an order to limit what is authorized to execute on systems. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-03.4,CFG-03.4,Controls,1,199,Split Tunneling,Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data. +scf,scf:cfg-04,CFG-04,Controls,1,200,Software Usage Restrictions ,Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws. +scf,scf:cfg-04.1,CFG-04.1,Controls,1,201,Open Source Software,"Mechanisms exist to establish parameters for the secure use of open source software. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP)" +scf,scf:cfg-04.2,CFG-04.2,Controls,1,202,Unsupported Internet Browsers & Email Clients ,Mechanisms exist to allow only approved Internet browsers and email clients to run on systems. +scf,scf:cfg-05,CFG-05,Controls,1,203,User-Installed Software,"Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software. + +Methods To Comply With SCF Controls: +- Privileged Account Management (PAM)" +scf,scf:cfg-05.1,CFG-05.1,Controls,1,204,Unauthorized Installation Alerts,"Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:cfg-05.2,CFG-05.2,Controls,1,205,Restrict Roles Permitted To Install Software,"Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service." +scf,scf:cfg-06,CFG-06,Controls,1,206,Configuration Enforcement,"Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices." +scf,scf:cfg-07,CFG-07,Controls,1,207,Zero-Touch Provisioning (ZTP),"Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network." +scf,scf:cfg-08,CFG-08,Controls,1,208,Sensitive / Regulated Data Access Enforcement,"Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data." +scf,scf:cfg-08.1,CFG-08.1,Controls,1,209,Sensitive / Regulated Data Actions,"Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived." +scf,scf:mon-01,MON-01,Controls,1,210,Continuous Monitoring,"Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls. + +Methods To Comply With SCF Controls: +- Splunk +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.1,MON-01.1,Controls,1,211,Intrusion Detection & Prevention Systems (IDS & IPS),"Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.2,MON-01.2,Controls,1,212,Automated Tools for Real-Time Analysis ,"Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.3,MON-01.3,Controls,1,213,Inbound & Outbound Communications Traffic ,"Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.4,MON-01.4,Controls,1,214,System Generated Alerts ,"Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.5,MON-01.5,Controls,1,215,Wireless Intrusion Detection System (WIDS),"Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.6,MON-01.6,Controls,1,216,Host-Based Devices ,"Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.7,MON-01.7,Controls,1,217,File Integrity Monitoring (FIM),"Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.8,MON-01.8,Controls,1,218,Reviews & Updates ,"Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures. + +Methods To Comply With SCF Controls: +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-01.9,MON-01.9,Controls,1,219,Proxy Logging ,"Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.10,MON-01.10,Controls,1,220,Deactivated Account Activity ,"Mechanisms exist to monitor deactivated accounts for attempted usage. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-01.11,MON-01.11,Controls,1,221,Automated Response to Suspicious Events,Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications. +scf,scf:mon-01.12,MON-01.12,Controls,1,222,Automated Alerts,Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications. +scf,scf:mon-01.13,MON-01.13,Controls,1,223,Alert Threshold Tuning,"Mechanisms exist to ""tune"" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events." +scf,scf:mon-01.14,MON-01.14,Controls,1,224,Individuals Posing Greater Risk,Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk. +scf,scf:mon-01.15,MON-01.15,Controls,1,225,Privileged User Oversight,Mechanisms exist to implement enhanced activity monitoring for privileged users. +scf,scf:mon-01.16,MON-01.16,Controls,1,226,Analyze and Prioritize Monitoring Requirements,"Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes." +scf,scf:mon-01.17,MON-01.17,Controls,1,227,Real-Time Session Monitoring,"Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations." 
+scf,scf:mon-02,MON-02,Controls,1,228,Centralized Collection of Security Event Logs,"Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs. + +Methods To Comply With SCF Controls: +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-02.1,MON-02.1,Controls,1,229,Correlate Monitoring Information,"Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-02.2,MON-02.2,Controls,1,230,Central Review & Analysis,"Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-02.3,MON-02.3,Controls,1,231,Integration of Scanning & Other Monitoring Information,"Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity." +scf,scf:mon-02.4,MON-02.4,Controls,1,232,Correlation with Physical Monitoring,"Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity. 
" +scf,scf:mon-02.5,MON-02.5,Controls,1,233,Permitted Actions,"Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information. " +scf,scf:mon-02.6,MON-02.6,Controls,1,234,Audit Level Adjustments,"Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence. " +scf,scf:mon-02.7,MON-02.7,Controls,1,235,System-Wide / Time-Correlated Audit Trail,Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated. +scf,scf:mon-02.8,MON-02.8,Controls,1,236,Changes by Authorized Individuals,"Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-03,MON-03,Controls,1,237,Content of Audit Records ,"Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum: + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-03.1,MON-03.1,Controls,1,238,Sensitive Audit Information,Mechanisms exist to protect sensitive data contained in log files. +scf,scf:mon-03.2,MON-03.2,Controls,1,239,Audit Trails,Mechanisms exist to link system access to individual users or service accounts. +scf,scf:mon-03.3,MON-03.3,Controls,1,240,Privileged Functions Logging ,"Mechanisms exist to log and review the actions of users and/or services with elevated privileges. 
+ +Methods To Comply With SCF Controls: +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-03.4,MON-03.4,Controls,1,241,Verbosity Logging for Boundary Devices ,"Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies." +scf,scf:mon-03.5,MON-03.5,Controls,1,242,Limit Personal Data (PD) In Audit Records,"Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the privacy risk assessment. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:mon-03.6,MON-03.6,Controls,1,243,Centralized Management of Planned Audit Record Content,Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components. +scf,scf:mon-03.7,MON-03.7,Controls,1,244,Database Logging,Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities. +scf,scf:mon-04,MON-04,Controls,1,245,Event Log Storage Capacity ,Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded. +scf,scf:mon-05,MON-05,Controls,1,246,Response To Event Log Processing Failures,"Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-05.1,MON-05.1,Controls,1,247,Real-Time Alerts of Event Logging Failure,"Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-05.2,MON-05.2,Controls,1,248,Event Log Storage Capacity Alerting ,Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity. +scf,scf:mon-06,MON-06,Controls,1,249,Monitoring Reporting ,"Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-06.1,MON-06.1,Controls,1,250,Query Parameter Audits of Personal Data (PD),Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD). +scf,scf:mon-06.2,MON-06.2,Controls,1,251,Trend Analysis Reporting,"Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data." +scf,scf:mon-07,MON-07,Controls,1,252,Time Stamps ,Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs. +scf,scf:mon-07.1,MON-07.1,Controls,1,253,Synchronization With Authoritative Time Source,"Mechanisms exist to synchronize internal system clocks with an authoritative time source. 
+ +Methods To Comply With SCF Controls: +- Network Time Protocol (NTP)" +scf,scf:mon-08,MON-08,Controls,1,254,Protection of Event Logs ,"Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-08.1,MON-08.1,Controls,1,255,Event Log Backup on Separate Physical Systems / Components ,"Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-08.2,MON-08.2,Controls,1,256,Access by Subset of Privileged Users ,"Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need. + +Methods To Comply With SCF Controls: +- Security Incident Event Manager (SIEM) +- Splunk" +scf,scf:mon-08.3,MON-08.3,Controls,1,257,Cryptographic Protection of Event Log Information,"Cryptographic mechanisms exist to protect the integrity of event logs and audit tools. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-08.4,MON-08.4,Controls,1,258,Dual Authorization for Event Log Movement,Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs. +scf,scf:mon-09,MON-09,Controls,1,259,Non-Repudiation,"Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-09.1,MON-09.1,Controls,1,260,Identity Binding,Mechanisms exist to bind the identity of the information producer to the information generated. +scf,scf:mon-10,MON-10,Controls,1,261,Event Log Retention,"Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-11,MON-11,Controls,1,262,Monitoring For Information Disclosure,"Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information. + +Methods To Comply With SCF Controls: +- Content filtering solution +- Review of social media outlets" +scf,scf:mon-11.1,MON-11.1,Controls,1,263,Analyze Traffic for Covert Exfiltration,Automated mechanisms exist to analyze network traffic to detect covert data exfiltration. +scf,scf:mon-11.2,MON-11.2,Controls,1,264,Unauthorized Network Services,Automated mechanisms exist to detect unauthorized network services and alert incident response personnel. +scf,scf:mon-11.3,MON-11.3,Controls,1,265,Monitoring for Indicators of Compromise (IOC),"Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC). 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:mon-12,MON-12,Controls,1,266,Session Audit ,"Mechanisms exist to provide session audit capabilities that can: + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-13,MON-13,Controls,1,267,Alternate Event Logging Capability ,"Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-14,MON-14,Controls,1,268,Cross-Organizational Monitoring ,"Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data." +scf,scf:mon-14.1,MON-14.1,Controls,1,269,Sharing of Event Logs,"Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements. + +Methods To Comply With SCF Controls: +- Veris (incident sharing) (http://veriscommunity.net)" +scf,scf:mon-15,MON-15,Controls,1,270,Covert Channel Analysis ,Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels. +scf,scf:mon-16,MON-16,Controls,1,271,Anomalous Behavior,"Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-16.1,MON-16.1,Controls,1,272,Insider Threats,"Mechanisms exist to monitor internal personnel activity for potential security incidents. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-16.2,MON-16.2,Controls,1,273,Third-Party Threats,"Mechanisms exist to monitor third-party personnel activity for potential security incidents. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-16.3,MON-16.3,Controls,1,274,Unauthorized Activities,"Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:mon-16.4,MON-16.4,Controls,1,275,Account Creation and Modification Logging,Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups. +scf,scf:cry-01,CRY-01,Controls,1,276,Use of Cryptographic Controls ,"Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies. + +Methods To Comply With SCF Controls: +- Key and certificate management solutions +- Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006) +- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection) +- Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)" +scf,scf:cry-01.1,CRY-01.1,Controls,1,277,Alternate Physical Protection ,Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards. 
+scf,scf:cry-01.2,CRY-01.2,Controls,1,278,Export-Controlled Technology,Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements. +scf,scf:cry-01.3,CRY-01.3,Controls,1,279,Pre/Post Transmission Handling,Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception. +scf,scf:cry-01.4,CRY-01.4,Controls,1,280,Conceal / Randomize Communications,Cryptographic mechanisms exist to conceal or randomize communication patterns. +scf,scf:cry-01.5,CRY-01.5,Controls,1,281,Cryptographic Cipher Suites and Protocols Inventory,"Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols." +scf,scf:cry-02,CRY-02,Controls,1,282,Cryptographic Module Authentication,"Automated mechanisms exist to enable systems to authenticate to a cryptographic module. + +Methods To Comply With SCF Controls: +- Yubico (https://www.yubico.com)" +scf,scf:cry-03,CRY-03,Controls,1,283,Transmission Confidentiality ,"Cryptographic mechanisms exist to protect the confidentiality of data being transmitted. + +Methods To Comply With SCF Controls: +- SSL / TLS protocols +- IPSEC Tunnels +- Native MPLS encrypted tunnel configurations +- Custom encrypted payloads" +scf,scf:cry-04,CRY-04,Controls,1,284,Transmission Integrity ,Cryptographic mechanisms exist to protect the integrity of data being transmitted. +scf,scf:cry-05,CRY-05,Controls,1,285,Encrypting Data At Rest ,"Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest. 
+ +Methods To Comply With SCF Controls: +- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)" +scf,scf:cry-05.1,CRY-05.1,Controls,1,286,Storage Media,"Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive data residing on storage media. + +Methods To Comply With SCF Controls: +- Native Storage Area Network (SAN) encryption functionality +- BitLocker and EFS" +scf,scf:cry-05.2,CRY-05.2,Controls,1,287,Offline Storage,Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements. +scf,scf:cry-05.3,CRY-05.3,Controls,1,288,Database Encryption,Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases. +scf,scf:cry-06,CRY-06,Controls,1,289,Non-Console Administrative Access,Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access. +scf,scf:cry-07,CRY-07,Controls,1,290,Wireless Access Authentication & Encryption ,Mechanisms exist to protect wireless access via secure authentication and encryption. +scf,scf:cry-08,CRY-08,Controls,1,291,Public Key Infrastructure (PKI) ,"Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider. + +Methods To Comply With SCF Controls: +- Microsoft Active Directory (AD) Certificate Services +- Digitcert (https://www.digicert.com) +- Entrust (https://www.entrust.com) +- Comodo (https://www.comodo.com) +- Vault (https://www.vaultproject.io/)" +scf,scf:cry-08.1,CRY-08.1,Controls,1,292,Availability,Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys. 
+scf,scf:cry-09,CRY-09,Controls,1,293,Cryptographic Key Management ,"Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys. + +Methods To Comply With SCF Controls: +- Microsoft Active Directory (AD) Certificate Services +- Digitcert (https://www.digicert.com) +- Entrust (https://www.entrust.com) +- Comodo (https://www.comodo.com) +- Vault (https://www.vaultproject.io/)" +scf,scf:cry-09.1,CRY-09.1,Controls,1,294,Symmetric Keys,Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes. +scf,scf:cry-09.2,CRY-09.2,Controls,1,295,Asymmetric Keys,Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key. +scf,scf:cry-09.3,CRY-09.3,Controls,1,296,Cryptographic Key Loss or Change,"Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users. + +Methods To Comply With SCF Controls: +- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. " +scf,scf:cry-09.4,CRY-09.4,Controls,1,297,Control & Distribution of Cryptographic Keys,Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes. +scf,scf:cry-09.5,CRY-09.5,Controls,1,298,Assigned Owners ,Mechanisms exist to ensure cryptographic keys are bound to individual identities. +scf,scf:cry-09.6,CRY-09.6,Controls,1,299,Third-Party Cryptographic Keys,Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared. 
+scf,scf:cry-09.7,CRY-09.7,Controls,1,300,External System Cryptographic Key Control,Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system. +scf,scf:cry-10,CRY-10,Controls,1,301,Transmission of Security & Privacy Attributes ,"Mechanisms exist to ensure systems associate security attributes with information exchanged between systems. + +Methods To Comply With SCF Controls: +- Integrity checking" +scf,scf:cry-11,CRY-11,Controls,1,302,Certificate Authorities,Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions. +scf,scf:dch-01,DCH-01,Controls,1,303,Data Protection ,Mechanisms exist to facilitate the implementation of data protection controls. +scf,scf:dch-01.1,DCH-01.1,Controls,1,304,Data Stewardship ,"Mechanisms exist to ensure data stewardship is assigned, documented and communicated. " +scf,scf:dch-01.2,DCH-01.2,Controls,1,305,Sensitive / Regulated Data Protection,Mechanisms exist to protect sensitive/regulated data wherever it is stored. +scf,scf:dch-01.3,DCH-01.3,Controls,1,306,Sensitive / Regulated Media Records,Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident. +scf,scf:dch-02,DCH-02,Controls,1,307,Data & Asset Classification ,"Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements. " +scf,scf:dch-02.1,DCH-02.1,Controls,1,308,Highest Classification Level,"Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed." 
+scf,scf:dch-03,DCH-03,Controls,1,309,Media Access ,"Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals. + +Methods To Comply With SCF Controls: +- Data Loss Prevention (DLP)" +scf,scf:dch-03.1,DCH-03.1,Controls,1,310,Disclosure of Information,Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know. +scf,scf:dch-03.2,DCH-03.2,Controls,1,311,Masking Displayed Data ,Mechanisms exist to apply data masking to sensitive information that is displayed or printed. +scf,scf:dch-03.3,DCH-03.3,Controls,1,312,Controlled Release,Automated mechanisms exist to validate security and privacy attributes prior to releasing information to external systems. +scf,scf:dch-04,DCH-04,Controls,1,313,Media Marking ,"Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. " +scf,scf:dch-04.1,DCH-04.1,Controls,1,314,Automated Marking,"Automated mechanisms exist to mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aide Data Loss Prevention (DLP) technologies. " +scf,scf:dch-05,DCH-05,Controls,1,315,Security & Privacy Attributes,"Mechanisms exist to bind security attributes to information as it is stored, transmitted and processed." +scf,scf:dch-05.1,DCH-05.1,Controls,1,316,Dynamic Attribute Association,"Mechanisms exist to dynamically associate security and privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and privacy policies." 
+scf,scf:dch-05.2,DCH-05.2,Controls,1,317,Attribute Value Changes By Authorized Individuals,Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. +scf,scf:dch-05.3,DCH-05.3,Controls,1,318,Maintenance of Attribute Associations By System,Mechanisms exist to maintain the association and integrity of security and privacy attributes to individuals and objects. +scf,scf:dch-05.4,DCH-05.4,Controls,1,319,Association of Attributes By Authorized Individuals,Mechanisms exist to provide the capability to associate security and privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals). +scf,scf:dch-05.5,DCH-05.5,Controls,1,320,Attribute Displays for Output Devices,"Mechanisms exist to display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions." +scf,scf:dch-05.6,DCH-05.6,Controls,1,321,Data Subject Attribute Associations,Mechanisms exist to require personnel to associate and maintain the association of security and privacy attributes with individuals and objects in accordance with security and privacy policies. +scf,scf:dch-05.7,DCH-05.7,Controls,1,322,Consistent Attribute Interpretation,"Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components." +scf,scf:dch-05.8,DCH-05.8,Controls,1,323,Identity Association Techniques & Technologies,Mechanisms exist to associate security and privacy attributes to information. 
+scf,scf:dch-05.9,DCH-05.9,Controls,1,324,Attribute Reassignment,"Mechanisms exist to reclassify data as required, due to changing business/technical requirements." +scf,scf:dch-05.10,DCH-05.10,Controls,1,325,Attribute Configuration By Authorized Individuals,Mechanisms exist to provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. +scf,scf:dch-05.11,DCH-05.11,Controls,1,326,Audit Changes,"Mechanisms exist to audit changes to security and privacy attributes and responds to events in accordance with incident response procedures. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:dch-06,DCH-06,Controls,1,327,Media Storage,Mechanisms exist to: +scf,scf:dch-06.1,DCH-06.1,Controls,1,328,Physically Secure All Media,"Mechanisms exist to physically secure all media that contains sensitive information. + +Methods To Comply With SCF Controls: +- Lockbox" +scf,scf:dch-06.2,DCH-06.2,Controls,1,329,Sensitive Data Inventories,Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually. +scf,scf:dch-06.3,DCH-06.3,Controls,1,330,Periodic Scans for Sensitive Data,"Mechanisms exist to periodically scan unstructured data sources for sensitive data or data requiring special protection measures by statutory, regulatory or contractual obligations. " +scf,scf:dch-06.4,DCH-06.4,Controls,1,331,Making Sensitive Data Unreadable In Storage,Mechanisms exist to ensure sensitive data is rendered human unreadable anywhere sensitive data is stored. +scf,scf:dch-06.5,DCH-06.5,Controls,1,332,Storing Authentication Data,Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization. 
+scf,scf:dch-07,DCH-07,Controls,1,333,Media Transportation ,"Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures. + +Methods To Comply With SCF Controls: +- Assigned couriers" +scf,scf:dch-07.1,DCH-07.1,Controls,1,334,Custodians,"Mechanisms exist to identify custodians throughout the transport of digital or non-digital media. + +Methods To Comply With SCF Controls: +- Chain of custody" +scf,scf:dch-07.2,DCH-07.2,Controls,1,335,Encrypting Data In Storage Media,Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. +scf,scf:dch-08,DCH-08,Controls,1,336,Physical Media Disposal,"Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures. + +Methods To Comply With SCF Controls: +- Shred-it +- IronMountain +- DoD-strength data erasers" +scf,scf:dch-09,DCH-09,Controls,1,337,Digital Media Sanitization,"Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse." +scf,scf:dch-09.1,DCH-09.1,Controls,1,338,Media Sanitization Documentation,"Mechanisms exist to supervise, track, document and verify media sanitization and disposal actions. + +Methods To Comply With SCF Controls: +- Certificate of destruction" +scf,scf:dch-09.2,DCH-09.2,Controls,1,339,Equipment Testing,Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved. +scf,scf:dch-09.3,DCH-09.3,Controls,1,340,Sanitization of Personal Data (PD),"Mechanisms exist to facilitate the sanitization of Personal Data (PD). 
+ +Methods To Comply With SCF Controls: +- De-identifying PI" +scf,scf:dch-09.4,DCH-09.4,Controls,1,341,First Time Use Sanitization,Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use. +scf,scf:dch-09.5,DCH-09.5,Controls,1,342,Dual Authorization for Sensitive Data Destruction,"Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data." +scf,scf:dch-10,DCH-10,Controls,1,343,Media Use,Mechanisms exist to restrict the use of types of digital media on systems or system components. +scf,scf:dch-10.1,DCH-10.1,Controls,1,344,Limitations on Use ,Mechanisms exist to restrict the use and distribution of sensitive / regulated data. +scf,scf:dch-10.2,DCH-10.2,Controls,1,345,Prohibit Use Without Owner,Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner. +scf,scf:dch-11,DCH-11,Controls,1,346,Data Reclassification ,"Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information." +scf,scf:dch-12,DCH-12,Controls,1,347,Removable Media Security,Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters. +scf,scf:dch-13,DCH-13,Controls,1,348,Use of External Information Systems ,"Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data. 
" +scf,scf:dch-13.1,DCH-13.1,Controls,1,349,Limits of Authorized Use ,"Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: " +scf,scf:dch-13.2,DCH-13.2,Controls,1,350,Portable Storage Devices,Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems. +scf,scf:dch-13.3,DCH-13.3,Controls,1,351,Protecting Sensitive Data on External Systems,"Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations. + +Methods To Comply With SCF Controls: +- NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)" +scf,scf:dch-13.4,DCH-13.4,Controls,1,352,Non-Organizationally Owned Systems / Components / Devices,"Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information." +scf,scf:dch-14,DCH-14,Controls,1,353,Information Sharing ,"Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected. + +Methods To Comply With SCF Controls: +- ShareFile +- SmartVault +- Veris (incident sharing) (http://veriscommunity.net)" +scf,scf:dch-14.1,DCH-14.1,Controls,1,354,Information Search & Retrieval,Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions. +scf,scf:dch-14.2,DCH-14.2,Controls,1,355,Transfer Authorizations,"Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data." 
+scf,scf:dch-14.3,DCH-14.3,Controls,1,356,Data Access Mapping,Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the personnel with whom sensitive data is shared. +scf,scf:dch-15,DCH-15,Controls,1,357,Publicly Accessible Content,"Mechanisms exist to control publicly-accessible content. + +Methods To Comply With SCF Controls: +- Designate individuals authorized to post information onto systems that are publicly accessible. +- Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information. +- Review the proposed content of publicly accessible information for nonpublic information prior to posting. +- Remove nonpublic information from the publicly accessible system." +scf,scf:dch-16,DCH-16,Controls,1,358,Data Mining Protection,Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques. +scf,scf:dch-17,DCH-17,Controls,1,359,Ad-Hoc Transfers ,"Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties. + +Methods To Comply With SCF Controls: +- ShareFile +- Box" +scf,scf:dch-18,DCH-18,Controls,1,360,Media & Data Retention ,"Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-18.1,DCH-18.1,Controls,1,361,"Limit Personal Data (PD) Elements In Testing, Training & Research","Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA). 
+ +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-18.2,DCH-18.2,Controls,1,362,Minimize Personal Data (PD),"Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA). + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-18.3,DCH-18.3,Controls,1,363,Temporary Files Containing Personal Data (PD),Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD). +scf,scf:dch-19,DCH-19,Controls,1,364,Geographic Location of Data,"Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties." +scf,scf:dch-20,DCH-20,Controls,1,365,Archived Data Sets ,"Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations. " +scf,scf:dch-21,DCH-21,Controls,1,366,Information Disposal,"Mechanisms exist to securely dispose of, destroy or erase information. + +Methods To Comply With SCF Controls: +- Shred-it +- IronMountain" +scf,scf:dch-22,DCH-22,Controls,1,367,Data Quality Operations,"Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-22.1,DCH-22.1,Controls,1,368,Updating & Correcting Personal Data (PD),"Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified. 
+ +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-22.2,DCH-22.2,Controls,1,369,Data Tags,"Mechanisms exist to utilize data tags to automate tracking of sensitive data across the information lifecycle. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-22.3,DCH-22.3,Controls,1,370,Primary Source Personal Data (PD) Collection,"Mechanisms exist to collect Personal Data (PD) directly from the individual. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23,DCH-23,Controls,1,371,De-Identification (Anonymization),"Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.1,DCH-23.1,Controls,1,372,De-Identify Dataset Upon Collection,"Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD). + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.2,DCH-23.2,Controls,1,373,Archiving,"Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.3,DCH-23.3,Controls,1,374,Release,"Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.4,DCH-23.4,Controls,1,375,"Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers","Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset. 
+ +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.5,DCH-23.5,Controls,1,376,Statistical Disclosure Control,"Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis." +scf,scf:dch-23.6,DCH-23.6,Controls,1,377,Differential Privacy,"Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.7,DCH-23.7,Controls,1,378,Automated De-Identification of Sensitive Data,"Mechanisms exist to perform de-identification of sensitive data, using validated algorithms and software to implement the algorithms. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:dch-23.8,DCH-23.8,Controls,1,379,Motivated Intruder,Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. +scf,scf:dch-23.9,DCH-23.9,Controls,1,380,Code Names,"Mechanisms exist to use aliases to name assets, that are mission-critical and/or contain highly-sensitive data, are unique and not readily associated with a product, project or type of data." +scf,scf:dch-24,DCH-24,Controls,1,381,Information Location,"Mechanisms exist to identify and document the location of information and the specific system components on which the information resides. + +Methods To Comply With SCF Controls: +- Data Flow Diagram (DFD)" +scf,scf:dch-24.1,DCH-24.1,Controls,1,382,Automated Tools to Support Information Location,Automated mechanisms exist to identify by data classification type to ensure adequate security and privacy controls are in place to protect organizational information and individual privacy. 
+scf,scf:dch-25,DCH-25,Controls,1,383,Transfer of Sensitive and/or Regulated Data,"Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations. + +Methods To Comply With SCF Controls: +- Model contracts +- Privacy Shield +- Binding Corporate Rules (BCR)" +scf,scf:dch-25.1,DCH-25.1,Controls,1,384,Transfer Activity Limits,"Mechanisms exist to establish organization-defined ""normal business activities"" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions." +scf,scf:dch-26,DCH-26,Controls,1,385,Data Localization,"Mechanisms exist to constrain the impact of ""digital sovereignty laws,"" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations. + +Methods To Comply With SCF Controls: +- Board of Directors (Bod) Ethics Committee" +scf,scf:emb-01,EMB-01,Controls,1,386,Embedded Technology Security Program ,Mechanisms exist to facilitate the implementation of embedded technology controls. +scf,scf:emb-02,EMB-02,Controls,1,387,Internet of Things (IOT) ,Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Internet of Things (IoT). +scf,scf:emb-03,EMB-03,Controls,1,388,Operational Technology (OT) ,Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT). +scf,scf:emb-04,EMB-04,Controls,1,389,Interface Security,Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s). 
+scf,scf:emb-05,EMB-05,Controls,1,390,Embedded Technology Configuration Monitoring,Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected. +scf,scf:emb-06,EMB-06,Controls,1,391,Prevent Alterations,Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software. +scf,scf:emb-07,EMB-07,Controls,1,392,Embedded Technology Maintenance,Mechanisms exist to securely update software and upgrade functionality on embedded devices. +scf,scf:emb-08,EMB-08,Controls,1,393,Resilience To Outages,Mechanisms exist to configure embedded technology to be resilient to data network and power outages. +scf,scf:emb-09,EMB-09,Controls,1,394,Power Level Monitoring,"Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering." +scf,scf:emb-10,EMB-10,Controls,1,395,Embedded Technology Reviews,"Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented." +scf,scf:emb-11,EMB-11,Controls,1,396,Message Queuing Telemetry Transport (MQTT) Security,Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic. +scf,scf:emb-12,EMB-12,Controls,1,397,Restrict Communications,"Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications." +scf,scf:emb-13,EMB-13,Controls,1,398,Authorized Communications,Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints. 
+scf,scf:emb-14,EMB-14,Controls,1,399,Operating Environment Certification,Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment. +scf,scf:emb-15,EMB-15,Controls,1,400,Safety Assessment,"Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure." +scf,scf:emb-16,EMB-16,Controls,1,401,Certificate-Based Authentication,"Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services." +scf,scf:emb-17,EMB-17,Controls,1,402,Chip-To-Cloud Security,Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP). +scf,scf:emb-18,EMB-18,Controls,1,403,Real-Time Operating System (RTOS) Security,Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS). +scf,scf:emb-19,EMB-19,Controls,1,404,Safe Operations,Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured. +scf,scf:end-01,END-01,Controls,1,405,Endpoint Security ,"Mechanisms exist to facilitate the implementation of endpoint security controls. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Group Policy Objects (GPOs) +- Antimalware technologies +- Software firewalls +- Host-based IDS/IPS technologies +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-02,END-02,Controls,1,406,Endpoint Protection Measures ,"Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-03,END-03,Controls,1,407,Prohibit Installation Without Privileged Status ,"Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Removal of local admin rights +- Privileged Account Management (PAM) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-03.1,END-03.1,Controls,1,408,Software Installation Alerts,"Mechanisms exist to generate an alert when new software is detected. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-03.2,END-03.2,Controls,1,409,Governing Access Restriction for Change,"Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:end-04,END-04,Controls,1,410,Malicious Code Protection (Anti-Malware) ,"Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- Antimalware software +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-04.1,END-04.1,Controls,1,411,Automatic Antimalware Signature Updates,"Mechanisms exist to automatically update antimalware technologies, including signature definitions. + +Methods To Comply With SCF Controls: +- Antimalware software" +scf,scf:end-04.2,END-04.2,Controls,1,412,Documented Protection Measures,Mechanisms exist to document antimalware technologies. 
+scf,scf:end-04.3,END-04.3,Controls,1,413,Centralized Management of Antimalware Technologies,"Mechanisms exist to centrally-manage antimalware technologies. + +Methods To Comply With SCF Controls: +- Antimalware software" +scf,scf:end-04.4,END-04.4,Controls,1,414,Heuristic / Nonsignature-Based Detection,"Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities. + +Methods To Comply With SCF Controls: +- Antimalware software" +scf,scf:end-04.5,END-04.5,Controls,1,415,Malware Protection Mechanism Testing,"Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs. + +Methods To Comply With SCF Controls: +- EICAR test file" +scf,scf:end-04.6,END-04.6,Controls,1,416,Evolving Malware Threats,Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software. +scf,scf:end-04.7,END-04.7,Controls,1,417,Always On Protection,"Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period. + +Methods To Comply With SCF Controls: +- Antimalware software" +scf,scf:end-05,END-05,Controls,1,418,Software Firewall ,"Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible. + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:end-06,END-06,Controls,1,419,Endpoint File Integrity Monitoring (FIM) ,"Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com) +- File Integrity Monitor (FIM)" +scf,scf:end-06.1,END-06.1,Controls,1,420,Integrity Checks ,"Mechanisms exist to validate configurations through integrity checking of software and firmware. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com) +- File Integrity Monitor (FIM)" +scf,scf:end-06.2,END-06.2,Controls,1,421,Integration of Detection & Response ,"Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com) +- File Integrity Monitor (FIM)" +scf,scf:end-06.3,END-06.3,Controls,1,422,Automated Notifications of Integrity Violations,"Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:end-06.4,END-06.4,Controls,1,423,Automated Response to Integrity Violations,"Automated mechanisms exist to implement remediation actions when integrity violations are discovered. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:end-06.5,END-06.5,Controls,1,424,Boot Process Integrity,Automated mechanisms exist to verify the integrity of the boot process of information systems. +scf,scf:end-06.6,END-06.6,Controls,1,425,Protection of Boot Firmware,Automated mechanisms exist to protect the integrity of boot firmware in information systems. 
+scf,scf:end-06.7,END-06.7,Controls,1,426,Binary or Machine-Executable Code,Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code. +scf,scf:end-07,END-07,Controls,1,427,Host Intrusion Detection and Prevention Systems (HIDS / HIPS) ,"Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com) +- File Integrity Monitor (FIM)" +scf,scf:end-08,END-08,Controls,1,428,Phishing & Spam Protection ,Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail. +scf,scf:end-08.1,END-08.1,Controls,1,429,Central Management,Mechanisms exist to centrally-manage anti-phishing and spam protection technologies. +scf,scf:end-08.2,END-08.2,Controls,1,430,Automatic Spam and Phishing Protection Updates,Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices. +scf,scf:end-09,END-09,Controls,1,431,Trusted Path,"Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system. + +Methods To Comply With SCF Controls: +- Active Directory (AD) Ctrl+Alt+Del login process" +scf,scf:end-10,END-10,Controls,1,432,Mobile Code,Mechanisms exist to address mobile code / operating system-independent applications. +scf,scf:end-11,END-11,Controls,1,433,Thin Nodes,Mechanisms exist to configure thin nodes to have minimal functionality and information storage. 
+scf,scf:end-12,END-12,Controls,1,434,Port & Input / Output (I/O) Device Access ,Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems. +scf,scf:end-13,END-13,Controls,1,435,Sensor Capability,Mechanisms exist to configure embedded sensors on systems to: +scf,scf:end-13.1,END-13.1,Controls,1,436,Authorized Use,Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes. +scf,scf:end-13.2,END-13.2,Controls,1,437,Notice of Collection,"Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors. + +Methods To Comply With SCF Controls: +- Visible or auditory alert +- Data Protection Impact Assessment (DPIA)" +scf,scf:end-13.3,END-13.3,Controls,1,438,Collection Minimization,Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals. +scf,scf:end-13.4,END-13.4,Controls,1,439,Sensor Delivery Verification,Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles. +scf,scf:end-14,END-14,Controls,1,440,Collaborative Computing Devices ,"Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: + +Methods To Comply With SCF Controls: +- Unplug devices when not needed" +scf,scf:end-14.1,END-14.1,Controls,1,441,Disabling / Removal In Secure Work Areas,Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas. +scf,scf:end-14.2,END-14.2,Controls,1,442,Explicitly Indicate Current Participants,Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences. 
+scf,scf:end-15,END-15,Controls,1,443,Hypervisor Access ,Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems. +scf,scf:end-16,END-16,Controls,1,444,Restrict Access To Security Functions,"Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions. + +Methods To Comply With SCF Controls: +- Windows Defender Device Guard" +scf,scf:end-16.1,END-16.1,Controls,1,445,Host-Based Security Function Isolation,"Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation. + +Methods To Comply With SCF Controls: +- Windows Defender Device Guard" +scf,scf:hrs-01,HRS-01,Controls,1,446,Human Resources Security Management,Mechanisms exist to facilitate the implementation of personnel security controls. +scf,scf:hrs-02,HRS-02,Controls,1,447,Position Categorization ,Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions. +scf,scf:hrs-02.1,HRS-02.1,Controls,1,448,Users With Elevated Privileges,"Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question." +scf,scf:hrs-02.2,HRS-02.2,Controls,1,449,Probationary Periods,Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period. +scf,scf:hrs-03,HRS-03,Controls,1,450,Roles & Responsibilities ,"Mechanisms exist to define cybersecurity responsibilities for all personnel. 
+ +Methods To Comply With SCF Controls: +- NIST NICE framework +- RACI diagram" +scf,scf:hrs-03.1,HRS-03.1,Controls,1,451,User Awareness ,Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment. +scf,scf:hrs-03.2,HRS-03.2,Controls,1,452,Competency Requirements for Security-Related Positions,Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set. +scf,scf:hrs-04,HRS-04,Controls,1,453,Personnel Screening ,"Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access. + +Methods To Comply With SCF Controls: +- Criminal, education and employment background checks" +scf,scf:hrs-04.1,HRS-04.1,Controls,1,454,Roles With Special Protection Measures,"Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria. + +Methods To Comply With SCF Controls: +- Security clearances for classified information." +scf,scf:hrs-04.2,HRS-04.2,Controls,1,455,Formal Indoctrination,"Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system." +scf,scf:hrs-04.3,HRS-04.3,Controls,1,456,Citizenship Requirements,"Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship." +scf,scf:hrs-04.4,HRS-04.4,Controls,1,457,Citizenship Identification,"Mechanisms exist to identify foreign nationals, including by their specific citizenship." 
+scf,scf:hrs-05,HRS-05,Controls,1,458,Terms of Employment ,"Mechanisms exist to require all employees and contractors to apply security and privacy principles in their daily work. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Rules of behavior" +scf,scf:hrs-05.1,HRS-05.1,Controls,1,459,Rules of Behavior,"Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Rules of behavior" +scf,scf:hrs-05.2,HRS-05.2,Controls,1,460,Social Media & Social Networking Restrictions,"Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Rules of behavior" +scf,scf:hrs-05.3,HRS-05.3,Controls,1,461,Use of Communications Technology,"Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Rules of behavior" +scf,scf:hrs-05.4,HRS-05.4,Controls,1,462,Use of Critical Technologies ,Mechanisms exist to govern usage policies for critical technologies. +scf,scf:hrs-05.5,HRS-05.5,Controls,1,463,Use of Mobile Devices,"Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Rules of behavior +- BYOD policy" +scf,scf:hrs-05.6,HRS-05.6,Controls,1,464,Security-Minded Dress Code,"Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) 
to prevent the unauthorized exfiltration of data and technology assets." +scf,scf:hrs-05.7,HRS-05.7,Controls,1,465,Policy Familiarization & Acknowledgement,Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies and provide acknowledgement. +scf,scf:hrs-06,HRS-06,Controls,1,466,Access Agreements ,Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. +scf,scf:hrs-06.1,HRS-06.1,Controls,1,467,Confidentiality Agreements,"Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties. + +Methods To Comply With SCF Controls: +- Non-Disclosure Agreements (NDAs)" +scf,scf:hrs-06.2,HRS-06.2,Controls,1,468,Post-Employment Obligations,"Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information." +scf,scf:hrs-07,HRS-07,Controls,1,469,Personnel Sanctions,"Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures. " +scf,scf:hrs-07.1,HRS-07.1,Controls,1,470,Workplace Investigations,Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated. +scf,scf:hrs-08,HRS-08,Controls,1,471,Personnel Transfer,"Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner." +scf,scf:hrs-09,HRS-09,Controls,1,472,Personnel Termination ,Mechanisms exist to govern the termination of individual employment. +scf,scf:hrs-09.1,HRS-09.1,Controls,1,473,Asset Collection,Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment. 
+scf,scf:hrs-09.2,HRS-09.2,Controls,1,474,High-Risk Terminations,"Mechanisms exist to expedite the process of removing ""high risk"" individual’s access to systems and applications upon termination, as determined by management." +scf,scf:hrs-09.3,HRS-09.3,Controls,1,475,Post-Employment Requirements ,"Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information. + +Methods To Comply With SCF Controls: +- Non-Disclosure Agreements (NDAs)" +scf,scf:hrs-09.4,HRS-09.4,Controls,1,476,Automated Employment Status Notifications,Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual employment or contract. +scf,scf:hrs-10,HRS-10,Controls,1,477,Third-Party Personnel Security,"Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities. + +Methods To Comply With SCF Controls: +- Independent background check service" +scf,scf:hrs-11,HRS-11,Controls,1,478,Separation of Duties (SoD),Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion. +scf,scf:hrs-12,HRS-12,Controls,1,479,Incompatible Roles ,"Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment." +scf,scf:hrs-12.1,HRS-12.1,Controls,1,480,Two-Person Rule,Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems. +scf,scf:hrs-13,HRS-13,Controls,1,481,Identify Critical Skills & Gaps,Mechanisms exist to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist. 
+scf,scf:hrs-13.1,HRS-13.1,Controls,1,482,Remediate Identified Skills Deficiencies,Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions. +scf,scf:hrs-13.2,HRS-13.2,Controls,1,483,Identify Vital Cybersecurity & Privacy Staff,Mechanisms exist to identify vital cybersecurity & privacy staff. +scf,scf:hrs-13.3,HRS-13.3,Controls,1,484,Establish Redundancy for Vital Cybersecurity & Privacy Staff,Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff. +scf,scf:hrs-13.4,HRS-13.4,Controls,1,485,Perform Succession Planning,Mechanisms exist to perform succession planning for vital cybersecurity & privacy roles. +scf,scf:iac-01,IAC-01,Controls,1,486,Identity & Access Management (IAM) ,Mechanisms exist to facilitate the implementation of identification and access management controls. +scf,scf:iac-01.1,IAC-01.1,Controls,1,487,Retain Access Records,"Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed." +scf,scf:iac-02,IAC-02,Controls,1,488,Identification & Authentication for Organizational Users ,"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users. " +scf,scf:iac-02.1,IAC-02.1,Controls,1,489,Group Authentication ,Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized. +scf,scf:iac-02.2,IAC-02.2,Controls,1,490,Network Access to Privileged Accounts - Replay Resistant,Automated mechanisms exist to employ replay-resistant network access authentication. 
+scf,scf:iac-02.3,IAC-02.3,Controls,1,491,Acceptance of PIV Credentials ,"Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials. + +Methods To Comply With SCF Controls: +- Personal Identity Verification (PIV) credentials" +scf,scf:iac-02.4,IAC-02.4,Controls,1,492,Out-of-Band Authentication (OOBA) ,Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions. +scf,scf:iac-03,IAC-03,Controls,1,493,Identification & Authentication for Non-Organizational Users ,"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization." +scf,scf:iac-03.1,IAC-03.1,Controls,1,494,Acceptance of PIV Credentials from Other Organizations ,Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties. +scf,scf:iac-03.2,IAC-03.2,Controls,1,495,Acceptance of Third-Party Credentials,"Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials. " +scf,scf:iac-03.3,IAC-03.3,Controls,1,496,Use of FICAM-Issued Profiles,"Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles. " +scf,scf:iac-03.4,IAC-03.4,Controls,1,497,Disassociability,"Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties." +scf,scf:iac-03.5,IAC-03.5,Controls,1,498,Acceptance of External Authenticators,Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators. 
+scf,scf:iac-04,IAC-04,Controls,1,499,Identification & Authentication for Devices,"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant. + +Methods To Comply With SCF Controls: +- Active Directory (AD) Kerberos" +scf,scf:iac-04.1,IAC-04.1,Controls,1,500,Device Attestation,Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process. +scf,scf:iac-05,IAC-05,Controls,1,501,Identification & Authentication for Third Party Systems & Services,Mechanisms exist to identify and authenticate third-party systems and services. +scf,scf:iac-05.1,IAC-05.1,Controls,1,502,Sharing Identification & Authentication Information,Mechanisms exist to ensure third-party service providers provide current and accurate information for any third-party user with access to the organization's data or assets. +scf,scf:iac-05.2,IAC-05.2,Controls,1,503,Privileged Access by Non-Organizational Users,Mechanisms exist to prohibit privileged access by non-organizational users. +scf,scf:iac-06,IAC-06,Controls,1,504,Multi-Factor Authentication (MFA),"Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for: + +Methods To Comply With SCF Controls: +- Multi-Factor Authentication (MFA) +- Microsoft Active Directory (AD) Certificate Services +- Yubico (https://www.yubico.com) +- Duo (https://www.duo.com)" +scf,scf:iac-06.1,IAC-06.1,Controls,1,505,Network Access to Privileged Accounts,"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts. 
+ +Methods To Comply With SCF Controls: +- Multi-Factor Authentication (MFA) +- Microsoft Active Directory (AD) Certificate Services +- Yubico (https://www.yubico.com) +- Duo (https://www.duo.com)" +scf,scf:iac-06.2,IAC-06.2,Controls,1,506,Network Access to Non-Privileged Accounts ,"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts. + +Methods To Comply With SCF Controls: +- Multi-Factor Authentication (MFA) +- Microsoft Active Directory (AD) Certificate Services +- Yubico (https://www.yubico.com) +- Duo (https://www.duo.com)" +scf,scf:iac-06.3,IAC-06.3,Controls,1,507,Local Access to Privileged Accounts ,"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts. + +Methods To Comply With SCF Controls: +- Multi-Factor Authentication (MFA) +- Microsoft Active Directory (AD) Certificate Services +- Yubico (https://www.yubico.com) +- Duo (https://www.duo.com)" +scf,scf:iac-06.4,IAC-06.4,Controls,1,508,Out-of-Band Multi-Factor Authentication ,Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access. +scf,scf:iac-07,IAC-07,Controls,1,509,User Provisioning & De-Provisioning ,Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights. +scf,scf:iac-07.1,IAC-07.1,Controls,1,510,Change of Roles & Duties,"Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted. " +scf,scf:iac-07.2,IAC-07.2,Controls,1,511,Termination of Employment,"Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract." 
+scf,scf:iac-08,IAC-08,Controls,1,512,Role-Based Access Control (RBAC) ,"Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access. + +Methods To Comply With SCF Controls: +- Role-Based Access Control (RBAC) +" +scf,scf:iac-09,IAC-09,Controls,1,513,Identifier Management (User Names),Mechanisms exist to govern naming standards for usernames and systems. +scf,scf:iac-09.1,IAC-09.1,Controls,1,514,User Identity (ID) Management ,Mechanisms exist to ensure proper user identification management for non-consumer users and administrators. +scf,scf:iac-09.2,IAC-09.2,Controls,1,515,Identity User Status,Mechanisms exist to identify contractor and other third-party users through unique username characteristics. +scf,scf:iac-09.3,IAC-09.3,Controls,1,516,Dynamic Management,"Mechanisms exist to dynamically manage usernames and system identifiers. + +Methods To Comply With SCF Controls: +- Microsoft Active Directory (AD)" +scf,scf:iac-09.4,IAC-09.4,Controls,1,517,Cross-Organization Management,Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers. +scf,scf:iac-09.5,IAC-09.5,Controls,1,518,Privileged Account Identifiers,Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service. +scf,scf:iac-09.6,IAC-09.6,Controls,1,519,Pairwise Pseudonymous Identifiers (PPID),Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject. +scf,scf:iac-10,IAC-10,Controls,1,520,Authenticator Management,Mechanisms exist to securely manage authenticators for users and devices. 
+scf,scf:iac-10.1,IAC-10.1,Controls,1,521,Password-Based Authentication ,"Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication." +scf,scf:iac-10.2,IAC-10.2,Controls,1,522,PKI-Based Authentication,Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication. +scf,scf:iac-10.3,IAC-10.3,Controls,1,523,In-Person or Trusted Third-Party Registration,Mechanisms exist to conduct in-person or trusted third-party identify verification before user accounts for third-parties are created. +scf,scf:iac-10.4,IAC-10.4,Controls,1,524,Automated Support For Password Strength,Automated mechanisms exist to determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements. +scf,scf:iac-10.5,IAC-10.5,Controls,1,525,Protection of Authenticators,Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access. +scf,scf:iac-10.6,IAC-10.6,Controls,1,526,No Embedded Unencrypted Static Authenticators,"Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys. " +scf,scf:iac-10.7,IAC-10.7,Controls,1,527,Hardware Token-Based Authentication,"Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication. + +Methods To Comply With SCF Controls: +- Tokens are sufficiently encrypted or do not reveal credentials or passwords within the token." +scf,scf:iac-10.8,IAC-10.8,Controls,1,528,Vendor-Supplied Defaults,"Mechanisms exist to ensure vendor-supplied defaults are changed as part of the installation process. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:iac-10.9,IAC-10.9,Controls,1,529,Multiple Information System Accounts,Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems. +scf,scf:iac-10.10,IAC-10.10,Controls,1,530,Expiration of Cached Authenticators,Automated mechanisms exist to prohibit the use of cached authenticators after organization-defined time period. +scf,scf:iac-10.11,IAC-10.11,Controls,1,531,Password Managers,Mechanisms exist to protect and store passwords via a password manager tool. +scf,scf:iac-10.12,IAC-10.12,Controls,1,532,Biometric Authentication,Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives. +scf,scf:iac-11,IAC-11,Controls,1,533,Authenticator Feedback,Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. +scf,scf:iac-12,IAC-12,Controls,1,534,Cryptographic Module Authentication ,"Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength. + +Methods To Comply With SCF Controls: +- FIPS 140-2" +scf,scf:iac-12.1,IAC-12.1,Controls,1,535,Hardware Security Modules (HSM),Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies. +scf,scf:iac-13,IAC-13,Controls,1,536,Adaptive Identification & Authentication ,Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations. 
+scf,scf:iac-13.1,IAC-13.1,Controls,1,537,Single Sign-On (SSO),Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services. +scf,scf:iac-13.2,IAC-13.2,Controls,1,538,Federated Credential Management,Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices. +scf,scf:iac-14,IAC-14,Controls,1,539,Re-Authentication ,Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication. +scf,scf:iac-15,IAC-15,Controls,1,540,Account Management ,"Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts. + +Methods To Comply With SCF Controls: +- Service accounts prohibit interactive login - users cannot log into systems with those accounts." +scf,scf:iac-15.1,IAC-15.1,Controls,1,541,Automated System Account Management ,"Automated mechanisms exist to support the management of system accounts. + +Methods To Comply With SCF Controls: +- Service accounts prohibit interactive login - users cannot log into systems with those accounts." +scf,scf:iac-15.2,IAC-15.2,Controls,1,542,Removal of Temporary / Emergency Accounts,Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account. +scf,scf:iac-15.3,IAC-15.3,Controls,1,543,Disable Inactive Accounts,Automated mechanisms exist to disable inactive accounts after an organization-defined time period. +scf,scf:iac-15.4,IAC-15.4,Controls,1,544,Automated Audit Actions,"Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles. 
" +scf,scf:iac-15.5,IAC-15.5,Controls,1,545,Restrictions on Shared Groups / Accounts,Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions. +scf,scf:iac-15.6,IAC-15.6,Controls,1,546,Account Disabling for High Risk Individuals,Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization. +scf,scf:iac-15.7,IAC-15.7,Controls,1,547,System Accounts,Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner. +scf,scf:iac-15.8,IAC-15.8,Controls,1,548,Usage Conditions,Automated mechanisms exist to enforce usage conditions for users and/or roles. +scf,scf:iac-15.9,IAC-15.9,Controls,1,549,Emergency Accounts,"Mechanisms exist to establish and control ""emergency access only"" accounts." +scf,scf:iac-16,IAC-16,Controls,1,550,Privileged Account Management (PAM) ,Mechanisms exist to restrict and control privileged access rights for users and services. +scf,scf:iac-16.1,IAC-16.1,Controls,1,551,Privileged Account Inventories ,Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management. +scf,scf:iac-16.2,IAC-16.2,Controls,1,552,Privileged Account Separation ,Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments. +scf,scf:iac-17,IAC-17,Controls,1,553,Periodic Review of Account Privileges,"Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary." 
+scf,scf:iac-18,IAC-18,Controls,1,554,User Responsibilities for Account Management,"Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.). + +Methods To Comply With SCF Controls: +- Employment contract +- Rules of Behavior +- Formalized password policy" +scf,scf:iac-19,IAC-19,Controls,1,555,Credential Sharing ,"Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods." +scf,scf:iac-20,IAC-20,Controls,1,556,Access Enforcement,"Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of ""least privilege.""" +scf,scf:iac-20.1,IAC-20.1,Controls,1,557,Access To Sensitive Data,Mechanisms exist to limit access to sensitive data to only those individuals whose job requires such access. +scf,scf:iac-20.2,IAC-20.2,Controls,1,558,Database Access,Mechanisms exist to restrict access to database containing sensitive data to only necessary services or those individuals whose job requires such access. +scf,scf:iac-20.3,IAC-20.3,Controls,1,559,Use of Privileged Utility Programs,Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls. +scf,scf:iac-20.4,IAC-20.4,Controls,1,560,Dedicated Administrative Machines,"Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine. + +Methods To Comply With SCF Controls: +- Jump hosts" +scf,scf:iac-20.5,IAC-20.5,Controls,1,561,Dual Authorization for Privileged Commands,Automated mechanisms exist to enforce dual authorization for privileged commands. +scf,scf:iac-20.6,IAC-20.6,Controls,1,562,Revocation of Access Authorizations,Mechanisms exist to revoke logical and physical access authorizations. 
+scf,scf:iac-21,IAC-21,Controls,1,563,Least Privilege ,"Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions. " +scf,scf:iac-21.1,IAC-21.1,Controls,1,564,Authorize Access to Security Functions ,Mechanisms exist to limit access to security functions to explicitly-authorized privileged users. +scf,scf:iac-21.2,IAC-21.2,Controls,1,565,Non-Privileged Access for Non-Security Functions ,"Mechanisms exist to prohibit privileged users from using privileged accounts, while performing non-security functions. " +scf,scf:iac-21.3,IAC-21.3,Controls,1,566,Privileged Accounts ,Mechanisms exist to restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval. +scf,scf:iac-21.4,IAC-21.4,Controls,1,567,Auditing Use of Privileged Functions ,Mechanisms exist to audit the execution of privileged functions. +scf,scf:iac-21.5,IAC-21.5,Controls,1,568,Prohibit Non-Privileged Users from Executing Privileged Functions ,"Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures. " +scf,scf:iac-21.6,IAC-21.6,Controls,1,569,Network Access to Privileged Commands,"Mechanisms exist to authorize remote access to perform privileged commands on critical systems or where sensitive data is stored, transmitted and/or processed only for compelling operational needs." +scf,scf:iac-21.7,IAC-21.7,Controls,1,570,Privilege Levels for Code Execution,Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges. 
+scf,scf:iac-22,IAC-22,Controls,1,571,Account Lockout ,Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded. +scf,scf:iac-23,IAC-23,Controls,1,572,Concurrent Session Control,Mechanisms exist to limit the number of concurrent sessions for each system account. +scf,scf:iac-24,IAC-24,Controls,1,573,Session Lock ,"Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods." +scf,scf:iac-24.1,IAC-24.1,Controls,1,574,Pattern-Hiding Displays ,Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock. +scf,scf:iac-25,IAC-25,Controls,1,575,Session Termination ,"Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity. " +scf,scf:iac-25.1,IAC-25.1,Controls,1,576,User-Initiated Logouts / Message Displays,Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session. +scf,scf:iac-26,IAC-26,Controls,1,577,Permitted Actions Without Identification or Authorization,Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication. +scf,scf:iac-27,IAC-27,Controls,1,578,Reference Monitor,"Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured." 
+scf,scf:iac-28,IAC-28,Controls,1,579,Identity Proofing (Identity Verification),"Mechanisms exist to verify the identity of a user before modifying any permissions or authentication factor. + +Methods To Comply With SCF Controls: +- Professional references +- Education / certification transcripts +- Driver's license +- Passport" +scf,scf:iac-28.1,IAC-28.1,Controls,1,580,Management Approval For New or Changed Accounts,Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to existing accounts. +scf,scf:iac-28.2,IAC-28.2,Controls,1,581,Identity Evidence,"Mechanisms exist to require evidence of individual identification to be presented to the registration authority. + +Methods To Comply With SCF Controls: +- Driver's license +- Passport" +scf,scf:iac-28.3,IAC-28.3,Controls,1,582,Identity Evidence Validation & Verification,"Mechanisms exist to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification. + +Methods To Comply With SCF Controls: +- Employment verification +- Credit check +- Criminal history check +- Education verification" +scf,scf:iac-28.4,IAC-28.4,Controls,1,583,In-Person Validation & Verification,"Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration authority. + +Methods To Comply With SCF Controls: +- In-person validation of government-issued photograph identification" +scf,scf:iac-28.5,IAC-28.5,Controls,1,584,Address Confirmation,Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital). +scf,scf:iac-29,IAC-29,Controls,1,585,Attribute-Based Access Control (ABAC) ,"Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information. 
+ +Methods To Comply With SCF Controls: +- NIST Special Publication 800-162 " +scf,scf:iro-01,IRO-01,Controls,1,586,Incident Response Operations,Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents. +scf,scf:iro-02,IRO-02,Controls,1,587,Incident Handling ,"Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery. + +Methods To Comply With SCF Controls: +- ITIL Infrastructure Library - Incident and problem management" +scf,scf:iro-02.1,IRO-02.1,Controls,1,588,Automated Incident Handling Processes,"Automated mechanisms exist to support the incident handling process. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:iro-02.2,IRO-02.2,Controls,1,589,Insider Threat Response Capability,Mechanisms exist to implement and govern an insider threat program. +scf,scf:iro-02.3,IRO-02.3,Controls,1,590,Dynamic Reconfiguration,"Automated mechanisms exist to dynamically reconfigure information system components as part of the incident response capability. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:iro-02.4,IRO-02.4,Controls,1,591,Continuity of Operations,Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions. +scf,scf:iro-02.5,IRO-02.5,Controls,1,592,Correlation with External Organizations,Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses. 
+scf,scf:iro-02.6,IRO-02.6,Controls,1,593,Automatic Disabling of System,"Mechanisms exist to automatically disable systems, upon detection of a possible incident that meets organizational criteria, that allows for forensic analysis to be performed." +scf,scf:iro-03,IRO-03,Controls,1,594,Indicators of Compromise (IOC),"Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events. + +Methods To Comply With SCF Controls: +- Indicators of Compromise (IoC) +- Incident Response Plan (IRP) +- Strake (https://9yahds.com/) +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:iro-04,IRO-04,Controls,1,595,Incident Response Plan (IRP) ,"Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders. + +Methods To Comply With SCF Controls: +- Incident Response Plan (IRP) +- Hard copy of IRP" +scf,scf:iro-04.1,IRO-04.1,Controls,1,596,Data Breach,"Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations. " +scf,scf:iro-04.2,IRO-04.2,Controls,1,597,IRP Update,"Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary." +scf,scf:iro-04.3,IRO-04.3,Controls,1,598,Continuous Incident Response Improvements,Mechanisms exist to use qualitative and quantitative data from incident response testing to: +scf,scf:iro-05,IRO-05,Controls,1,599,Incident Response Training ,"Mechanisms exist to train personnel in their incident response roles and responsibilities. 
+ +Methods To Comply With SCF Controls: +- ITIL Infrastructure Library - Incident and problem management +- Incident Response Plan (IRP) +- Strake (https://9yahds.com/)" +scf,scf:iro-05.1,IRO-05.1,Controls,1,600,Simulated Incidents,Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations. +scf,scf:iro-05.2,IRO-05.2,Controls,1,601,Automated Incident Response Training Environments,Automated mechanisms exist to provide a more thorough and realistic incident response training environment. +scf,scf:iro-06,IRO-06,Controls,1,602,Incident Response Testing,"Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities. + +Methods To Comply With SCF Controls: +- Strake (https://9yahds.com/) +- ""Table Top"" incident response exercises (rock drills) +- ""Red team vs blue team"" exercises +- EICAR test file antimalware detection and response exercises" +scf,scf:iro-06.1,IRO-06.1,Controls,1,603,Coordination with Related Plans ,Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans. +scf,scf:iro-07,IRO-07,Controls,1,604,Integrated Security Incident Response Team (ISIRT),"Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations. + +Methods To Comply With SCF Controls: +- Full-time employees only" +scf,scf:iro-08,IRO-08,Controls,1,605,Chain of Custody & Forensics,"Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices. 
+ +Methods To Comply With SCF Controls: +- Chain of custody procedures +- Encase +- Forensic Tool Kit (FTK)" +scf,scf:iro-09,IRO-09,Controls,1,606,Situational Awareness For Incidents,"Mechanisms exist to document, monitor and report the status of cybersecurity and privacy incidents to internal stakeholders all the way through the resolution of the incident. + +Methods To Comply With SCF Controls: +- Incident Response Plan (IRP) +- Strake (https://9yahds.com/)" +scf,scf:iro-09.1,IRO-09.1,Controls,1,607,"Automated Tracking, Data Collection & Analysis","Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential security and privacy incidents. + +Methods To Comply With SCF Controls: +- Strake (https://9yahds.com/)" +scf,scf:iro-10,IRO-10,Controls,1,608,Incident Stakeholder Reporting ,Mechanisms exist to timely-report incidents to applicable: +scf,scf:iro-10.1,IRO-10.1,Controls,1,609,Automated Reporting,"Automated mechanisms exist to assist in the reporting of security and privacy incidents. + +Methods To Comply With SCF Controls: +- Strake (https://9yahds.com/)" +scf,scf:iro-10.2,IRO-10.2,Controls,1,610,Cyber Incident Reporting for Sensitive Data,Mechanisms exist to report sensitive data incidents in a timely manner. +scf,scf:iro-10.3,IRO-10.3,Controls,1,611,Vulnerabilities Related To Incidents,Mechanisms exist to report system vulnerabilities associated with reported security and privacy incidents to organization-defined personnel or roles. +scf,scf:iro-10.4,IRO-10.4,Controls,1,612,Supply Chain Coordination,Mechanisms exist to provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident. 
+scf,scf:iro-11,IRO-11,Controls,1,613,Incident Reporting Assistance ,"Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential security and privacy incidents. + +Methods To Comply With SCF Controls: +- ITIL Infrastructure Library - Incident and problem management" +scf,scf:iro-11.1,IRO-11.1,Controls,1,614,Automation Support of Availability of Information / Support ,Automated mechanisms exist to increase the availability of incident response-related information and support. +scf,scf:iro-11.2,IRO-11.2,Controls,1,615,Coordination With External Providers,"Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers." +scf,scf:iro-12,IRO-12,Controls,1,616,Information Spillage Response,Mechanisms exist to respond to sensitive information spills. +scf,scf:iro-12.1,IRO-12.1,Controls,1,617,Responsible Personnel,Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills. +scf,scf:iro-12.2,IRO-12.2,Controls,1,618,Training,Mechanisms exist to ensure incident response training material provides coverage for sensitive information spillage response. +scf,scf:iro-12.3,IRO-12.3,Controls,1,619,Post-Spill Operations,Mechanisms exist to ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. +scf,scf:iro-12.4,IRO-12.4,Controls,1,620,Exposure to Unauthorized Personnel,Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations. 
+scf,scf:iro-13,IRO-13,Controls,1,621,Root Cause Analysis (RCA) & Lessons Learned,Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents. +scf,scf:iro-14,IRO-14,Controls,1,622,Regulatory & Law Enforcement Contacts ,Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies. +scf,scf:iro-15,IRO-15,Controls,1,623,Detonation Chambers (Sandboxes),"Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments. + +Methods To Comply With SCF Controls: +- Separate network with ""sacrificial"" systems where potential malware can be evaluated without impacting the production network." +scf,scf:iro-16,IRO-16,Controls,1,624,Public Relations & Reputation Repair,Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation. +scf,scf:iao-01,IAO-01,Controls,1,625,Information Assurance (IA) Operations,"Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:iao-01.1,IAO-01.1,Controls,1,626,Assessment Boundaries,"Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review." 
+scf,scf:iao-02,IAO-02,Controls,1,627,Assessments ,"Mechanisms exist to formally assess the cybersecurity and privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management +- Information Assurance Program (IAP) " +scf,scf:iao-02.1,IAO-02.1,Controls,1,628,Assessor Independence,"Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity and privacy control assessments. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:iao-02.2,IAO-02.2,Controls,1,629,Specialized Assessments,"Mechanisms exist to conduct specialized assessments for: + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:iao-02.3,IAO-02.3,Controls,1,630,Third-Party Assessments,"Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations. + +Methods To Comply With SCF Controls: +- Audit steering committee +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:iao-02.4,IAO-02.4,Controls,1,631,Security Assessment Report (SAR),Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions. 
+scf,scf:iao-03,IAO-03,Controls,1,632,System Security & Privacy Plan (SSPP),"Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:iao-03.1,IAO-03.1,Controls,1,633,Plan / Coordinate with Other Organizational Entities,"Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations. + +Methods To Comply With SCF Controls: +- Audit steering committee +- Information Assurance (IA) program +- VisibleOps security management +- Information Assurance Program (IAP) " +scf,scf:iao-03.2,IAO-03.2,Controls,1,634,Adequate Security for Sensitive / Regulated Data In Support of Contracts,"Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:iao-04,IAO-04,Controls,1,635,Threat Analysis & Flaw Remediation During Development,"Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development. 
+ +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management +- Security Test & Evaluation (ST&E)" +scf,scf:iao-05,IAO-05,Controls,1,636,Plan of Action & Milestones (POA&M),"Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management +- Plan of Action & Milestones (POA&M)" +scf,scf:iao-05.1,IAO-05.1,Controls,1,637,Plan of Action & Milestones (POA&M) Automation,"Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available. + +Methods To Comply With SCF Controls: +- Governance, Risk & Compliance (GRC)" +scf,scf:iao-06,IAO-06,Controls,1,638,Technical Verification,"Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management +- Information Assurance Program (IAP) " +scf,scf:iao-07,IAO-07,Controls,1,639,Security Authorization ,"Mechanisms exist to ensure systems, projects and services are officially authorized prior to ""go live"" in a production environment. + +Methods To Comply With SCF Controls: +- Information Assurance (IA) program +- VisibleOps security management" +scf,scf:mnt-01,MNT-01,Controls,1,640,Maintenance Operations ,"Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise." 
+scf,scf:mnt-02,MNT-02,Controls,1,641,Controlled Maintenance ,"Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:mnt-02.1,MNT-02.1,Controls,1,642,Automated Maintenance Activities,"Automated mechanisms exist to schedule, conduct and document maintenance and repairs." +scf,scf:mnt-03,MNT-03,Controls,1,643,Timely Maintenance,Mechanisms exist to obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO). +scf,scf:mnt-03.1,MNT-03.1,Controls,1,644,Preventative Maintenance,"Mechanisms exist to perform preventive maintenance on critical systems, applications and services." +scf,scf:mnt-03.2,MNT-03.2,Controls,1,645,Predictive Maintenance,"Mechanisms exist to perform predictive maintenance on critical systems, applications and services." +scf,scf:mnt-03.3,MNT-03.3,Controls,1,646,Automated Support For Predictive Maintenance,Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system. +scf,scf:mnt-04,MNT-04,Controls,1,647,Maintenance Tools,"Mechanisms exist to control and monitor the use of system maintenance tools. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:mnt-04.1,MNT-04.1,Controls,1,648,Inspect Tools ,Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. +scf,scf:mnt-04.2,MNT-04.2,Controls,1,649,Inspect Media ,Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used. +scf,scf:mnt-04.3,MNT-04.3,Controls,1,650,Prevent Unauthorized Removal ,Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that containing organizational information. 
+scf,scf:mnt-04.4,MNT-04.4,Controls,1,651,Restrict Tool Usage,Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles. +scf,scf:mnt-05,MNT-05,Controls,1,652,Remote Maintenance,"Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities." +scf,scf:mnt-05.1,MNT-05.1,Controls,1,653,Auditing Remote Maintenance,"Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions. " +scf,scf:mnt-05.2,MNT-05.2,Controls,1,654,Remote Maintenance Notifications,"Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)." +scf,scf:mnt-05.3,MNT-05.3,Controls,1,655,Remote Maintenance Cryptographic Protection,"Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications. " +scf,scf:mnt-05.4,MNT-05.4,Controls,1,656,Remote Maintenance Disconnect Verification,"Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated." +scf,scf:mnt-05.5,MNT-05.5,Controls,1,657,Remote Maintenance Pre-Approval,"Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:mnt-05.6,MNT-05.6,Controls,1,658,Remote Maintenance Comparable Security & Sanitization,"Mechanisms exist to require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced." 
+scf,scf:mnt-05.7,MNT-05.7,Controls,1,659,Separation of Maintenance Sessions,Mechanisms exist to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions. +scf,scf:mnt-06,MNT-06,Controls,1,660,Authorized Maintenance Personnel,"Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:mnt-06.1,MNT-06.1,Controls,1,661,Maintenance Personnel Without Appropriate Access ,"Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:mnt-06.2,MNT-06.2,Controls,1,662,Non-System Related Maintenance,Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations. +scf,scf:mnt-07,MNT-07,Controls,1,663,Maintain Configuration Control During Maintenance,Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair. +scf,scf:mnt-08,MNT-08,Controls,1,664,Field Maintenance,Mechanisms exist to securely conduct field maintenance on geographically deployed assets. +scf,scf:mnt-09,MNT-09,Controls,1,665,Off-Site Maintenance,Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site. +scf,scf:mnt-10,MNT-10,Controls,1,666,Maintenance Validation,Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational. 
+scf,scf:mnt-11,MNT-11,Controls,1,667,Maintenance Monitoring,Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates. +scf,scf:mdm-01,MDM-01,Controls,1,668,Centralized Management Of Mobile Devices ,"Mechanisms exist to develop, govern & update procedures to facilitate the implementation of mobile device management controls." +scf,scf:mdm-02,MDM-02,Controls,1,669,Access Control For Mobile Devices,Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems. +scf,scf:mdm-03,MDM-03,Controls,1,670,Full Device & Container-Based Encryption ,Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption. +scf,scf:mdm-04,MDM-04,Controls,1,671,Mobile Device Tampering,"Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization’s network." +scf,scf:mdm-05,MDM-05,Controls,1,672,Remote Purging,Mechanisms exist to remotely purge selected information from mobile devices. +scf,scf:mdm-06,MDM-06,Controls,1,673,Personally-Owned Mobile Devices ,"Mechanisms exist to restrict the connection of personally-owned, mobile devices to organizational systems and networks. " +scf,scf:mdm-07,MDM-07,Controls,1,674,Organization-Owned Mobile Devices ,Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store. +scf,scf:mdm-08,MDM-08,Controls,1,675,Mobile Device Data Retention Limitations,Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe. 
+scf,scf:mdm-09,MDM-09,Controls,1,676,Mobile Device Geofencing,Mechanisms exist to restrict the functionality of mobile devices based on geographic location. +scf,scf:mdm-10,MDM-10,Controls,1,677,Separate Mobile Device Profiles,Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data. +scf,scf:mdm-11,MDM-11,Controls,1,678,Restricting Access To Authorized Devices,"Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services." +scf,scf:net-01,NET-01,Controls,1,679,Network Security Controls (NSC),"Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC). + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:net-01.1,NET-01.1,Controls,1,680,Zero Trust Architecture (ZTA),Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized. +scf,scf:net-02,NET-02,Controls,1,681,Layered Network Defenses ,Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. +scf,scf:net-02.1,NET-02.1,Controls,1,682,Denial of Service (DoS) Protection,Automated mechanisms exist to protect against or limit the effects of denial of service attacks. +scf,scf:net-02.2,NET-02.2,Controls,1,683,Guest Networks,Mechanisms exist to implement and manage a secure guest network. 
+scf,scf:net-02.3,NET-02.3,Controls,1,684,Cross Domain Solution (CDS),Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains. +scf,scf:net-03,NET-03,Controls,1,685,Boundary Protection ,Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network. +scf,scf:net-03.1,NET-03.1,Controls,1,686,Limit Network Connections,Mechanisms exist to limit the number of concurrent external network connections to its systems. +scf,scf:net-03.2,NET-03.2,Controls,1,687,External Telecommunications Services ,"Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface. + +Methods To Comply With SCF Controls: +- Outbound content filtering" +scf,scf:net-03.3,NET-03.3,Controls,1,688,Prevent Discovery of Internal Information,Mechanisms exist to prevent the public disclosure of internal network information. +scf,scf:net-03.4,NET-03.4,Controls,1,689,Personal Data (PD),"Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD). + +Methods To Comply With SCF Controls: +- Data Loss Prevention (DLP)" +scf,scf:net-03.5,NET-03.5,Controls,1,690,Prevent Unauthorized Exfiltration,Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive data across managed interfaces. +scf,scf:net-03.6,NET-03.6,Controls,1,691,Dynamic Isolation & Segregation (Sandboxing),"Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application. 
" +scf,scf:net-03.7,NET-03.7,Controls,1,692,Isolation of Information System Components,"Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions. " +scf,scf:net-03.8,NET-03.8,Controls,1,693,Separate Subnet for Connecting to Different Security Domains,"Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains." +scf,scf:net-04,NET-04,Controls,1,694,Data Flow Enforcement – Access Control Lists (ACLs),"Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:net-04.1,NET-04.1,Controls,1,695,Deny Traffic by Default & Allow Traffic by Exception,"Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). " +scf,scf:net-04.2,NET-04.2,Controls,1,696,Object Security Attributes ,"Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions. + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:net-04.3,NET-04.3,Controls,1,697,Content Check for Encrypted Data,Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms. +scf,scf:net-04.4,NET-04.4,Controls,1,698,Embedded Data Types,"Mechanisms exist to enforce limitations on embedding data within other data types. 
+ +Methods To Comply With SCF Controls: +- Prevent exfiltration through steganography" +scf,scf:net-04.5,NET-04.5,Controls,1,699,Metadata ,Mechanisms exist to enforce information flow controls based on metadata. +scf,scf:net-04.6,NET-04.6,Controls,1,700,Human Reviews,Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis. +scf,scf:net-04.7,NET-04.7,Controls,1,701,Security Policy Filters,Automated mechanisms exist to enforce information flow control using security policy filters as a basis for flow control decisions. +scf,scf:net-04.8,NET-04.8,Controls,1,702,Data Type Identifiers,Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains. +scf,scf:net-04.9,NET-04.9,Controls,1,703,Decomposition Into Policy-Related Subcomponents,"Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains." +scf,scf:net-04.10,NET-04.10,Controls,1,704,Detection of Unsanctioned Information,"Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains." +scf,scf:net-04.11,NET-04.11,Controls,1,705,Approved Solutions,"Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibits the transfer of such information, when transferring information between different security domains." +scf,scf:net-04.12,NET-04.12,Controls,1,706,Cross Domain Authentication,Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer. 
+scf,scf:net-04.13,NET-04.13,Controls,1,707,Metadata Validation,Automated mechanisms exist to apply security and/or privacy filters on metadata. +scf,scf:net-05,NET-05,Controls,1,708,System Interconnections,"Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, security and privacy requirements and the nature of the information communicated. + +Methods To Comply With SCF Controls: +- VisibleOps security management" +scf,scf:net-05.1,NET-05.1,Controls,1,709,External System Connections,Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device. +scf,scf:net-05.2,NET-05.2,Controls,1,710,Internal System Connections,"Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated." +scf,scf:net-06,NET-06,Controls,1,711,Network Segmentation,"Mechanisms exist to ensure network architecture utilizes network segmentation to isolate systems, applications and services that protections from other network resources. + +Methods To Comply With SCF Controls: +- Subnetting +- VLANs" +scf,scf:net-06.1,NET-06.1,Controls,1,712,Security Management Subnets,Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system. 
+scf,scf:net-06.2,NET-06.2,Controls,1,713,Virtual Local Area Network (VLAN) Separation,"Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems. + +Methods To Comply With SCF Controls: +- Virtual Local Area Network (VLAN)" +scf,scf:net-06.3,NET-06.3,Controls,1,714,Sensitive / Regulated Data Enclave (Secure Zone),Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones). +scf,scf:net-06.4,NET-06.4,Controls,1,715,Segregation From Enterprise Services,"Mechanisms exist to isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments." +scf,scf:net-06.5,NET-06.5,Controls,1,716,Direct Internet Access Restrictions,"Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones)." +scf,scf:net-07,NET-07,Controls,1,717,Remote Session Termination,Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity. +scf,scf:net-08,NET-08,Controls,1,718,Network Intrusion Detection / Prevention Systems (NIDS / NIPS),Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network. +scf,scf:net-08.1,NET-08.1,Controls,1,719,DMZ Networks,"Mechanisms exist to require De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks. 
+ +Methods To Comply With SCF Controls: +- Architectural review board +- System Security Plan (SSP)" +scf,scf:net-08.2,NET-08.2,Controls,1,720,Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS),Mechanisms exist to require wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies. +scf,scf:net-09,NET-09,Controls,1,721,Session Integrity ,"Mechanisms exist to protect the authenticity and integrity of communications sessions. + +Methods To Comply With SCF Controls: +- PKI for non-repudiation" +scf,scf:net-09.1,NET-09.1,Controls,1,722,Invalidate Session Identifiers at Logout,Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination. +scf,scf:net-09.2,NET-09.2,Controls,1,723,Unique System-Generated Session Identifiers,Automated mechanisms exist to generate and recognize unique session identifiers for each session. +scf,scf:net-10,NET-10,Controls,1,724,Domain Name Service (DNS) Resolution ,"Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution." +scf,scf:net-10.1,NET-10.1,Controls,1,725,Architecture & Provisioning for Name / Address Resolution Service,Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service for are fault-tolerant and implement internal/external role separation. +scf,scf:net-10.2,NET-10.2,Controls,1,726,Secure Name / Address Resolution Service (Recursive or Caching Resolver),Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems. 
+scf,scf:net-10.3,NET-10.3,Controls,1,727,Sender Policy Framework (SPF),Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain. +scf,scf:net-10.4,NET-10.4,Controls,1,728,Domain Registrar Security,"Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details." +scf,scf:net-11,NET-11,Controls,1,729,Out-of-Band Channels ,"Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals. + +Methods To Comply With SCF Controls: +- Signature delivery (courier service)" +scf,scf:net-12,NET-12,Controls,1,730,Safeguarding Data Over Open Networks ,"Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks. " +scf,scf:net-12.1,NET-12.1,Controls,1,731,Wireless Link Protection,"Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered." +scf,scf:net-12.2,NET-12.2,Controls,1,732,End-User Messaging Technologies,"Mechanisms exist to prohibit the transmission of unprotected sensitive data by end-user messaging technologies. + +Methods To Comply With SCF Controls: +- Acceptable Use Policy (AUP) +- Data Loss Prevention (DLP)" +scf,scf:net-13,NET-13,Controls,1,733,Electronic Messaging,"Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications." 
+scf,scf:net-14,NET-14,Controls,1,734,Remote Access ,"Mechanisms exist to define, control and review organization-approved, secure remote access methods." +scf,scf:net-14.1,NET-14.1,Controls,1,735,Automated Monitoring & Control ,Automated mechanisms exist to monitor and control remote access sessions. +scf,scf:net-14.2,NET-14.2,Controls,1,736,Protection of Confidentiality / Integrity Using Encryption,"Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN). " +scf,scf:net-14.3,NET-14.3,Controls,1,737,Managed Access Control Points,"Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator)." +scf,scf:net-14.4,NET-14.4,Controls,1,738,Remote Privileged Commands & Sensitive Data Access,Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs. +scf,scf:net-14.5,NET-14.5,Controls,1,739,Work From Anywhere (WFA) - Telecommuting Security,Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers. +scf,scf:net-14.6,NET-14.6,Controls,1,740,Third-Party Remote Access Governance,"Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access." +scf,scf:net-14.7,NET-14.7,Controls,1,741,Endpoint Security Validation ,"Mechanisms exist to validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:net-14.8,NET-14.8,Controls,1,742,Expeditious Disconnect / Disable Capability ,Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session. +scf,scf:net-15,NET-15,Controls,1,743,Wireless Networking ,Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access. +scf,scf:net-15.1,NET-15.1,Controls,1,744,Authentication & Encryption,Mechanisms exist to exist to protect wireless access through authentication and strong encryption. +scf,scf:net-15.2,NET-15.2,Controls,1,745,Disable Wireless Networking,Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users. +scf,scf:net-15.3,NET-15.3,Controls,1,746,Restrict Configuration By Users,Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities. +scf,scf:net-15.4,NET-15.4,Controls,1,747,Wireless Boundaries,Mechanisms exist to confine wireless communications to organization-controlled boundaries. +scf,scf:net-15.5,NET-15.5,Controls,1,748,Rogue Wireless Detection,Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies). +scf,scf:net-16,NET-16,Controls,1,749,Intranets,"Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: " +scf,scf:net-17,NET-17,Controls,1,750,Data Loss Prevention (DLP) ,"Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed. 
+ +Methods To Comply With SCF Controls: +- Data Loss Prevention (DLP)" +scf,scf:net-18,NET-18,Controls,1,751,DNS & Content Filtering ,Mechanisms exist to force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites. +scf,scf:net-18.1,NET-18.1,Controls,1,752,Route Traffic to Proxy Servers,Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces. +scf,scf:net-18.2,NET-18.2,Controls,1,753,Visibility of Encrypted Communications,Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms. +scf,scf:net-18.3,NET-18.3,Controls,1,754,Route Privileged Network Access,"Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing." +scf,scf:pes-01,PES-01,Controls,1,755,Physical & Environmental Protections,Mechanisms exist to facilitate the operation of physical and environmental protection controls. +scf,scf:pes-01.1,PES-01.1,Controls,1,756,Site Security Plan (SitePlan),"Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats." +scf,scf:pes-02,PES-02,Controls,1,757,Physical Access Authorizations ,Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible). +scf,scf:pes-02.1,PES-02.1,Controls,1,758,Role-Based Physical Access,Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual. 
+scf,scf:pes-02.2,PES-02.2,Controls,1,759,Dual Authorization for Physical Access,"Mechanisms exist to enforce a ""two-person rule"" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.)." +scf,scf:pes-03,PES-03,Controls,1,760,Physical Access Control ,"Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible). + +Methods To Comply With SCF Controls: +- Security guards +- Verify individual access authorizations before granting access to the facility. +- Control entry to the facility containing the system using physical access devices and/or guards. +- Control access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk. +- Secure keys, combinations and other physical access devices. +- Change combinations and keys and when keys are lost, combinations are compromised or individuals are transferred or terminated." +scf,scf:pes-03.1,PES-03.1,Controls,1,761,Controlled Ingress & Egress Points,Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points. +scf,scf:pes-03.2,PES-03.2,Controls,1,762,Lockable Physical Casings,"Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings). + +Methods To Comply With SCF Controls: +- CCTV +- Lockable server/network racks +- Logged access badges to access server rooms" +scf,scf:pes-03.3,PES-03.3,Controls,1,763,Physical Access Logs ,"Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points. 
+ +Methods To Comply With SCF Controls: +- Visitor logbook +- iLobby (https://goilobby.com/) +- The Receptionist (https://thereceptionist.com/) +- LobbyGuard (http://lobbyguard.com/)" +scf,scf:pes-03.4,PES-03.4,Controls,1,764,Access To Information Systems,"Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive data, in addition to the physical access controls for the facility." +scf,scf:pes-04,PES-04,Controls,1,765,"Physical Security of Offices, Rooms & Facilities","Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities. + +Methods To Comply With SCF Controls: +- ""clean desk"" policy +- Management spot checks" +scf,scf:pes-04.1,PES-04.1,Controls,1,766,Working in Secure Areas,"Physical security mechanisms exist to allow only authorized personnel access to secure areas. + +Methods To Comply With SCF Controls: +- Visitor escorts" +scf,scf:pes-04.2,PES-04.2,Controls,1,767,Searches,"Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets." +scf,scf:pes-04.3,PES-04.3,Controls,1,768,Temporary Storage,"Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards." +scf,scf:pes-05,PES-05,Controls,1,769,Monitoring Physical Access,"Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents." 
+scf,scf:pes-05.1,PES-05.1,Controls,1,770,Intrusion Alarms / Surveillance Equipment ,"Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment. + +Methods To Comply With SCF Controls: +- CCTV" +scf,scf:pes-05.2,PES-05.2,Controls,1,771,Monitoring Physical Access To Information Systems,"Facility security mechanisms exist to monitor physical access to critical information systems or sensitive data, in addition to the physical access monitoring of the facility." +scf,scf:pes-06,PES-06,Controls,1,772,Visitor Control,"Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible). + +Methods To Comply With SCF Controls: +- Visitor logbook +- iLobby (https://goilobby.com/) +- The Receptionist (https://thereceptionist.com/) +- LobbyGuard (http://lobbyguard.com/)" +scf,scf:pes-06.1,PES-06.1,Controls,1,773,Distinguish Visitors from On-Site Personnel,"Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive data is accessible. + +Methods To Comply With SCF Controls: +- Visible badges for visitors that are different from organizational personnel +" +scf,scf:pes-06.2,PES-06.2,Controls,1,774,Identification Requirement,Physical access control mechanisms exist to requires at least one (1) form of government-issued photo identification to authenticate individuals before they can gain access to the facility. +scf,scf:pes-06.3,PES-06.3,Controls,1,775,Restrict Unescorted Access,"Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access. " +scf,scf:pes-06.4,PES-06.4,Controls,1,776,Automated Records Management & Review,Automated mechanisms exist to facilitate the maintenance and review of visitor access records. 
+scf,scf:pes-06.5,PES-06.5,Controls,1,777,Minimize Visitor Personal Data (PD),Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records. +scf,scf:pes-06.6,PES-06.6,Controls,1,778,Visitor Access Revocation,"Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration." +scf,scf:pes-07,PES-07,Controls,1,779,Supporting Utilities ,Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction. +scf,scf:pes-07.1,PES-07.1,Controls,1,780,Automatic Voltage Controls,Facility security mechanisms exist to utilize automatic voltage controls for critical system components. +scf,scf:pes-07.2,PES-07.2,Controls,1,781,Emergency Shutoff,Facility security mechanisms exist to shut off power in emergency situations by: +scf,scf:pes-07.3,PES-07.3,Controls,1,782,Emergency Power,"Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source." +scf,scf:pes-07.4,PES-07.4,Controls,1,783,Emergency Lighting,Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. +scf,scf:pes-07.5,PES-07.5,Controls,1,784,Water Damage Protection,"Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel. 
+ +Methods To Comply With SCF Controls: +- Water leak sensors +- Humidity sensors" +scf,scf:pes-07.6,PES-07.6,Controls,1,785,Automation Support for Water Damage Protection,Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel. +scf,scf:pes-07.7,PES-07.7,Controls,1,786,Redundant Cabling,Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged. +scf,scf:pes-08,PES-08,Controls,1,787,Fire Protection,Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source. +scf,scf:pes-08.1,PES-08.1,Controls,1,788,Fire Detection Devices,Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire. +scf,scf:pes-08.2,PES-08.2,Controls,1,789,Fire Suppression Devices,Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders. +scf,scf:pes-08.3,PES-08.3,Controls,1,790,Automatic Fire Suppression,Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis. +scf,scf:pes-09,PES-09,Controls,1,791,Temperature & Humidity Controls,Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility. +scf,scf:pes-09.1,PES-09.1,Controls,1,792,Monitoring with Alarms / Notifications,Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that be potentially harmful to personnel or equipment. 
+scf,scf:pes-10,PES-10,Controls,1,793,Delivery & Removal ,Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access. +scf,scf:pes-11,PES-11,Controls,1,794,Alternate Work Site,"Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites." +scf,scf:pes-12,PES-12,Controls,1,795,Equipment Siting & Protection ,Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. +scf,scf:pes-12.1,PES-12.1,Controls,1,796,Transmission Medium Security,"Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage. " +scf,scf:pes-12.2,PES-12.2,Controls,1,797,Access Control for Output Devices,"Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output. + +Methods To Comply With SCF Controls: +- Printer management (print only when at the printer with proximity card or code)" +scf,scf:pes-13,PES-13,Controls,1,798,Information Leakage Due To Electromagnetic Signals Emanations,Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations. +scf,scf:pes-14,PES-14,Controls,1,799,Asset Monitoring and Tracking,"Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas. 
+ +Methods To Comply With SCF Controls: +- RFID tagging" +scf,scf:pes-15,PES-15,Controls,1,800,Electromagnetic Pulse (EMP) Protection,"Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components. + +Methods To Comply With SCF Controls: +- EMP shielding (Faraday cages)" +scf,scf:pes-16,PES-16,Controls,1,801,Component Marking,"Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component." +scf,scf:pes-17,PES-17,Controls,1,802,Proximity Sensor ,Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario. +scf,scf:pes-18,PES-18,Controls,1,803,On-Site Client Segregation,Mechanisms exist to ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client work spaces. +scf,scf:pri-01,PRI-01,Controls,1,804,Privacy Program,Mechanisms exist to facilitate the implementation and operation of privacy controls. +scf,scf:pri-01.1,PRI-01.1,Controls,1,805,Chief Privacy Officer (CPO),"Mechanisms exist to appoints a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." 
+scf,scf:pri-01.2,PRI-01.2,Controls,1,806,Privacy Act Statements,Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes: +scf,scf:pri-01.3,PRI-01.3,Controls,1,807,Dissemination of Privacy Program Information ,Mechanisms exist to: +scf,scf:pri-01.4,PRI-01.4,Controls,1,808,Data Protection Officer (DPO),Mechanisms exist to appoint a Data Protection Officer (DPO): +scf,scf:pri-01.5,PRI-01.5,Controls,1,809,Binding Corporate Rules (BCR),"Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data." +scf,scf:pri-01.6,PRI-01.6,Controls,1,810,Security of Personal Data,Mechanisms exist to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD. +scf,scf:pri-01.7,PRI-01.7,Controls,1,811,Limiting Personal Data Disclosures,Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained. +scf,scf:pri-02,PRI-02,Controls,1,812,Privacy Notice,Mechanisms exist to: +scf,scf:pri-02.1,PRI-02.1,Controls,1,813,Purpose Specification,"Mechanisms exist to identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its privacy notices." +scf,scf:pri-02.2,PRI-02.2,Controls,1,814,Automated Data Management Processes,"Automated mechanisms exist to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s). 
+ +Methods To Comply With SCF Controls: +The organization should identify and address obligations, including legal obligations, to the PD principals resulting from decisions made by the organization which are related to the PD principal based solely on automated processing of PD." +scf,scf:pri-02.3,PRI-02.3,Controls,1,815,Computer Matching Agreements (CMA) ,Mechanisms exist to publish Computer Matching Agreements (CMA) on the public website of the organization. +scf,scf:pri-02.4,PRI-02.4,Controls,1,816,System of Records Notice (SORN),"Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance." +scf,scf:pri-02.5,PRI-02.5,Controls,1,817,System of Records Notice (SORN) Review Process,Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. +scf,scf:pri-02.6,PRI-02.6,Controls,1,818,Privacy Act Exemptions,Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate. +scf,scf:pri-02.7,PRI-02.7,Controls,1,819,Real-Time or Layered Notice,Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's privacy notice. +scf,scf:pri-03,PRI-03,Controls,1,820,Choice & Consent,"Mechanisms exist to authorize the processing of their Personal Data (PD) prior to its collection that: + +Methods To Comply With SCF Controls: +- ""opt in"" vs ""opt out"" user selections" +scf,scf:pri-03.1,PRI-03.1,Controls,1,821,Tailored Consent,Mechanisms exist to allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD). 
+scf,scf:pri-03.2,PRI-03.2,Controls,1,822,Just-In-Time Notice & Updated Consent,"Mechanisms exist to present authorizations to process Personal Data (PD) in conjunction with the data action, when:" +scf,scf:pri-03.3,PRI-03.3,Controls,1,823,Prohibition Of Selling or Sharing Personal Data (PD),Mechanisms exist to prevent the sale or sharing of Personal Data (PD) when instructed by the data subject. +scf,scf:pri-03.4,PRI-03.4,Controls,1,824,Revoke Consent,Mechanisms exist to allow data subjects to revoke consent to the processing of their Personal Data (PD). +scf,scf:pri-03.5,PRI-03.5,Controls,1,825,Product or Service Delivery Restrictions,"Mechanisms exist to prohibit the refusal or products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent. + +Methods To Comply With SCF Controls: +- Privacy Program" +scf,scf:pri-03.6,PRI-03.6,Controls,1,826,Authorized Agent,"Mechanisms exist to allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions." +scf,scf:pri-03.7,PRI-03.7,Controls,1,827,Active Participation By Data Subjects,"Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.)." +scf,scf:pri-03.8,PRI-03.8,Controls,1,828,Global Privacy Control (GPC),"Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal)." +scf,scf:pri-04,PRI-04,Controls,1,829,Restrict Collection To Identified Purpose,"Mechanisms exist to collect Personal Data (PD) only for the purposes identified in the privacy notice and includes protections against collecting PD from minors without appropriate parental, or legal guardian, consent." 
+scf,scf:pri-04.1,PRI-04.1,Controls,1,830,"Authority To Collect, Use, Maintain & Share Personal Data (PD)","Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need." +scf,scf:pri-04.2,PRI-04.2,Controls,1,831,Primary Sources,"Mechanisms exist to ensure information is directly collected from the data subject, whenever possible." +scf,scf:pri-04.3,PRI-04.3,Controls,1,832,Identifiable Image Collection,"Mechanisms exist to restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs. + +Methods To Comply With SCF Controls: +- Privacy Program" +scf,scf:pri-04.4,PRI-04.4,Controls,1,833,Acquired Personal Data (PD),"Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject." +scf,scf:pri-04.5,PRI-04.5,Controls,1,834,Validate Collected Personal Data,"Mechanisms exist to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process." +scf,scf:pri-04.6,PRI-04.6,Controls,1,835,Re-Validate Collected Personal Data,"Mechanisms exist to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate." 
+scf,scf:pri-05,PRI-05,Controls,1,836,Personal Data Retention & Disposal,Mechanisms exist to: +scf,scf:pri-05.1,PRI-05.1,Controls,1,837,"Internal Use of Personal Data For Testing, Training and Research","Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that:" +scf,scf:pri-05.2,PRI-05.2,Controls,1,838,Personal Data Accuracy & Integrity,Mechanisms exist to confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle. +scf,scf:pri-05.3,PRI-05.3,Controls,1,839,Data Masking,"Mechanisms exist to mask sensitive information through data anonymization, pseudonymization, redaction or de-identification." +scf,scf:pri-05.4,PRI-05.4,Controls,1,840,Usage Restrictions of Sensitive Personal Data,"Mechanisms exist to restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in privacy notices. " +scf,scf:pri-05.5,PRI-05.5,Controls,1,841,Inventory of Personal Data (PD),"Mechanisms exist to establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD). " +scf,scf:pri-05.6,PRI-05.6,Controls,1,842,Personal Data (PD) Inventory Automation Support,Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form. +scf,scf:pri-05.7,PRI-05.7,Controls,1,843,Personal Data (PD) Categories,Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD). +scf,scf:pri-06,PRI-06,Controls,1,844,Data Subject Access,Mechanisms exist to provide individuals the ability to access their Personal Data (PD) maintained in organizational systems of records. 
+scf,scf:pri-06.1,PRI-06.1,Controls,1,845,Correcting Inaccurate Personal Data,"Mechanisms exist to establish and implement a process for: + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:pri-06.2,PRI-06.2,Controls,1,846,Notice of Correction or Processing Change,"Mechanisms exist to notify affected individuals if their Personal Data (PD) has been corrected or amended. + +Methods To Comply With SCF Controls: +The organization should, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PD, thereby giving the customer the opportunity to object to such changes." +scf,scf:pri-06.3,PRI-06.3,Controls,1,847,Appeal Adverse Decision,Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended. +scf,scf:pri-06.4,PRI-06.4,Controls,1,848,User Feedback Management,"Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices." +scf,scf:pri-06.5,PRI-06.5,Controls,1,849,Right to Erasure,"Mechanisms exist to erase personal data of an individual, without delay." +scf,scf:pri-06.6,PRI-06.6,Controls,1,850,Data Portability,"Mechanisms exist to export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance." +scf,scf:pri-06.7,PRI-06.7,Controls,1,851,Personal Data Exportability,Mechanisms exist to digitally export Personal Data (PD) in a secure manner upon request by the data subject. 
+scf,scf:pri-07,PRI-07,Controls,1,852,Information Sharing With Third Parties,"Mechanisms exist to discloses Personal Data (PD) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the data subject. + +Methods To Comply With SCF Controls: +- Veris (incident sharing) (http://veriscommunity.net)" +scf,scf:pri-07.1,PRI-07.1,Controls,1,853,Privacy Requirements for Contractors & Service Providers ,Mechanisms exist to includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers. +scf,scf:pri-07.2,PRI-07.2,Controls,1,854,Joint Processing of Personal Data,Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem. +scf,scf:pri-07.3,PRI-07.3,Controls,1,855,Obligation To Inform Third-Parties,"Mechanisms exist to inform applicable third-parties to any modification, deletion or other change that affects shared Personal Data (PD). + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:pri-07.4,PRI-07.4,Controls,1,856,Reject Unauthorized Disclosure Requests,"Mechanisms exist to reject unauthorized disclosure requests. + +Methods To Comply With SCF Controls: +- Authorized Agent" +scf,scf:pri-08,PRI-08,Controls,1,857,"Testing, Training & Monitoring","Mechanisms exist to conduct security and privacy testing, training and monitoring activities" +scf,scf:pri-09,PRI-09,Controls,1,858,Personal Data Lineage,"Mechanisms exist to utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed under the organization's responsibility. + +Methods To Comply With SCF Controls: +The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PD." 
+scf,scf:pri-10,PRI-10,Controls,1,859,Data Quality Management,"Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle." +scf,scf:pri-10.1,PRI-10.1,Controls,1,860,Automation,Automated mechanisms exist to support the evaluation of data quality across the information lifecycle. +scf,scf:pri-10.2,PRI-10.2,Controls,1,861,Data Analytics Bias,Mechanisms exist to evaluate its analytical processes for potential bias. +scf,scf:pri-11,PRI-11,Controls,1,862,Data Tagging,Mechanisms exist to issue data modeling guidelines to support tagging of sensitive data. +scf,scf:pri-12,PRI-12,Controls,1,863,Updating Personal Data (PD),Mechanisms exist to develop processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur. +scf,scf:pri-13,PRI-13,Controls,1,864,Data Management Board,"Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assigned organization-defined roles to the DMB. + +Methods To Comply With SCF Controls: +- Data Management Board (DMB)" +scf,scf:pri-14,PRI-14,Controls,1,865,Privacy Records & Reporting,"Mechanisms exist to maintain privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates." +scf,scf:pri-14.1,PRI-14.1,Controls,1,866,Accounting of Disclosures,"Mechanisms exist to develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request." 
+scf,scf:pri-14.2,PRI-14.2,Controls,1,867,Notification of Disclosure Request To Data Subject,Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD). +scf,scf:pri-15,PRI-15,Controls,1,868,Register Database,"Mechanisms exist to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary." +scf,scf:pri-16,PRI-16,Controls,1,869,Potential Human Rights Abuses,"Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations. + +Methods To Comply With SCF Controls: +- Board of Directors (Bod) Ethics Committee" +scf,scf:pri-17,PRI-17,Controls,1,870,Data Subject Communications,"Mechanisms exist to craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person." +scf,scf:pri-17.1,PRI-17.1,Controls,1,871,Conspicuous Link To Privacy Notice,Mechanisms exist to include a conspicuous link to the organization's privacy notice on all consumer-facing websites and mobile applications. +scf,scf:pri-17.2,PRI-17.2,Controls,1,872,Notice of Financial Incentive,"Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate." +scf,scf:prm-01,PRM-01,Controls,1,873,Security Portfolio Management,Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives. 
+scf,scf:prm-01.1,PRM-01.1,Controls,1,874,Strategic Plan & Objectives,Mechanisms exist to establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan. +scf,scf:prm-01.2,PRM-01.2,Controls,1,875,Targeted Capability Maturity Levels,Mechanisms exist to define and identify targeted capability maturity levels. +scf,scf:prm-02,PRM-02,Controls,1,876,Security & Privacy Resource Management,"Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs and documents all exceptions to this requirement. " +scf,scf:prm-03,PRM-03,Controls,1,877,Allocation of Resources ,"Mechanisms exist to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives." +scf,scf:prm-04,PRM-04,Controls,1,878,Security & Privacy In Project Management ,"Mechanisms exist to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements." +scf,scf:prm-05,PRM-05,Controls,1,879,Security & Privacy Requirements Definition,"Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). 
+ +Methods To Comply With SCF Controls: +- Secure Development Life Cycle (SDLC)" +scf,scf:prm-06,PRM-06,Controls,1,880,Business Process Definition ,Mechanisms exist to define business processes with consideration for cybersecurity and privacy that determines: +scf,scf:prm-07,PRM-07,Controls,1,881,Secure Development Life Cycle (SDLC) Management,"Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:prm-08,PRM-08,Controls,1,882,Manage Organizational Knowledge,Mechanisms exist to manage the organizational knowledge of the cybersecurity and privacy staff. +scf,scf:rsk-01,RSK-01,Controls,1,883,Risk Management Program ,"Mechanisms exist to facilitate the implementation of risk management controls. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-01.1,RSK-01.1,Controls,1,884,Risk Framing,"Mechanisms exist to identify: + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-02,RSK-02,Controls,1,885,Risk-Based Security Categorization ,"Mechanisms exist to categorizes systems and data in accordance with applicable local, state and Federal laws that: + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-02.1,RSK-02.1,Controls,1,886,Impact-Level Prioritization,"Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions." +scf,scf:rsk-03,RSK-03,Controls,1,887,Risk Identification,"Mechanisms exist to identify and document risks, both internal and external. 
+ +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-04,RSK-04,Controls,1,888,Risk Assessment ,"Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- Risk assessment +- Business Impact Analysis (BIA) +- Data Protection Impact Assessment (DPIA)" +scf,scf:rsk-04.1,RSK-04.1,Controls,1,889,Risk Register,"Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- Risk register +- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)" +scf,scf:rsk-05,RSK-05,Controls,1,890,Risk Ranking ,"Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-06,RSK-06,Controls,1,891,Risk Remediation ,"Mechanisms exist to remediate risks to an acceptable level. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:rsk-06.1,RSK-06.1,Controls,1,892,Risk Response,"Mechanisms exist to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-06.2,RSK-06.2,Controls,1,893,Compensating Countermeasures,Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats. 
+scf,scf:rsk-07,RSK-07,Controls,1,894,Risk Assessment Update,"Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-08,RSK-08,Controls,1,895,Business Impact Analysis (BIA) ,"Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- Data Protection Impact Assessment (DPIA) +- Business Impact Analysis (BIA)" +scf,scf:rsk-09,RSK-09,Controls,1,896,Supply Chain Risk Management (SCRM) Plan,"Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP)" +scf,scf:rsk-09.1,RSK-09.1,Controls,1,897,Supply Chain Risk Assessment,"Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services. + +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- Data Protection Impact Assessment (DPIA)" +scf,scf:rsk-10,RSK-10,Controls,1,898,Data Protection Impact Assessment (DPIA) ,"Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks. 
+ +Methods To Comply With SCF Controls: +- Risk Management Program (RMP) +- Data Protection Impact Assessment (DPIA) +- Privacy Impact Assessment (PIA)" +scf,scf:rsk-11,RSK-11,Controls,1,899,Risk Monitoring,"Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security & privacy controls, compliance and change management." +scf,scf:sea-01,SEA-01,Controls,1,900,Secure Engineering Principles ,"Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services." +scf,scf:sea-01.1,SEA-01.1,Controls,1,901,Centralized Management of Cybersecurity & Privacy Controls,Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes. +scf,scf:sea-02,SEA-02,Controls,1,902,Alignment With Enterprise Architecture ,"Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations. + +Methods To Comply With SCF Controls: +- Administrative controls through corporate policies, standards & procedures. +- NIST 800-160 +- Enterprise architecture committee" +scf,scf:sea-02.1,SEA-02.1,Controls,1,903,Standardized Terminology,Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments. +scf,scf:sea-02.2,SEA-02.2,Controls,1,904,Outsourcing Non-Essential Functions or Services,Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to third-party service providers and align with the organization's enterprise architecture and security standards. 
+scf,scf:sea-02.3,SEA-02.3,Controls,1,905,Technical Debt Reviews,Mechanisms exist to conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies. +scf,scf:sea-03,SEA-03,Controls,1,906,Defense-In-Depth (DiD) Architecture,Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. +scf,scf:sea-03.1,SEA-03.1,Controls,1,907,System Partitioning ,Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments. +scf,scf:sea-03.2,SEA-03.2,Controls,1,908,Application Partitioning,"Mechanisms exist to separate user functionality from system management functionality. + +Methods To Comply With SCF Controls: +- Separate interface for non-privileged users." +scf,scf:sea-04,SEA-04,Controls,1,909,Process Isolation ,Mechanisms exist to implement a separate execution domain for each executing process. +scf,scf:sea-04.1,SEA-04.1,Controls,1,910,Security Function Isolation,Mechanisms exist to isolate security functions from non-security functions. +scf,scf:sea-04.2,SEA-04.2,Controls,1,911,Hardware Separation,Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation. +scf,scf:sea-04.3,SEA-04.3,Controls,1,912,Thread Separation,Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing. +scf,scf:sea-05,SEA-05,Controls,1,913,Information In Shared Resources ,Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources. +scf,scf:sea-06,SEA-06,Controls,1,914,Prevent Program Execution,Automated mechanisms exist to prevent the execution of unauthorized software programs. 
+scf,scf:sea-07,SEA-07,Controls,1,915,Predictable Failure Analysis ,"Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation. + +Methods To Comply With SCF Controls: +- Mean Time to Failure (MTTF)" +scf,scf:sea-07.1,SEA-07.1,Controls,1,916,Technology Lifecycle Management,"Mechanisms exist to manage the usable lifecycles of systems. + +Methods To Comply With SCF Controls: +- Computer Lifecycle Program (CLP) +- Technology Asset Management (TAM)" +scf,scf:sea-07.2,SEA-07.2,Controls,1,917,Fail Secure,"Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure. " +scf,scf:sea-07.3,SEA-07.3,Controls,1,918,Fail Safe,Mechanisms exist to implement fail-safe procedures when failure conditions occur. +scf,scf:sea-08,SEA-08,Controls,1,919,Non-Persistence ,Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency. +scf,scf:sea-08.1,SEA-08.1,Controls,1,920,Refresh from Trusted Sources,"Mechanisms exist to ensures that software and data needed for information system component and service refreshes are obtained from trusted sources. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:sea-09,SEA-09,Controls,1,921,Information Output Filtering ,Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content. +scf,scf:sea-09.1,SEA-09.1,Controls,1,922,Limit Personal Data (PD) Dissemination,"Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes. 
+ +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:sea-10,SEA-10,Controls,1,923,Memory Protection ,"Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution. + +Methods To Comply With SCF Controls: +- Puppet (https://puppet.com/) +- Chef (https://www.chef.io/) (https://www.chef.io/)" +scf,scf:sea-11,SEA-11,Controls,1,924,Honeypots ,"Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks. " +scf,scf:sea-12,SEA-12,Controls,1,925,Honeyclients ,Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code. +scf,scf:sea-13,SEA-13,Controls,1,926,Heterogeneity ,Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM). +scf,scf:sea-13.1,SEA-13.1,Controls,1,927,Virtualization Techniques ,Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications. +scf,scf:sea-14,SEA-14,Controls,1,928,Concealment & Misdirection ,Mechanisms exist to utilize concealment and misdirection techniques for systems to confuse and mislead adversaries. +scf,scf:sea-14.1,SEA-14.1,Controls,1,929,Randomness,Automated mechanisms exist to introduce randomness into organizational operations and assets. +scf,scf:sea-14.2,SEA-14.2,Controls,1,930,Change Processing & Storage Locations,Automated mechanisms exist to change the location of processing and/or storage at random time intervals. +scf,scf:sea-15,SEA-15,Controls,1,931,Distributed Processing & Storage ,Mechanisms exist to distribute processing and storage across multiple physical locations. 
+scf,scf:sea-16,SEA-16,Controls,1,932,Non-Modifiable Executable Programs ,"Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media." +scf,scf:sea-17,SEA-17,Controls,1,933,Secure Log-On Procedures ,"Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system. + +Methods To Comply With SCF Controls: +- Active Directory (AD) Ctrl+Alt+Del login process" +scf,scf:sea-18,SEA-18,Controls,1,934,System Use Notification (Logon Banner),"Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides privacy and security notices. + +Methods To Comply With SCF Controls: +- Logon banner +- System use notifications +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:sea-18.1,SEA-18.1,Controls,1,935,Standardized Microsoft Windows Banner,"Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides privacy and security notices. + +Methods To Comply With SCF Controls: +- Active Directory (AD) Ctrl+Alt+Del login process +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:sea-18.2,SEA-18.2,Controls,1,936,Truncated Banner,"Mechanisms exist to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory. 
+ +Methods To Comply With SCF Controls: +- Logon banner +- System use notifications +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:sea-19,SEA-19,Controls,1,937,Previous Logon Notification,"Mechanisms exist to configure systems that process, store or transmit sensitive data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. + +Methods To Comply With SCF Controls: +- Network Time Protocol (NTP)" +scf,scf:sea-20,SEA-20,Controls,1,938,Clock Synchronization,"Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks. + +Methods To Comply With SCF Controls: +- Network Time Protocol (NTP)" +scf,scf:ops-01,OPS-01,Controls,1,939,Operations Security ,"Mechanisms exist to facilitate the implementation of operational security controls. + +Methods To Comply With SCF Controls: +- Standardized Operating Procedures (SOP) +- ITIL v4 +- COBIT 5" +scf,scf:ops-01.1,OPS-01.1,Controls,1,940,Standardized Operating Procedures (SOP),"Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks. + +Methods To Comply With SCF Controls: +- Standardized Operating Procedures (SOP)" +scf,scf:ops-02,OPS-02,Controls,1,941,Security Concept Of Operations (CONOPS) ,"Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders. 
" +scf,scf:ops-03,OPS-03,Controls,1,942,Service Delivery,"Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area. + +Methods To Comply With SCF Controls: +- ITIL v4 +- COBIT 5" +scf,scf:ops-04,OPS-04,Controls,1,943,Security Operations Center (SOC),Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability. +scf,scf:ops-05,OPS-05,Controls,1,944,Secure Practices Guidelines,"Mechanisms exist to provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service." +scf,scf:sat-01,SAT-01,Controls,1,945,Security & Privacy-Minded Workforce ,Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. +scf,scf:sat-02,SAT-02,Controls,1,946,Security & Privacy Awareness ,Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function. +scf,scf:sat-02.1,SAT-02.1,Controls,1,947,Simulated Cyber Attack Scenario Training,Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios. +scf,scf:sat-02.2,SAT-02.2,Controls,1,948,Social Engineering & Mining,Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining. 
+scf,scf:sat-03,SAT-03,Controls,1,949,Role-Based Security & Privacy Training ,Mechanisms exist to provide role-based security-related training: +scf,scf:sat-03.1,SAT-03.1,Controls,1,950,Practical Exercises ,Mechanisms exist to include practical exercises in security and privacy training that reinforce training objectives. +scf,scf:sat-03.2,SAT-03.2,Controls,1,951,Suspicious Communications & Anomalous System Behavior,Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior. +scf,scf:sat-03.3,SAT-03.3,Controls,1,952,"Sensitive Information Storage, Handling & Processing","Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements." +scf,scf:sat-03.4,SAT-03.4,Controls,1,953,Vendor Security & Privacy Training,Mechanisms exist to incorporate vendor-specific security training in support of new technology initiatives. +scf,scf:sat-03.5,SAT-03.5,Controls,1,954,Privileged Users,Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities +scf,scf:sat-03.6,SAT-03.6,Controls,1,955,Cyber Threat Environment,Mechanisms exist to provide role-based security and privacy awareness training that is specific to the cyber threats that the user might encounter the user's specific day-to-day business operations. +scf,scf:sat-03.7,SAT-03.7,Controls,1,956,Continuing Professional Education (CPE) - Cybersecurity & Privacy Personnel,Mechanisms exist to ensure cybersecurity and privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities. 
+scf,scf:sat-03.8,SAT-03.8,Controls,1,957,Continuing Professional Education (CPE) - DevOps Personnel,Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats. +scf,scf:sat-04,SAT-04,Controls,1,958,Security & Privacy Training Records ,"Mechanisms exist to document, retain and monitor individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. + +Methods To Comply With SCF Controls: +- KnowB4 (https://www.knowbe4.com/)" +scf,scf:tda-01,TDA-01,Controls,1,959,Technology Development & Acquisition,"Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs." +scf,scf:tda-01.1,TDA-01.1,Controls,1,960,Product Management,"Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies." +scf,scf:tda-01.2,TDA-01.2,Controls,1,961,Integrity Mechanisms for Software / Firmware Updates ,"Mechanisms exist to utilize integrity validation mechanisms for security updates. + +Methods To Comply With SCF Controls: +- Checksum comparison +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:tda-01.3,TDA-01.3,Controls,1,962,Malware Testing Prior to Release ,"Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update. 
+ +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:tda-02,TDA-02,Controls,1,963,Minimum Viable Product (MVP) Security Requirements ,Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP). +scf,scf:tda-02.1,TDA-02.1,Controls,1,964,"Ports, Protocols & Services In Use","Mechanisms exist to require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use. + +Methods To Comply With SCF Controls: +- Ports, Protocols & Services (PPS)" +scf,scf:tda-02.2,TDA-02.2,Controls,1,965,Information Assurance Enabled Products,"Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved. + +Methods To Comply With SCF Controls: +- FIPS 201" +scf,scf:tda-02.3,TDA-02.3,Controls,1,966,"Development Methods, Techniques & Processes","Mechanisms exist to require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software." 
+scf,scf:tda-02.4,TDA-02.4,Controls,1,967,Pre-Established Security Configurations,Mechanisms exist to ensure software vendors / manufacturers: +scf,scf:tda-02.5,TDA-02.5,Controls,1,968,"Identification & Justification of Ports, Protocols & Services","Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions. " +scf,scf:tda-02.6,TDA-02.6,Controls,1,969,"Insecure Ports, Protocols & Services","Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions. " +scf,scf:tda-02.7,TDA-02.7,Controls,1,970,Security & Privacy Representatives For Product Changes,Mechanisms exist to include appropriate cybersecurity and privacy representatives in the product feature and/or functionality change control review process. +scf,scf:tda-03,TDA-03,Controls,1,971,Commercial Off-The-Shelf (COTS) Security Solutions ,Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products. +scf,scf:tda-03.1,TDA-03.1,Controls,1,972,Supplier Diversity,"Mechanisms exist to obtain security and privacy technologies from different suppliers to minimize supply chain risk. + +Methods To Comply With SCF Controls: +- Supplier diversity" +scf,scf:tda-04,TDA-04,Controls,1,973,Documentation Requirements,"Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe:" +scf,scf:tda-04.1,TDA-04.1,Controls,1,974,Functional Properties ,"Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls. 
+ +Methods To Comply With SCF Controls: +- SSAE-16 SOC2 report" +scf,scf:tda-04.2,TDA-04.2,Controls,1,975,Software Bill of Materials (SBOM),"Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses." +scf,scf:tda-05,TDA-05,Controls,1,976,Developer Architecture & Design ,"Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that: " +scf,scf:tda-05.1,TDA-05.1,Controls,1,977,Physical Diagnostic & Test Interfaces,Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse. +scf,scf:tda-05.2,TDA-05.2,Controls,1,978,Diagnostic & Test Interface Monitoring,Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces. +scf,scf:tda-06,TDA-06,Controls,1,979,Secure Coding ,"Mechanisms exist to develop applications based on secure coding principles. + +Methods To Comply With SCF Controls: +- OWASP's Application Security Verification Standard (ASVS) +- Mobile Application Security Verification Standard (MASVS)" +scf,scf:tda-06.1,TDA-06.1,Controls,1,980,Criticality Analysis,"Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC). + +Methods To Comply With SCF Controls: +- Secure Development Life Cycle (SDLC)" +scf,scf:tda-06.2,TDA-06.2,Controls,1,981,Threat Modeling,"Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for." 
+scf,scf:tda-06.3,TDA-06.3,Controls,1,982,Software Assurance Maturity Model (SAMM),"Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services." +scf,scf:tda-06.4,TDA-06.4,Controls,1,983,Supporting Toolchain,"Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle." +scf,scf:tda-06.5,TDA-06.5,Controls,1,984,Software Design Review,Mechanisms exist to have an independent review of the software design to confirm that all security and privacy requirements are met and that any identified risks are satisfactorily addressed. +scf,scf:tda-07,TDA-07,Controls,1,985,Secure Development Environments ,Mechanisms exist to maintain a segmented development network to ensure a secure development environment. +scf,scf:tda-08,TDA-08,Controls,1,986,"Separation of Development, Testing and Operational Environments ","Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems." +scf,scf:tda-08.1,TDA-08.1,Controls,1,987,Secure Migration Practices,"Mechanisms exist to ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment." 
+scf,scf:tda-09,TDA-09,Controls,1,988,Security & Privacy Testing Throughout Development ,"Mechanisms exist to require system developers/integrators consult with cybersecurity and privacy personnel to: + +Methods To Comply With SCF Controls: +- Security Test & Evaluation (ST&E)" +scf,scf:tda-09.1,TDA-09.1,Controls,1,989,Continuous Monitoring Plan,"Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of security & privacy control effectiveness. " +scf,scf:tda-09.2,TDA-09.2,Controls,1,990,Static Code Analysis,"Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis. " +scf,scf:tda-09.3,TDA-09.3,Controls,1,991,Dynamic Code Analysis ,"Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis. " +scf,scf:tda-09.4,TDA-09.4,Controls,1,992,Malformed Input Testing,"Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:tda-09.5,TDA-09.5,Controls,1,993,Application Penetration Testing,"Mechanisms exist to perform application-level penetration testing of custom-made applications and services. 
+ +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:tda-09.6,TDA-09.6,Controls,1,994,Secure Settings By Default,Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise. +scf,scf:tda-09.7,TDA-09.7,Controls,1,995,Manual Code Review,"Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design." +scf,scf:tda-10,TDA-10,Controls,1,996,Use of Live Data ,"Mechanisms exist to approve, document and control the use of live data in development and test environments." +scf,scf:tda-10.1,TDA-10.1,Controls,1,997,Test Data Integrity,"Mechanisms exist to ensure the integrity of test data through existing security & privacy controls. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:tda-11,TDA-11,Controls,1,998,Product Tampering and Counterfeiting (PTC),Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components. +scf,scf:tda-11.1,TDA-11.1,Controls,1,999,Anti-Counterfeit Training,"Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware. " +scf,scf:tda-11.2,TDA-11.2,Controls,1,1000,Component Disposal,[deprecated - incorporated into AST-09] +scf,scf:tda-12,TDA-12,Controls,1,1001,Customized Development of Critical Components ,"Mechanisms exist to custom-develop critical system components, when COTS solutions are unavailable. 
+ +Methods To Comply With SCF Controls: +- OWASP" +scf,scf:tda-13,TDA-13,Controls,1,1002,Developer Screening ,"Mechanisms exist to ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations." +scf,scf:tda-14,TDA-14,Controls,1,1003,Developer Configuration Management ,"Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation." +scf,scf:tda-14.1,TDA-14.1,Controls,1,1004,Software / Firmware Integrity Verification,"Mechanisms exist to require developer of systems, system components or services to enable integrity verification of software and firmware components. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:tda-14.2,TDA-14.2,Controls,1,1005,Hardware Integrity Verification,"Mechanisms exist to require developer of systems, system components or services to enable integrity verification of hardware components." +scf,scf:tda-15,TDA-15,Controls,1,1006,Developer Threat Analysis & Flaw Remediation,"Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party. + +Methods To Comply With SCF Controls: +- Security Test and Evaluation (ST&E) plan" +scf,scf:tda-16,TDA-16,Controls,1,1007,Developer-Provided Training ,"Mechanisms exist to require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service." +scf,scf:tda-17,TDA-17,Controls,1,1008,Unsupported Systems ,Mechanisms exist to prevent unsupported systems by: +scf,scf:tda-17.1,TDA-17.1,Controls,1,1009,Alternate Sources for Continued Support,Mechanisms exist to provide in-house support or contract external providers for support with unsupported system components. 
+scf,scf:tda-18,TDA-18,Controls,1,1010,Input Data Validation ,Mechanisms exist to check the validity of information inputs. +scf,scf:tda-19,TDA-19,Controls,1,1011,Error Handling ,Mechanisms exist to handle error conditions by: +scf,scf:tda-20,TDA-20,Controls,1,1012,Access to Program Source Code ,"Mechanisms exist to limit privileges to change software resident within software libraries. + +Methods To Comply With SCF Controls: +- Source code escrow" +scf,scf:tda-20.1,TDA-20.1,Controls,1,1013,Software Release Integrity Verification,Mechanisms exist to publish integrity verification information for software releases. +scf,scf:tda-20.2,TDA-20.2,Controls,1,1014,Archiving Software Releases,"Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information." +scf,scf:tda-20.3,TDA-20.3,Controls,1,1015,Software Escrow,Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support. +scf,scf:tpm-01,TPM-01,Controls,1,1016,Third-Party Management ,"Mechanisms exist to facilitate the implementation of third-party management controls. + +Methods To Comply With SCF Controls: +- Procurement program +- Contract reviews" +scf,scf:tpm-01.1,TPM-01.1,Controls,1,1017,Third-Party Inventories ,"Mechanisms exist to maintain a current, accurate and complete list of Third-Party Service Providers (TSP) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data." 
+scf,scf:tpm-02,TPM-02,Controls,1,1018,Third-Party Criticality Assessments,"Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:tpm-03,TPM-03,Controls,1,1019,Supply Chain Protection,"Mechanisms exist to evaluate security risks associated with the services and product supply chain. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:tpm-03.1,TPM-03.1,Controls,1,1020,"Acquisition Strategies, Tools & Methods","Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:tpm-03.2,TPM-03.2,Controls,1,1021,Limit Potential Harm,"Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain. + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA) +- Liability clause in contracts" +scf,scf:tpm-03.3,TPM-03.3,Controls,1,1022,Processes To Address Weaknesses or Deficiencies,"Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain + +Methods To Comply With SCF Controls: +- Data Protection Impact Assessment (DPIA)" +scf,scf:tpm-04,TPM-04,Controls,1,1023,Third-Party Services ,"Mechanisms exist to mitigate the risks associated with third-party access to the organization’s systems and data. + +Methods To Comply With SCF Controls: +- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services. 
+- Maintain and implement policies and procedures to manage service providers (e.g., Software-as-a-Service (SaaS), web hosting companies, collocation providers, or email providers), through observation, review of policies and procedures and review of supporting documentation. +- Maintain a program to monitor service providers’ control compliance status at least annually. +- Require providers of external system services to comply with organizational security requirements and employ appropriate security controls in accordance with applicable statutory, regulatory and contractual obligations. +- Define and document oversight and user roles and responsibilities with regard to external system services. +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:tpm-04.1,TPM-04.1,Controls,1,1024,Third-Party Risk Assessments & Approvals,"Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services. + +Methods To Comply With SCF Controls: +- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services. +- Maintain a list of service providers. +- Maintain and implement controls to manage security providers (e.g., backup tape storage facilities or security service providers), through observation, review of policies and procedures and review of supporting documentation. +- Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of data the service providers possess. +- Maintain a program to monitor service providers’ control compliance status, at least annually. +- Require that providers of external services comply with organizational digital security requirements and utilize appropriate security controls in accordance with all applicable laws and regulatory requirements." 
+scf,scf:tpm-04.2,TPM-04.2,Controls,1,1025,"External Connectivity Requirements - Identification of Ports, Protocols & Services","Mechanisms exist to require Third-Party Service Providers (TSP) to identify and document the business need for ports, protocols and other services it requires to operate its processes and technologies." +scf,scf:tpm-04.3,TPM-04.3,Controls,1,1026,Conflict of Interests,"Mechanisms exist to ensure that the interests of third-party service providers are consistent with and reflect organizational interests. + +Methods To Comply With SCF Controls: +- Third-party contract requirements for cybersecurity controls" +scf,scf:tpm-04.4,TPM-04.4,Controls,1,1027,"Third-Party Processing, Storage and Service Locations",Mechanisms exist to restrict the location of information processing/storage based on business requirements. +scf,scf:tpm-05,TPM-05,Controls,1,1028,Third-Party Contract Requirements,"Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data. + +Methods To Comply With SCF Controls: +- Non-Disclosure Agreements (NDAs)" +scf,scf:tpm-05.1,TPM-05.1,Controls,1,1029,Security Compromise Notification Agreements,"Mechanisms exist to compel Third-Party Service Providers (TSP) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes." +scf,scf:tpm-05.2,TPM-05.2,Controls,1,1030,Contract Flow-Down Requirements,Mechanisms exist to ensure cybersecurity and privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers. +scf,scf:tpm-05.3,TPM-05.3,Controls,1,1031,Third-Party Authentication Practices,Mechanisms exist to ensure Third-Party Service Providers (TSP) use unique authentication factors for each of its customers. 
+scf,scf:tpm-05.4,TPM-05.4,Controls,1,1032,"Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix","Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity and privacy controls between internal stakeholders and Third-Party Service Providers (TSP). + +Methods To Comply With SCF Controls: +- Customer Responsibility Matrix (CRM) +- Shared Responsibility Matrix (SRM) +- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix" +scf,scf:tpm-05.5,TPM-05.5,Controls,1,1033,Third-Party Scope Review,"Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity and privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders. " +scf,scf:tpm-05.6,TPM-05.6,Controls,1,1034,First-Party Declaration (1PD),"Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable Third-Party Service Providers (TSP) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and privacy controls, including any flow-down requirements to subcontractors. " +scf,scf:tpm-06,TPM-06,Controls,1,1035,Third-Party Personnel Security ,Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers. +scf,scf:tpm-07,TPM-07,Controls,1,1036,Monitoring for Third-Party Information Disclosure ,Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information. 
+scf,scf:tpm-08,TPM-08,Controls,1,1037,Review of Third-Party Services,"Mechanisms exist to monitor, regularly review and audit Third-Party Service Providers (TSP) for compliance with established contractual requirements for cybersecurity and privacy controls. " +scf,scf:tpm-09,TPM-09,Controls,1,1038,Third-Party Deficiency Remediation ,Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. +scf,scf:tpm-10,TPM-10,Controls,1,1039,Managing Changes To Third-Party Services,"Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. + +Methods To Comply With SCF Controls: +- Contact requirement to report changes to service offerings that may impact the contract. +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:tpm-11,TPM-11,Controls,1,1040,Third-Party Incident Response & Recovery Capabilities,Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers. +scf,scf:thr-01,THR-01,Controls,1,1041,Threat Intelligence Program,"Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities." +scf,scf:thr-02,THR-02,Controls,1,1042,Indicators of Exposure (IOE),"Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization. 
+ +Methods To Comply With SCF Controls: +- Indicators of Exposure (IoE)" +scf,scf:thr-03,THR-03,Controls,1,1043,Threat Intelligence Feeds,"Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls. + +Methods To Comply With SCF Controls: +- US-CERT mailing lists & feeds +- InfraGard +- Internal newsletters" +scf,scf:thr-04,THR-04,Controls,1,1044,Insider Threat Program ,"Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team. + +Methods To Comply With SCF Controls: +- Insider threat program" +scf,scf:thr-05,THR-05,Controls,1,1045,Insider Threat Awareness,Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat. +scf,scf:thr-06,THR-06,Controls,1,1046,Vulnerability Disclosure Program (VDP),"Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of products and services that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes. + +Methods To Comply With SCF Controls: +- ""bug bounty"" program" +scf,scf:thr-07,THR-07,Controls,1,1047,Threat Hunting,"Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls." +scf,scf:thr-08,THR-08,Controls,1,1048,Tainting,Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved. +scf,scf:vpm-01,VPM-01,Controls,1,1049,Vulnerability & Patch Management Program (VPMP),"Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls. 
+ +Methods To Comply With SCF Controls: +- Vulnerability & Patch Management Program (ComplianceForge)" +scf,scf:vpm-01.1,VPM-01.1,Controls,1,1050,Attack Surface Scope,Mechanisms exist to define and manage the scope for its attack surface management activities. +scf,scf:vpm-02,VPM-02,Controls,1,1051,Vulnerability Remediation Process ,"Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:vpm-03,VPM-03,Controls,1,1052,Vulnerability Ranking ,"Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information. + +Methods To Comply With SCF Controls: +- US-CERT " +scf,scf:vpm-04,VPM-04,Controls,1,1053,Continuous Vulnerability Remediation Activities,"Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks. + +Methods To Comply With SCF Controls: +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:vpm-04.1,VPM-04.1,Controls,1,1054,Stable Versions,Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems. +scf,scf:vpm-04.2,VPM-04.2,Controls,1,1055,Flaw Remediation with Personal Data (PD),"Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)." +scf,scf:vpm-05,VPM-05,Controls,1,1056,Software & Firmware Patching,"Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware. 
+ +Methods To Comply With SCF Controls: +- Patch management tools" +scf,scf:vpm-05.1,VPM-05.1,Controls,1,1057,Centralized Management of Flaw Remediation Processes,"Mechanisms exist to centrally-manage the flaw remediation process. + +Methods To Comply With SCF Controls: +- Patch management tools" +scf,scf:vpm-05.2,VPM-05.2,Controls,1,1058,Automated Remediation Status,"Automated mechanisms exist to determine the state of system components with regard to flaw remediation. + +Methods To Comply With SCF Controls: +- Vulnerability scanning tools +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:vpm-05.3,VPM-05.3,Controls,1,1059,Time To Remediate / Benchmarks For Corrective Action,"Mechanisms exist to track the effectiveness of remediation operations through metrics reporting. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:vpm-05.4,VPM-05.4,Controls,1,1060,Automated Software & Firmware Updates,Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates. +scf,scf:vpm-05.5,VPM-05.5,Controls,1,1061,Removal of Previous Versions,Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed. +scf,scf:vpm-06,VPM-06,Controls,1,1062,Vulnerability Scanning ,"Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications. 
+ +Methods To Comply With SCF Controls: +- External vulnerability scans (unauthenticated) +- Internal vulnerability scans (authenticated) +- Nessus (https://www.tenable.com/products/nessus/nessus-professional) +- Qualys (https://www.qualys.com/) +- Rapid7 (https://www.rapid7.com/) +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:vpm-06.1,VPM-06.1,Controls,1,1063,Update Tool Capability,Mechanisms exist to update vulnerability scanning tools. +scf,scf:vpm-06.2,VPM-06.2,Controls,1,1064,Breadth / Depth of Coverage ,"Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) +- NNT Change Tracker (https://www.newnettechnologies.com)" +scf,scf:vpm-06.3,VPM-06.3,Controls,1,1065,Privileged Access,"Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities. + +Methods To Comply With SCF Controls: +- Authenticated scans" +scf,scf:vpm-06.4,VPM-06.4,Controls,1,1066,Trend Analysis,"Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities. + +Methods To Comply With SCF Controls: +- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" +scf,scf:vpm-06.5,VPM-06.5,Controls,1,1067,Review Historical Audit Logs,Mechanisms exist to review historical audit logs to determine if identified vulnerabilities have been previously exploited. 
+scf,scf:vpm-06.6,VPM-06.6,Controls,1,1068,External Vulnerability Assessment Scans,"Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)." +scf,scf:vpm-06.7,VPM-06.7,Controls,1,1069,Internal Vulnerability Assessment Scans,"Mechanisms exist to perform quarterly internal vulnerability scans, that includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)." +scf,scf:vpm-06.8,VPM-06.8,Controls,1,1070,Acceptable Discoverable Information,Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediated non-compliant systems. +scf,scf:vpm-06.9,VPM-06.9,Controls,1,1071,Correlate Scanning Information,Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. +scf,scf:vpm-07,VPM-07,Controls,1,1072,Penetration Testing ,Mechanisms exist to conduct penetration testing on systems and web applications. +scf,scf:vpm-07.1,VPM-07.1,Controls,1,1073,Independent Penetration Agent or Team,Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing. +scf,scf:vpm-08,VPM-08,Controls,1,1074,Technical Surveillance Countermeasures Security ,"Mechanisms exist to utilize a technical surveillance countermeasures survey. + +Methods To Comply With SCF Controls: +- Facility sweeping for ""bugs"" or other unauthorized surveillance technologies." 
+scf,scf:vpm-09,VPM-09,Controls,1,1075,Reviewing Vulnerability Scanner Usage,"Mechanisms exist to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans. + +Methods To Comply With SCF Controls: +- Security Incident Event Manager (SIEM)" +scf,scf:vpm-10,VPM-10,Controls,1,1076,Red Team Exercises,"Mechanisms exist to utilize ""red team"" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement. + +Methods To Comply With SCF Controls: +- ""red team"" exercises" +scf,scf:web-01,WEB-01,Controls,1,1077,Web Security,"Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures." +scf,scf:web-01.1,WEB-01.1,Controls,1,1078,Unauthorized Code,Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser. +scf,scf:web-02,WEB-02,Controls,1,1079,Use of Demilitarized Zones (DMZ),"Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports." +scf,scf:web-03,WEB-03,Controls,1,1080,Web Application Firewall (WAF),"Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats. + +Methods To Comply With SCF Controls: +- Web Application Firewall (WAF)" +scf,scf:web-04,WEB-04,Controls,1,1081,Client-Facing Web Services,"Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service. 
+ +Methods To Comply With SCF Controls: +- OWASP" +scf,scf:web-05,WEB-05,Controls,1,1082,Cookie Management,"Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management." +scf,scf:web-06,WEB-06,Controls,1,1083,Strong Customer Authentication (SCA),Mechanisms exist to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity. +scf,scf:web-07,WEB-07,Controls,1,1084,Web Security Standard,Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process. +scf,scf:web-08,WEB-08,Controls,1,1085,Web Application Framework,"Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs." +scf,scf:web-09,WEB-09,Controls,1,1086,Validation & Sanitization,Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized. +scf,scf:web-10,WEB-10,Controls,1,1087,Secure Web Traffic,"Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS)." +scf,scf:web-11,WEB-11,Controls,1,1088,Output Encoding,Mechanisms exist to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks. +scf,scf:web-12,WEB-12,Controls,1,1089,Web Browser Security,"Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users." 
+scf,scf:web-13,WEB-13,Controls,1,1090,Website Change Detection,"Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data. " diff --git a/data/controls.json b/data/controls.json index 8ec9983..41be045 100644 --- a/data/controls.json +++ b/data/controls.json @@ -3195,7 +3195,7 @@ "id_raw": "AC-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Access Control Policy and Procedures", "description": null }, @@ -3205,7 +3205,7 @@ "id_raw": "AC-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Concurrent Session Control", "description": null }, @@ -3215,7 +3215,7 @@ "id_raw": "AC-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Session Lock", "description": null }, @@ -3225,7 +3225,7 @@ "id_raw": "AC-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Pattern-Hiding Displays", "description": "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image." }, @@ -3235,7 +3235,7 @@ "id_raw": "AC-11a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and" }, @@ -3245,7 +3245,7 @@ "id_raw": "AC-11b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Retains the session lock until the user reestablishes access using established identification and authentication procedures." }, @@ -3255,7 +3255,7 @@ "id_raw": "AC-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Session Termination", "description": null }, 
@@ -3265,7 +3265,7 @@ "id_raw": "AC-12 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "User-Initiated Logouts / Message Displays", "description": "The information system: Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions." }, @@ -3275,7 +3275,7 @@ "id_raw": "AC-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Supervision and Review - Access Control", "description": null }, @@ -3285,7 +3285,7 @@ "id_raw": "AC-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Permitted Actions Without Identification Or Authentication", "description": null }, @@ -3295,7 +3295,7 @@ "id_raw": "AC-14a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and" }, @@ -3305,7 +3305,7 @@ "id_raw": "AC-14b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication." }, @@ -3315,7 +3315,7 @@ "id_raw": "AC-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Automated Marking", "description": null }, @@ -3325,7 +3325,7 @@ "id_raw": "AC-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Security Attributes", "description": null }, 
@@ -3335,7 +3335,7 @@ "id_raw": "AC-16 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Dynamic Attribute Association", "description": "The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined." }, @@ -3345,7 +3345,7 @@ "id_raw": "AC-16 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Attribute Configuration By Authorized Individuals", "description": "The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects." }, @@ -3355,7 +3355,7 @@ "id_raw": "AC-16 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Attribute Value Changes By Authorized Individuals", "description": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes." }, @@ -3365,7 +3365,7 @@ "id_raw": "AC-16 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Maintenance Of Attribute Associations By Information System", "description": "The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]." }, @@ -3375,7 +3375,7 @@ "id_raw": "AC-16 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Association Of Attributes By Authorized Individuals", "description": "The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals)." }, 
@@ -3385,7 +3385,7 @@ "id_raw": "AC-16 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Attribute Displays For Output Devices", "description": "The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]." }, @@ -3395,7 +3395,7 @@ "id_raw": "AC-16 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Maintenance Of Attribute Association By Organization", "description": "The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]." }, @@ -3405,7 +3405,7 @@ "id_raw": "AC-16 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Consistent Attribute Interpretation", "description": "The organization provides a consistent interpretation of security attributes transmitted between distributed information system components." }, @@ -3415,7 +3415,7 @@ "id_raw": "AC-16 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Association Techniques / Technologies", "description": "The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information." }, 
@@ -3425,7 +3425,7 @@ "id_raw": "AC-16 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Attribute Reassignment", "description": "The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]." }, @@ -3435,7 +3435,7 @@ "id_raw": "AC-16a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;" }, @@ -3445,7 +3445,7 @@ "id_raw": "AC-16b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that the security attribute associations are made and retained with the information;" }, @@ -3455,7 +3455,7 @@ "id_raw": "AC-16c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and" }, @@ -3465,7 +3465,7 @@ "id_raw": "AC-16d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes." }, @@ -3475,7 +3475,7 @@ "id_raw": "AC-17", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 17, "title": "Remote Access", "description": null }, @@ -3485,7 +3485,7 @@ "id_raw": "AC-17 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Monitoring / Control", "description": "The information system monitors and controls remote access methods." }, 
@@ -3495,7 +3495,7 @@ "id_raw": "AC-17 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Protection Of Confidentiality / Integrity Using Encryption", "description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." }, @@ -3505,7 +3505,7 @@ "id_raw": "AC-17 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Managed Access Control Points", "description": "The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points." }, @@ -3515,7 +3515,7 @@ "id_raw": "AC-17 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Privileged Commands / Access", "description": "The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system." }, @@ -3525,7 +3525,7 @@ "id_raw": "AC-17 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Protection Of Information", "description": "The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure." }, @@ -3535,7 +3535,7 @@ "id_raw": "AC-17 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Disconnect / Disable Access", "description": "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]." }, 
@@ -3545,7 +3545,7 @@ "id_raw": "AC-17a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" }, @@ -3555,7 +3555,7 @@ "id_raw": "AC-17b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Authorizes remote access to the information system prior to allowing such connections." }, @@ -3565,7 +3565,7 @@ "id_raw": "AC-18", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 18, "title": "Wireless Access", "description": null }, @@ -3575,7 +3575,7 @@ "id_raw": "AC-18 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Authentication And Encryption", "description": "The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption." }, @@ -3585,7 +3585,7 @@ "id_raw": "AC-18 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Disable Wireless Networking", "description": "The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment." }, @@ -3595,7 +3595,7 @@ "id_raw": "AC-18 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Restrict Configurations By Users", "description": "The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities." }, 
@@ -3605,7 +3605,7 @@ "id_raw": "AC-18 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Antennas / Transmission Power Levels", "description": "The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries." }, @@ -3615,7 +3615,7 @@ "id_raw": "AC-18a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and" }, @@ -3625,7 +3625,7 @@ "id_raw": "AC-18b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Authorizes wireless access to the information system prior to allowing such connections." }, @@ -3635,7 +3635,7 @@ "id_raw": "AC-19", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 19, "title": "Access Control For Mobile Devices", "description": null }, 
@@ -3645,7 +3645,7 @@ "id_raw": "AC-19 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Restrictions For Classified Information", "description": "The organization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified information systems is prohibited; Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]." }, @@ -3655,7 +3655,7 @@ "id_raw": "AC-19 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Full Device / Container-Based Encryption", "description": "The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]." }, 
@@ -3665,7 +3665,7 @@ "id_raw": "AC-19a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and" }, @@ -3675,7 +3675,7 @@ "id_raw": "AC-19b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Authorizes the connection of mobile devices to organizational information systems." }, @@ -3685,7 +3685,7 @@ "id_raw": "AC-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and" }, @@ -3695,7 +3695,7 @@ "id_raw": "AC-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; and Access control procedures [Assignment: organization-defined frequency]." }, @@ -3705,7 +3705,7 @@ "id_raw": "AC-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Account Management", "description": null }, @@ -3715,7 +3715,7 @@ "id_raw": "AC-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated System Account Management", "description": "The organization employs automated mechanisms to support the management of information system accounts." }, 
@@ -3725,7 +3725,7 @@ "id_raw": "AC-2 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Shared / Group Account Credential Termination", "description": "The information system terminates shared/group account credentials when members leave the group." }, @@ -3735,7 +3735,7 @@ "id_raw": "AC-2 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Usage Conditions", "description": "The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]." }, @@ -3745,7 +3745,7 @@ "id_raw": "AC-2 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Account Monitoring / Atypical Usage", "description": "The organization: Monitors information system accounts for [Assignment: organization-defined atypical usage]; and Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]." }, @@ -3755,7 +3755,7 @@ "id_raw": "AC-2 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Disable Accounts For High-Risk Individuals", "description": "The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk." }, @@ -3765,7 +3765,7 @@ "id_raw": "AC-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Removal Of Temporary / Emergency Accounts", "description": "The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]." }, 
@@ -3775,7 +3775,7 @@ "id_raw": "AC-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Disable Inactive Accounts", "description": "The information system automatically disables inactive accounts after [Assignment: organization-defined time period]." }, @@ -3785,7 +3785,7 @@ "id_raw": "AC-2 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Automated Audit Actions", "description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]." }, @@ -3795,7 +3795,7 @@ "id_raw": "AC-2 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Inactivity Logout", "description": "The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]." }, @@ -3805,7 +3805,7 @@ "id_raw": "AC-2 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Dynamic Privilege Management", "description": "The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]." }, @@ -3815,7 +3815,7 @@ "id_raw": "AC-2 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Role-Based Schemes", "description": "The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate." }, 
@@ -3825,7 +3825,7 @@ "id_raw": "AC-2 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Dynamic Account Creation", "description": "The information system creates [Assignment: organization-defined information system accounts] dynamically." }, @@ -3835,7 +3835,7 @@ "id_raw": "AC-2 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Restrictions On Use Of Shared / Group Accounts", "description": "The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]." }, @@ -3845,7 +3845,7 @@ "id_raw": "AC-20", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 20, "title": "Use Of External Information Systems", "description": null }, @@ -3855,7 +3855,7 @@ "id_raw": "AC-20 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Limits On Authorized Use", "description": "The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or Retains approved information system connection or processing agreements with the organizational entity hosting the external information system." }, @@ -3865,7 +3865,7 @@ "id_raw": "AC-20 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Portable Storage Devices", "description": "The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems." }, 
@@ -3875,7 +3875,7 @@ "id_raw": "AC-20 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Non-Organizationally Owned Systems / Components / Devices", "description": "The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information." }, @@ -3885,7 +3885,7 @@ "id_raw": "AC-20 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Network Accessible Storage Devices", "description": "The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems." }, @@ -3895,7 +3895,7 @@ "id_raw": "AC-20a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and" }, @@ -3905,7 +3905,7 @@ "id_raw": "AC-20b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, or transmit organization-controlled information using external information systems." }, @@ -3915,7 +3915,7 @@ "id_raw": "AC-21", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 21, "title": "Information Sharing", "description": null }, 
@@ -3925,7 +3925,7 @@ "id_raw": "AC-21 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Decision Support", "description": "The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared." }, @@ -3935,7 +3935,7 @@ "id_raw": "AC-21 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Information Search And Retrieval", "description": "The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]." }, @@ -3945,7 +3945,7 @@ "id_raw": "AC-21a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and" }, @@ -3955,7 +3955,7 @@ "id_raw": "AC-21b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions." }, @@ -3965,7 +3965,7 @@ "id_raw": "AC-22", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 22, "title": "Publicly Accessible Content", "description": null }, @@ -3975,7 +3975,7 @@ "id_raw": "AC-22a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Designates individuals authorized to post information onto a publicly accessible information system;" }, 
@@ -3985,7 +3985,7 @@ "id_raw": "AC-22b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" }, @@ -3995,7 +3995,7 @@ "id_raw": "AC-22c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and" }, @@ -4005,7 +4005,7 @@ "id_raw": "AC-22d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered." }, @@ -4015,7 +4015,7 @@ "id_raw": "AC-23", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 23, "title": "Data Mining Protection", "description": null }, @@ -4025,7 +4025,7 @@ "id_raw": "AC-24", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 24, "title": "Access Control Decisions", "description": null }, @@ -4035,7 +4035,7 @@ "id_raw": "AC-24 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Transmit Access Authorization Information", "description": "The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions." }, 
@@ -4045,7 +4045,7 @@ "id_raw": "AC-24 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "No User Or Process Identity", "description": "The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user." }, @@ -4055,7 +4055,7 @@ "id_raw": "AC-25", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 25, "title": "Reference Monitor", "description": null }, @@ -4065,7 +4065,7 @@ "id_raw": "AC-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];" }, @@ -4075,7 +4075,7 @@ "id_raw": "AC-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Assigns account managers for information system accounts;" }, @@ -4085,7 +4085,7 @@ "id_raw": "AC-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Establishes conditions for group and role membership;" }, @@ -4095,7 +4095,7 @@ "id_raw": "AC-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;" }, @@ -4105,7 +4105,7 @@ "id_raw": "AC-2e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;" }, 
@@ -4115,7 +4115,7 @@ "id_raw": "AC-2f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];" }, @@ -4125,7 +4125,7 @@ "id_raw": "AC-2g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization: Monitors the use of information system accounts;" }, @@ -4135,7 +4135,7 @@ "id_raw": "AC-2h.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 8, "title": null, "description": "The organization: Notifies account managers: When accounts are no longer required; When users are terminated or transferred; and When individual information system usage or need-to-know changes;" }, @@ -4145,7 +4145,7 @@ "id_raw": "AC-2i.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 9, "title": null, "description": "The organization: Authorizes access to the information system based on: A valid access authorization; Intended system usage; and Other attributes as required by the organization or associated missions/business functions;" }, @@ -4155,7 +4155,7 @@ "id_raw": "AC-2j.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 10, "title": null, "description": "The organization: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and" }, @@ -4165,7 +4165,7 @@ "id_raw": "AC-2k.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 11, "title": null, "description": "The organization: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group." }, @@ -4175,7 +4175,7 @@ "id_raw": "AC-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Access Enforcement", "description": null }, 
@@ -4185,7 +4185,7 @@ "id_raw": "AC-3 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Audited Override Of Access Control Mechanisms", "description": "The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]." }, @@ -4195,7 +4195,7 @@ "id_raw": "AC-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Dual Authorization", "description": "The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." }, @@ -4205,7 +4205,7 @@ "id_raw": "AC-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Mandatory Access Control", "description": "The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes on subjects, objects, the information system, or information system components; Choosing the security attributes and attribute values to be associated with newly created or modified objects; or Changing the rules governing access control; and Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints." }, 
@@ -4215,7 +4215,7 @@ "id_raw": "AC-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Discretionary Access Control", "description": "The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the information system, or the information system's components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control." }, @@ -4225,7 +4225,7 @@ "id_raw": "AC-3 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Security-Relevant Information", "description": "The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states." }, @@ -4235,7 +4235,7 @@ "id_raw": "AC-3 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Role-Based Access Control", "description": "The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]." }, @@ -4245,7 +4245,7 @@ "id_raw": "AC-3 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Revocation Of Access Authorizations", "description": "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]." }, 
@@ -4255,7 +4255,7 @@ "id_raw": "AC-3 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Controlled Release", "description": "The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release." }, @@ -4265,7 +4265,7 @@ "id_raw": "AC-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Information Flow Enforcement", "description": null }, @@ -4275,7 +4275,7 @@ "id_raw": "AC-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Object Security Attributes", "description": "The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions." }, @@ -4285,7 +4285,7 @@ "id_raw": "AC-4 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Enable / Disable Security Policy Filters", "description": "The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]." }, @@ -4295,7 +4295,7 @@ "id_raw": "AC-4 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Configuration Of Security Policy Filters", "description": "The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies." }, 
@@ -4305,7 +4305,7 @@ "id_raw": "AC-4 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Data Type Identifiers", "description": "The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions." }, @@ -4315,7 +4315,7 @@ "id_raw": "AC-4 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Decomposition Into Policy-Relevant Subcomponents", "description": "The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms." }, @@ -4325,7 +4325,7 @@ "id_raw": "AC-4 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Security Policy Filter Constraints", "description": "The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content." }, @@ -4335,7 +4335,7 @@ "id_raw": "AC-4 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Detection Of Unsanctioned Information", "description": "The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]." }, 
@@ -4345,7 +4345,7 @@ "id_raw": "AC-4 (17)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 17, "title": "Domain Authentication", "description": "The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer." }, @@ -4355,7 +4355,7 @@ "id_raw": "AC-4 (18)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 18, "title": "Security Attribute Binding", "description": "The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement." }, @@ -4365,7 +4365,7 @@ "id_raw": "AC-4 (19)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 19, "title": "Validation Of Metadata", "description": "The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads." }, @@ -4375,7 +4375,7 @@ "id_raw": "AC-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Processing Domains", "description": "The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions." }, @@ -4385,7 +4385,7 @@ "id_raw": "AC-4 (20)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 20, "title": "Approved Solutions", "description": "The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains." }, 
@@ -4395,7 +4395,7 @@ "id_raw": "AC-4 (21)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 21, "title": "Physical / Logical Separation Of Information Flows", "description": "The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." }, @@ -4405,7 +4405,7 @@ "id_raw": "AC-4 (22)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 22, "title": "Access Only", "description": "The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains." }, @@ -4415,7 +4415,7 @@ "id_raw": "AC-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Dynamic Information Flow Control", "description": "The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]." }, @@ -4425,7 +4425,7 @@ "id_raw": "AC-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Content Check Encrypted Information", "description": "The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]." }, @@ -4435,7 +4435,7 @@ "id_raw": "AC-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Embedded Data Types", "description": "The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types." }, 
@@ -4445,7 +4445,7 @@ "id_raw": "AC-4 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Metadata", "description": "The information system enforces information flow control based on [Assignment: organization-defined metadata]." }, @@ -4455,7 +4455,7 @@ "id_raw": "AC-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "One-Way Flow Mechanisms", "description": "The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms." }, @@ -4465,7 +4465,7 @@ "id_raw": "AC-4 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Security Policy Filters", "description": "The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]." }, @@ -4475,7 +4475,7 @@ "id_raw": "AC-4 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Human Reviews", "description": "The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]." }, @@ -4485,7 +4485,7 @@ "id_raw": "AC-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Separation Of Duties", "description": null }, @@ -4495,7 +4495,7 @@ "id_raw": "AC-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Separates [Assignment: organization-defined duties of individuals];" }, @@ -4505,7 +4505,7 @@ "id_raw": "AC-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents separation of duties of individuals; and" }, 
@@ -4515,7 +4515,7 @@ "id_raw": "AC-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Defines information system access authorizations to support separation of duties." }, @@ -4525,7 +4525,7 @@ "id_raw": "AC-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Least Privilege", "description": null }, @@ -4535,7 +4535,7 @@ "id_raw": "AC-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Authorize Access To Security Functions", "description": "The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]." }, @@ -4545,7 +4545,7 @@ "id_raw": "AC-6 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Prohibit Non-Privileged Users From Executing Privileged Functions", "description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." }, @@ -4555,7 +4555,7 @@ "id_raw": "AC-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Non-Privileged Access For Nonsecurity Functions", "description": "The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions." }, 
@@ -4565,7 +4565,7 @@ "id_raw": "AC-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Network Access To Privileged Commands", "description": "The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system." }, @@ -4575,7 +4575,7 @@ "id_raw": "AC-6 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Separate Processing Domains", "description": "The information system provides separate processing domains to enable finer-grained allocation of user privileges." }, @@ -4585,7 +4585,7 @@ "id_raw": "AC-6 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Privileged Accounts", "description": "The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]." }, @@ -4595,7 +4595,7 @@ "id_raw": "AC-6 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Privileged Access By Non-Organizational Users", "description": "The organization prohibits privileged access to the information system by non-organizational users." }, @@ -4605,7 +4605,7 @@ "id_raw": "AC-6 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Review Of User Privileges", "description": "The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs." }, 
@@ -4615,7 +4615,7 @@ "id_raw": "AC-6 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Privilege Levels For Code Execution", "description": "The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software." }, @@ -4625,7 +4625,7 @@ "id_raw": "AC-6 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Auditing Use Of Privileged Functions", "description": "The information system audits the execution of privileged functions." }, @@ -4635,7 +4635,7 @@ "id_raw": "AC-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Unsuccessful Logon Attempts", "description": null }, @@ -4645,7 +4645,7 @@ "id_raw": "AC-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Purge / Wipe Mobile Device", "description": "The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts." }, @@ -4655,7 +4655,7 @@ "id_raw": "AC-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and" }, 
@@ -4665,7 +4665,7 @@ "id_raw": "AC-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded." }, @@ -4675,7 +4675,7 @@ "id_raw": "AC-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "System Use Notification", "description": null }, @@ -4685,7 +4685,7 @@ "id_raw": "AC-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording;" }, @@ -4695,7 +4695,7 @@ "id_raw": "AC-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and" }, 
@@ -4705,7 +4705,7 @@ "id_raw": "AC-8c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system." }, @@ -4715,7 +4715,7 @@ "id_raw": "AC-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Previous Logon (Access) Notification", "description": null }, @@ -4725,7 +4725,7 @@ "id_raw": "AC-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Unsuccessful Logons", "description": "The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access." }, @@ -4735,7 +4735,7 @@ "id_raw": "AC-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Successful / Unsuccessful Logons", "description": "The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]." }, @@ -4745,7 +4745,7 @@ "id_raw": "AC-9 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Notification Of Account Changes", "description": "The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]." }, 
@@ -4755,7 +4755,7 @@ "id_raw": "AC-9 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Additional Logon Information", "description": "The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]." }, @@ -4775,7 +4775,7 @@ "id_raw": "AT-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Security Awareness and Training Policy and Procedures", "description": null }, @@ -4785,7 +4785,7 @@ "id_raw": "AT-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and" }, @@ -4795,7 +4795,7 @@ "id_raw": "AT-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Security awareness and training policy [Assignment: organization-defined frequency]; and Security awareness and training procedures [Assignment: organization-defined frequency]." }, @@ -4805,7 +4805,7 @@ "id_raw": "AT-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Security Awareness Training", "description": null }, @@ -4815,7 +4815,7 @@ "id_raw": "AT-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Practical Exercises", "description": "The organization includes practical exercises in security awareness training that simulate actual cyber attacks." }, 
@@ -4825,7 +4825,7 @@ "id_raw": "AT-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Insider Threat", "description": "The organization includes security awareness training on recognizing and reporting potential indicators of insider threat." }, @@ -4835,7 +4835,7 @@ "id_raw": "AT-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;" }, @@ -4845,7 +4845,7 @@ "id_raw": "AT-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and" }, @@ -4855,7 +4855,7 @@ "id_raw": "AT-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter." }, @@ -4865,7 +4865,7 @@ "id_raw": "AT-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Role-Based Security Training", "description": null }, @@ -4875,7 +4875,7 @@ "id_raw": "AT-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Environmental Controls", "description": "The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls." }, 
@@ -4885,7 +4885,7 @@ "id_raw": "AT-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Physical Security Controls", "description": "The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls." }, @@ -4895,7 +4895,7 @@ "id_raw": "AT-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Practical Exercises", "description": "The organization includes practical exercises in security training that reinforce training objectives." }, @@ -4905,7 +4905,7 @@ "id_raw": "AT-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Suspicious Communications And Anomalous System Behavior", "description": "The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems." }, @@ -4915,7 +4915,7 @@ "id_raw": "AT-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties;" }, @@ -4925,7 +4925,7 @@ "id_raw": "AT-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and" }, 
@@ -4935,7 +4935,7 @@ "id_raw": "AT-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter." }, @@ -4945,7 +4945,7 @@ "id_raw": "AT-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Security Training Records", "description": null }, @@ -4955,7 +4955,7 @@ "id_raw": "AT-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and" }, @@ -4965,7 +4965,7 @@ "id_raw": "AT-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Retains individual training records for [Assignment: organization-defined time period]." }, @@ -4975,7 +4975,7 @@ "id_raw": "AT-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Contacts With Security Groups and Associations", "description": null }, @@ -4995,7 +4995,7 @@ "id_raw": "AU-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Audit and Accountability Policy and Procedures", "description": null }, @@ -5005,7 +5005,7 @@ "id_raw": "AU-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Non-Repudiation", "description": null }, 
@@ -5015,7 +5015,7 @@ "id_raw": "AU-10 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Association Of Identities", "description": "The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information." }, @@ -5025,7 +5025,7 @@ "id_raw": "AU-10 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Validate Binding Of Information Producer Identity", "description": "The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error." }, @@ -5035,7 +5035,7 @@ "id_raw": "AU-10 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Chain Of Custody", "description": "The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released." }, @@ -5045,7 +5045,7 @@ "id_raw": "AU-10 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Validate Binding Of Information Reviewer Identity", "description": "The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error." }, @@ -5055,7 +5055,7 @@ "id_raw": "AU-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Audit Record Retention", "description": null }, 
@@ -5065,7 +5065,7 @@ "id_raw": "AU-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Long-Term Retrieval Capability", "description": "The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved." }, @@ -5075,7 +5075,7 @@ "id_raw": "AU-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Audit Generation", "description": null }, @@ -5085,7 +5085,7 @@ "id_raw": "AU-12 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "System-Wide / Time-Correlated Audit Trail", "description": "The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]." }, @@ -5095,7 +5095,7 @@ "id_raw": "AU-12 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Standardized Formats", "description": "The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format." }, @@ -5105,7 +5105,7 @@ "id_raw": "AU-12 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Changes By Authorized Individuals", "description": "The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]." }, 
@@ -5115,7 +5115,7 @@ "id_raw": "AU-12a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];" }, @@ -5125,7 +5125,7 @@ "id_raw": "AU-12b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and" }, @@ -5135,7 +5135,7 @@ "id_raw": "AU-12c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3." }, @@ -5145,7 +5145,7 @@ "id_raw": "AU-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Monitoring For Information Disclosure", "description": null }, @@ -5155,7 +5155,7 @@ "id_raw": "AU-13 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Use Of Automated Tools", "description": "The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner." }, @@ -5165,7 +5165,7 @@ "id_raw": "AU-13 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Review Of Monitored Sites", "description": "The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]." }, @@ -5175,7 +5175,7 @@ "id_raw": "AU-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Session Audit", "description": null }, 
@@ -5185,7 +5185,7 @@ "id_raw": "AU-14 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "System Start-Up", "description": "The information system initiates session audits at system start-up." }, @@ -5195,7 +5195,7 @@ "id_raw": "AU-14 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Capture/Record And Log Content", "description": "The information system provides the capability for authorized users to capture/record and log content related to a user session." }, @@ -5205,7 +5205,7 @@ "id_raw": "AU-14 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Remote Viewing / Listening", "description": "The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time." }, @@ -5215,7 +5215,7 @@ "id_raw": "AU-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Alternate Audit Capability", "description": null }, @@ -5225,7 +5225,7 @@ "id_raw": "AU-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Cross-Organizational Auditing", "description": null }, @@ -5235,7 +5235,7 @@ "id_raw": "AU-16 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Identity Preservation", "description": "The organization requires that the identity of individuals be preserved in cross-organizational audit trails." }, @@ -5245,7 +5245,7 @@ "id_raw": "AU-16 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Sharing Of Audit Information", "description": "The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]." }, 
@@ -5255,7 +5255,7 @@ "id_raw": "AU-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and" }, @@ -5265,7 +5265,7 @@ "id_raw": "AU-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and Audit and accountability procedures [Assignment: organization-defined frequency]." }, @@ -5275,7 +5275,7 @@ "id_raw": "AU-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Audit Events", "description": null }, @@ -5285,7 +5285,7 @@ "id_raw": "AU-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Reviews And Updates", "description": "The organization reviews and updates the audited events [Assignment: organization-defined frequency]." }, @@ -5295,7 +5295,7 @@ "id_raw": "AU-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];" }, @@ -5305,7 +5305,7 @@ "id_raw": "AU-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;" }, 
@@ -5315,7 +5315,7 @@ "id_raw": "AU-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and" }, @@ -5325,7 +5325,7 @@ "id_raw": "AU-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]." }, @@ -5335,7 +5335,7 @@ "id_raw": "AU-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Content Of Audit Records", "description": null }, @@ -5345,7 +5345,7 @@ "id_raw": "AU-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Additional Audit Information", "description": "The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]." }, @@ -5355,7 +5355,7 @@ "id_raw": "AU-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Centralized Management Of Planned Audit Record Content", "description": "The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]." }, @@ -5365,7 +5365,7 @@ "id_raw": "AU-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Audit Storage Capacity", "description": null }, 
@@ -5375,7 +5375,7 @@ "id_raw": "AU-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Transfer To Alternate Storage", "description": "The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited." }, @@ -5385,7 +5385,7 @@ "id_raw": "AU-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Response To Audit Processing Failures", "description": null }, @@ -5395,7 +5395,7 @@ "id_raw": "AU-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Audit Storage Capacity", "description": "The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity." }, @@ -5405,7 +5405,7 @@ "id_raw": "AU-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Real-Time Alerts", "description": "The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]." }, @@ -5415,7 +5415,7 @@ "id_raw": "AU-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Configurable Traffic Volume Thresholds", "description": "The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds." }, 
@@ -5425,7 +5425,7 @@ "id_raw": "AU-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Shutdown On Failure", "description": "The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists." }, @@ -5435,7 +5435,7 @@ "id_raw": "AU-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and" }, @@ -5445,7 +5445,7 @@ "id_raw": "AU-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]." }, @@ -5455,7 +5455,7 @@ "id_raw": "AU-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Audit Review, Analysis, and Reporting", "description": null }, @@ -5465,7 +5465,7 @@ "id_raw": "AU-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Process Integration", "description": "The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities." }, 
@@ -5475,7 +5475,7 @@ "id_raw": "AU-6 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Audit Level Adjustment", "description": "The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." }, @@ -5485,7 +5485,7 @@ "id_raw": "AU-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Correlate Audit Repositories", "description": "The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness." }, @@ -5495,7 +5495,7 @@ "id_raw": "AU-6 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Central Review And Analysis", "description": "The information system provides the capability to centrally review and analyze audit records from multiple components within the system." }, @@ -5505,7 +5505,7 @@ "id_raw": "AU-6 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Integration / Scanning And Monitoring Capabilities", "description": "The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity." }, @@ -5515,7 +5515,7 @@ "id_raw": "AU-6 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Correlation With Physical Monitoring", "description": "The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." }, 
@@ -5525,7 +5525,7 @@ "id_raw": "AU-6 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Permitted Actions", "description": "The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information." }, @@ -5535,7 +5535,7 @@ "id_raw": "AU-6 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Full Text Analysis Of Privileged Commands", "description": "The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis." }, @@ -5545,7 +5545,7 @@ "id_raw": "AU-6 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Correlation With Information From Nontechnical Sources", "description": "The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness." }, @@ -5555,7 +5555,7 @@ "id_raw": "AU-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and" }, @@ -5565,7 +5565,7 @@ "id_raw": "AU-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reports findings to [Assignment: organization-defined personnel or roles]." }, @@ -5575,7 +5575,7 @@ "id_raw": "AU-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Audit Reduction and Report Generation", "description": null }, 
@@ -5585,7 +5585,7 @@ "id_raw": "AU-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automatic Processing", "description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]." }, @@ -5595,7 +5595,7 @@ "id_raw": "AU-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automatic Sort And Search", "description": "The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]." }, @@ -5605,7 +5605,7 @@ "id_raw": "AU-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and" }, @@ -5615,7 +5615,7 @@ "id_raw": "AU-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records." }, @@ -5625,7 +5625,7 @@ "id_raw": "AU-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Time Stamps", "description": null }, 
@@ -5635,7 +5635,7 @@ "id_raw": "AU-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Synchronization With Authoritative Time Source", "description": "The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]." }, @@ -5645,7 +5645,7 @@ "id_raw": "AU-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Secondary Authoritative Time Source", "description": "The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source." }, @@ -5655,7 +5655,7 @@ "id_raw": "AU-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Uses internal system clocks to generate time stamps for audit records; and" }, @@ -5665,7 +5665,7 @@ "id_raw": "AU-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]." }, @@ -5675,7 +5675,7 @@ "id_raw": "AU-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Protection Of Audit Information", "description": null }, @@ -5685,7 +5685,7 @@ "id_raw": "AU-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Hardware Write-Once Media", "description": "The information system writes audit trails to hardware-enforced, write-once media." }, 
@@ -5695,7 +5695,7 @@ "id_raw": "AU-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Audit Backup On Separate Physical Systems / Components", "description": "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited." }, @@ -5705,7 +5705,7 @@ "id_raw": "AU-9 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Cryptographic Protection", "description": "The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools." }, @@ -5715,7 +5715,7 @@ "id_raw": "AU-9 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Access By Subset Of Privileged Users", "description": "The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]." }, @@ -5725,7 +5725,7 @@ "id_raw": "AU-9 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Dual Authorization", "description": "The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]." }, @@ -5735,7 +5735,7 @@ "id_raw": "AU-9 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Read Only Access", "description": "The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]." }, @@ -5755,7 +5755,7 @@ "id_raw": "CA-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Security Assessment and Authorization Policy and Procedures", "description": null }, 
@@ -5765,7 +5765,7 @@ "id_raw": "CA-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and" }, @@ -5775,7 +5775,7 @@ "id_raw": "CA-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and Security assessment and authorization procedures [Assignment: organization-defined frequency]." }, @@ -5785,7 +5785,7 @@ "id_raw": "CA-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Security Assessments", "description": null }, @@ -5795,7 +5795,7 @@ "id_raw": "CA-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Independent Assessors", "description": "The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments." }, 
@@ -5805,7 +5805,7 @@ "id_raw": "CA-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Specialized Assessments", "description": "The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]." }, @@ -5815,7 +5815,7 @@ "id_raw": "CA-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "External Organizations", "description": "The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]." }, @@ -5825,7 +5825,7 @@ "id_raw": "CA-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;" }, @@ -5835,7 +5835,7 @@ "id_raw": "CA-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;" }, 
@@ -5845,7 +5845,7 @@ "id_raw": "CA-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Produces a security assessment report that documents the results of the assessment; and" }, @@ -5855,7 +5855,7 @@ "id_raw": "CA-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]." }, @@ -5865,7 +5865,7 @@ "id_raw": "CA-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "System Interconnections", "description": null }, @@ -5875,7 +5875,7 @@ "id_raw": "CA-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Unclassified National Security System Connections", "description": "The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." }, @@ -5885,7 +5885,7 @@ "id_raw": "CA-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Classified National Security System Connections", "description": "The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." }, @@ -5895,7 +5895,7 @@ "id_raw": "CA-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Unclassified Non-National Security System Connections", "description": "The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]." }, 
@@ -5905,7 +5905,7 @@ "id_raw": "CA-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Connections To Public Networks", "description": "The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network." }, @@ -5915,7 +5915,7 @@ "id_raw": "CA-3 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Restrictions On External System Connections", "description": "The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems." }, @@ -5925,7 +5925,7 @@ "id_raw": "CA-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;" }, @@ -5935,7 +5935,7 @@ "id_raw": "CA-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and" }, @@ -5945,7 +5945,7 @@ "id_raw": "CA-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]." }, @@ -5955,7 +5955,7 @@ "id_raw": "CA-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Security Certification", "description": null }, @@ -5965,7 +5965,7 @@ "id_raw": "CA-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Plan Of Action and Milestones", "description": null }, 
@@ -5975,7 +5975,7 @@ "id_raw": "CA-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automation Support For Accuracy / Currency", "description": "The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available." }, @@ -5985,7 +5985,7 @@ "id_raw": "CA-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and" }, @@ -5995,7 +5995,7 @@ "id_raw": "CA-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities." }, @@ -6005,7 +6005,7 @@ "id_raw": "CA-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Security Authorization", "description": null }, @@ -6015,7 +6015,7 @@ "id_raw": "CA-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Assigns a senior-level executive or manager as the authorizing official for the information system;" }, @@ -6025,7 +6025,7 @@ "id_raw": "CA-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and" }, 
@@ -6035,7 +6035,7 @@ "id_raw": "CA-6c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Updates the security authorization [Assignment: organization-defined frequency]." }, @@ -6045,7 +6045,7 @@ "id_raw": "CA-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Continuous Monitoring", "description": null }, @@ -6055,7 +6055,7 @@ "id_raw": "CA-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Independent Assessment", "description": "The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis." }, @@ -6065,7 +6065,7 @@ "id_raw": "CA-7 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Trend Analyses", "description": "The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data." }, @@ -6075,7 +6075,7 @@ "id_raw": "CA-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;" }, @@ -6085,7 +6085,7 @@ "id_raw": "CA-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;" }, 
@@ -6095,7 +6095,7 @@ "id_raw": "CA-7c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;" }, @@ -6105,7 +6105,7 @@ "id_raw": "CA-7d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;" }, @@ -6115,7 +6115,7 @@ "id_raw": "CA-7e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring;" }, @@ -6125,7 +6125,7 @@ "id_raw": "CA-7f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and" }, @@ -6135,7 +6135,7 @@ "id_raw": "CA-7g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]." }, 
@@ -6145,7 +6145,7 @@ "id_raw": "CA-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Penetration Testing", "description": null }, @@ -6155,7 +6155,7 @@ "id_raw": "CA-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Independent Penetration Agent Or Team", "description": "The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components." }, @@ -6165,7 +6165,7 @@ "id_raw": "CA-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Red Team Exercises", "description": "The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]." }, @@ -6175,7 +6175,7 @@ "id_raw": "CA-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Internal System Connections", "description": null }, @@ -6185,7 +6185,7 @@ "id_raw": "CA-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Security Compliance Checks", "description": "The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection." }, @@ -6195,7 +6195,7 @@ "id_raw": "CA-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and" }, @@ -6205,7 +6205,7 @@ "id_raw": "CA-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated." }, 
@@ -6225,7 +6225,7 @@ "id_raw": "CM-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Configuration Management Policy and Procedures", "description": null }, @@ -6235,7 +6235,7 @@ "id_raw": "CM-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Software Usage Restrictions", "description": null }, @@ -6245,7 +6245,7 @@ "id_raw": "CM-10 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Open Source Software", "description": "The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]." }, @@ -6255,7 +6255,7 @@ "id_raw": "CM-10a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;" }, @@ -6265,7 +6265,7 @@ "id_raw": "CM-10b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" }, @@ -6275,7 +6275,7 @@ "id_raw": "CM-10c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." }, @@ -6285,7 +6285,7 @@ "id_raw": "CM-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "User-Installed Software", "description": null }, 
@@ -6295,7 +6295,7 @@ "id_raw": "CM-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Alerts For Unauthorized Installations", "description": "The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected." }, @@ -6305,7 +6305,7 @@ "id_raw": "CM-11 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Prohibit Installation Without Privileged Status", "description": "The information system prohibits user installation of software without explicit privileged status." }, @@ -6315,7 +6315,7 @@ "id_raw": "CM-11a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;" }, @@ -6325,7 +6325,7 @@ "id_raw": "CM-11b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and" }, @@ -6335,7 +6335,7 @@ "id_raw": "CM-11c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Monitors policy compliance at [Assignment: organization-defined frequency]." }, @@ -6345,7 +6345,7 @@ "id_raw": "CM-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and" }, 
@@ -6355,7 +6355,7 @@ "id_raw": "CM-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and Configuration management procedures [Assignment: organization-defined frequency]." }, @@ -6365,7 +6365,7 @@ "id_raw": "CM-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Baseline Configuration", "description": null }, @@ -6375,7 +6375,7 @@ "id_raw": "CM-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Reviews And Updates", "description": "The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; When required due to [Assignment organization-defined circumstances]; and As an integral part of information system component installations and upgrades." }, @@ -6385,7 +6385,7 @@ "id_raw": "CM-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automation Support For Accuracy / Currency", "description": "The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system." }, @@ -6395,7 +6395,7 @@ "id_raw": "CM-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Retention Of Previous Configurations", "description": "The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback." }, 
@@ -6405,7 +6405,7 @@ "id_raw": "CM-2 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Development And Test Environments", "description": "The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration." }, @@ -6415,7 +6415,7 @@ "id_raw": "CM-2 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Configure Systems, Components, Or Devices For High-Risk Areas", "description": "The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return." }, @@ -6425,7 +6425,7 @@ "id_raw": "CM-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Configuration Change Control", "description": null }, @@ -6435,7 +6435,7 @@ "id_raw": "CM-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Document / Notification / Prohibition Of Changes", "description": "The organization employs automated mechanisms to: Document proposed changes to the information system; Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval; Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; Prohibit changes to the information system until designated approvals are received; Document all changes to the information system; and Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed." }, 
@@ -6445,7 +6445,7 @@ "id_raw": "CM-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Test / Validate / Document Changes", "description": "The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system." }, @@ -6455,7 +6455,7 @@ "id_raw": "CM-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automated Change Implementation", "description": "The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base." }, @@ -6465,7 +6465,7 @@ "id_raw": "CM-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Security Representative", "description": "The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]." }, @@ -6475,7 +6475,7 @@ "id_raw": "CM-3 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Automated Security Response", "description": "The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner." }, @@ -6485,7 +6485,7 @@ "id_raw": "CM-3 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Cryptography Management", "description": "The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management." }, @@ -6495,7 +6495,7 @@ "id_raw": "CM-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Determines the types of changes to the information system that are configuration-controlled;" }, 
@@ -6505,7 +6505,7 @@ "id_raw": "CM-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;" }, @@ -6515,7 +6515,7 @@ "id_raw": "CM-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Documents configuration change decisions associated with the information system;" }, @@ -6525,7 +6525,7 @@ "id_raw": "CM-3d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Implements approved configuration-controlled changes to the information system;" }, @@ -6535,7 +6535,7 @@ "id_raw": "CM-3e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];" }, @@ -6545,7 +6545,7 @@ "id_raw": "CM-3f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and" }, @@ -6555,7 +6555,7 @@ "id_raw": "CM-3g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]." }, 
@@ -6565,7 +6565,7 @@ "id_raw": "CM-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Security Impact Analysis", "description": null }, @@ -6575,7 +6575,7 @@ "id_raw": "CM-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Separate Test Environments", "description": "The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice." }, @@ -6585,7 +6585,7 @@ "id_raw": "CM-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Verification Of Security Functions", "description": "The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system." }, @@ -6595,7 +6595,7 @@ "id_raw": "CM-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Access Restrictions For Change", "description": null }, @@ -6605,7 +6605,7 @@ "id_raw": "CM-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Access Enforcement / Auditing", "description": "The information system enforces access restrictions and supports auditing of the enforcement actions." }, @@ -6615,7 +6615,7 @@ "id_raw": "CM-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Review System Changes", "description": "The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred." }, 
@@ -6625,7 +6625,7 @@ "id_raw": "CM-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Signed Components", "description": "The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization." }, @@ -6635,7 +6635,7 @@ "id_raw": "CM-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Dual Authorization", "description": "The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]." }, @@ -6645,7 +6645,7 @@ "id_raw": "CM-5 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Limit Production / Operational Privileges", "description": "The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency]." }, @@ -6655,7 +6655,7 @@ "id_raw": "CM-5 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Limit Library Privileges", "description": "The organization limits privileges to change software resident within software libraries." }, @@ -6665,7 +6665,7 @@ "id_raw": "CM-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Configuration Settings", "description": null }, @@ -6675,7 +6675,7 @@ "id_raw": "CM-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Central Management / Application / Verification", "description": "The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]." }, 
@@ -6685,7 +6685,7 @@ "id_raw": "CM-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Respond To Unauthorized Changes", "description": "The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]." }, @@ -6695,7 +6695,7 @@ "id_raw": "CM-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;" }, @@ -6705,7 +6705,7 @@ "id_raw": "CM-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Implements the configuration settings;" }, @@ -6715,7 +6715,7 @@ "id_raw": "CM-6c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and" }, @@ -6725,7 +6725,7 @@ "id_raw": "CM-6d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures." }, @@ -6735,7 +6735,7 @@ "id_raw": "CM-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Least Functionality", "description": null }, 
@@ -6745,7 +6745,7 @@ "id_raw": "CM-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Periodic Review", "description": "The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]." }, @@ -6755,7 +6755,7 @@ "id_raw": "CM-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Prevent Program Execution", "description": "The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]." }, @@ -6765,7 +6765,7 @@ "id_raw": "CM-7 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Registration Compliance", "description": "The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]." }, @@ -6775,7 +6775,7 @@ "id_raw": "CM-7 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Unauthorized Software / Blacklisting", "description": "The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]." }, 
@@ -6785,7 +6785,7 @@ "id_raw": "CM-7 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Authorized Software / Whitelisting", "description": "The organization: Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]." }, @@ -6795,7 +6795,7 @@ "id_raw": "CM-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Configures the information system to provide only essential capabilities; and" }, @@ -6805,7 +6805,7 @@ "id_raw": "CM-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]." }, @@ -6815,7 +6815,7 @@ "id_raw": "CM-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Information System Component Inventory", "description": null }, @@ -6825,7 +6825,7 @@ "id_raw": "CM-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Updates During Installations / Removals", "description": "The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates." }, @@ -6835,7 +6835,7 @@ "id_raw": "CM-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Maintenance", "description": "The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components." }, 
@@ -6845,7 +6845,7 @@ "id_raw": "CM-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automated Unauthorized Component Detection", "description": "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]." }, @@ -6855,7 +6855,7 @@ "id_raw": "CM-8 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Accountability Information", "description": "The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components." }, @@ -6865,7 +6865,7 @@ "id_raw": "CM-8 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "No Duplicate Accounting Of Components", "description": "The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories." }, @@ -6875,7 +6875,7 @@ "id_raw": "CM-8 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Assessed Configurations / Approved Deviations", "description": "The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory." }, 
@@ -6885,7 +6885,7 @@ "id_raw": "CM-8 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Centralized Repository", "description": "The organization provides a centralized repository for the inventory of information system components." }, @@ -6895,7 +6895,7 @@ "id_raw": "CM-8 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Automated Location Tracking", "description": "The organization employs automated mechanisms to support tracking of information system components by geographic location." }, @@ -6905,7 +6905,7 @@ "id_raw": "CM-8 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Assignment Of Components To Systems", "description": "The organization: Assigns [Assignment: organization-defined acquired information system components] to an information system; and Receives an acknowledgement from the information system owner of this assignment." }, @@ -6915,7 +6915,7 @@ "id_raw": "CM-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and" }, @@ -6925,7 +6925,7 @@ "id_raw": "CM-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency]." }, @@ -6935,7 +6935,7 @@ "id_raw": "CM-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Configuration Management Plan", "description": null }, 
@@ -6945,7 +6945,7 @@ "id_raw": "CM-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Assignment Of Responsibility", "description": "The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development." }, @@ -6955,7 +6955,7 @@ "id_raw": "CM-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;" }, @@ -6965,7 +6965,7 @@ "id_raw": "CM-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" }, @@ -6975,7 +6975,7 @@ "id_raw": "CM-9c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and" }, @@ -6985,7 +6985,7 @@ "id_raw": "CM-9d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification." }, 
@@ -7005,7 +7005,7 @@ "id_raw": "CP-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Contingency Planning Policy and Procedures", "description": null }, @@ -7015,7 +7015,7 @@ "id_raw": "CP-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Information System Recovery and Reconstitution", "description": null }, @@ -7025,7 +7025,7 @@ "id_raw": "CP-10 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Transaction Recovery", "description": "The information system implements transaction recovery for systems that are transaction-based." }, @@ -7035,7 +7035,7 @@ "id_raw": "CP-10 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Restore Within Time Period", "description": "The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components." }, @@ -7045,7 +7045,7 @@ "id_raw": "CP-10 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Component Protection", "description": "The organization protects backup and restoration hardware, firmware, and software." }, @@ -7055,7 +7055,7 @@ "id_raw": "CP-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Alternate Communications Protocols", "description": null }, @@ -7065,7 +7065,7 @@ "id_raw": "CP-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Safe Mode", "description": null }, @@ -7075,7 +7075,7 @@ "id_raw": "CP-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Alternative Security Mechanisms", "description": null }, 
@@ -7085,7 +7085,7 @@ "id_raw": "CP-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and" }, @@ -7095,7 +7095,7 @@ "id_raw": "CP-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Contingency planning policy [Assignment: organization-defined frequency]; and Contingency planning procedures [Assignment: organization-defined frequency]." }, @@ -7105,7 +7105,7 @@ "id_raw": "CP-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Contingency Plan", "description": null }, @@ -7115,7 +7115,7 @@ "id_raw": "CP-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Coordinate With Related Plans", "description": "The organization coordinates contingency plan development with organizational elements responsible for related plans." }, @@ -7125,7 +7125,7 @@ "id_raw": "CP-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Capacity Planning", "description": "The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." }, 
@@ -7135,7 +7135,7 @@ "id_raw": "CP-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Resume Essential Missions / Business Functions", "description": "The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation." }, @@ -7145,7 +7145,7 @@ "id_raw": "CP-2 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Resume All Missions / Business Functions", "description": "The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation." }, @@ -7155,7 +7155,7 @@ "id_raw": "CP-2 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Continue Essential Missions / Business Functions", "description": "The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites." }, @@ -7165,7 +7165,7 @@ "id_raw": "CP-2 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Alternate Processing / Storage Site", "description": "The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites." }, @@ -7175,7 +7175,7 @@ "id_raw": "CP-2 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Coordinate With External Service Providers", "description": "The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied." }, 
@@ -7185,7 +7185,7 @@ "id_raw": "CP-2 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Identify Critical Assets", "description": "The organization identifies critical information system assets supporting essential missions and business functions." }, @@ -7195,7 +7195,7 @@ "id_raw": "CP-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" }, @@ -7205,7 +7205,7 @@ "id_raw": "CP-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];" }, @@ -7215,7 +7215,7 @@ "id_raw": "CP-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Coordinates contingency planning activities with incident handling activities;" }, @@ -7225,7 +7225,7 @@ "id_raw": "CP-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];" }, 
@@ -7235,7 +7235,7 @@ "id_raw": "CP-2e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" }, @@ -7245,7 +7245,7 @@ "id_raw": "CP-2f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and" }, @@ -7255,7 +7255,7 @@ "id_raw": "CP-2g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization: Protects the contingency plan from unauthorized disclosure and modification." }, @@ -7265,7 +7265,7 @@ "id_raw": "CP-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Contingency Training", "description": null }, @@ -7275,7 +7275,7 @@ "id_raw": "CP-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Simulated Events", "description": "The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations." }, @@ -7285,7 +7285,7 @@ "id_raw": "CP-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Training Environments", "description": "The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment." }, 
@@ -7295,7 +7295,7 @@ "id_raw": "CP-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;" }, @@ -7305,7 +7305,7 @@ "id_raw": "CP-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and" }, @@ -7315,7 +7315,7 @@ "id_raw": "CP-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter." }, @@ -7325,7 +7325,7 @@ "id_raw": "CP-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Contingency Plan Testing", "description": null }, @@ -7335,7 +7335,7 @@ "id_raw": "CP-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Coordinate With Related Plans", "description": "The organization coordinates contingency plan testing with organizational elements responsible for related plans." }, @@ -7345,7 +7345,7 @@ "id_raw": "CP-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Alternate Processing Site", "description": "The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations." }, 
@@ -7355,7 +7355,7 @@ "id_raw": "CP-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automated Testing", "description": "The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan." }, @@ -7365,7 +7365,7 @@ "id_raw": "CP-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Full Recovery / Reconstitution", "description": "The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing." }, @@ -7375,7 +7375,7 @@ "id_raw": "CP-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;" }, @@ -7385,7 +7385,7 @@ "id_raw": "CP-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews the contingency plan test results; and" }, @@ -7395,7 +7395,7 @@ "id_raw": "CP-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Initiates corrective actions, if needed." }, @@ -7405,7 +7405,7 @@ "id_raw": "CP-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Contingency Plan Update", "description": null }, @@ -7415,7 +7415,7 @@ "id_raw": "CP-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Alternate Storage Site", "description": null }, 
@@ -7425,7 +7425,7 @@ "id_raw": "CP-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Separation From Primary Site", "description": "The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats." }, @@ -7435,7 +7435,7 @@ "id_raw": "CP-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Recovery Time / Point Objectives", "description": "The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." }, @@ -7445,7 +7445,7 @@ "id_raw": "CP-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Accessibility", "description": "The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." }, @@ -7455,7 +7455,7 @@ "id_raw": "CP-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and" }, @@ -7465,7 +7465,7 @@ "id_raw": "CP-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site." }, @@ -7475,7 +7475,7 @@ "id_raw": "CP-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Alternate Processing Site", "description": null }, 
@@ -7485,7 +7485,7 @@ "id_raw": "CP-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Separation From Primary Site", "description": "The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats." }, @@ -7495,7 +7495,7 @@ "id_raw": "CP-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Accessibility", "description": "The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." }, @@ -7505,7 +7505,7 @@ "id_raw": "CP-7 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Priority Of Service", "description": "The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)." }, @@ -7515,7 +7515,7 @@ "id_raw": "CP-7 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Preparation For Use", "description": "The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions." }, @@ -7525,7 +7525,7 @@ "id_raw": "CP-7 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Inability To Return To Primary Site", "description": "The organization plans and prepares for circumstances that preclude returning to the primary processing site." }, 
@@ -7535,7 +7535,7 @@ "id_raw": "CP-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;" }, @@ -7545,7 +7545,7 @@ "id_raw": "CP-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and" }, @@ -7555,7 +7555,7 @@ "id_raw": "CP-7c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site." }, @@ -7565,7 +7565,7 @@ "id_raw": "CP-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Telecommunications Services", "description": null }, 
@@ -7575,7 +7575,7 @@ "id_raw": "CP-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Priority Of Service Provisions", "description": "The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier." }, @@ -7585,7 +7585,7 @@ "id_raw": "CP-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Single Points Of Failure", "description": "The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." }, @@ -7595,7 +7595,7 @@ "id_raw": "CP-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Separation Of Primary / Alternate Providers", "description": "The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats." }, @@ -7605,7 +7605,7 @@ "id_raw": "CP-8 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Provider Contingency Plan", "description": "The organization: Requires primary and alternate telecommunications service providers to have contingency plans; Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]." }, 
@@ -7615,7 +7615,7 @@ "id_raw": "CP-8 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Alternate Telecommunication Service Testing", "description": "The organization tests alternate telecommunication services [Assignment: organization-defined frequency]." }, @@ -7625,7 +7625,7 @@ "id_raw": "CP-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Information System Backup", "description": null }, @@ -7635,7 +7635,7 @@ "id_raw": "CP-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Testing For Reliability / Integrity", "description": "The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity." }, @@ -7645,7 +7645,7 @@ "id_raw": "CP-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Test Restoration Using Sampling", "description": "The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing." }, @@ -7655,7 +7655,7 @@ "id_raw": "CP-9 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Separate Storage For Critical Information", "description": "The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system." }, @@ -7665,7 +7665,7 @@ "id_raw": "CP-9 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Transfer To Alternate Storage Site", "description": "The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]." }, 
@@ -7675,7 +7675,7 @@ "id_raw": "CP-9 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Redundant Secondary System", "description": "The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations." }, @@ -7685,7 +7685,7 @@ "id_raw": "CP-9 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Dual Authorization", "description": "The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]." }, @@ -7695,7 +7695,7 @@ "id_raw": "CP-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];" }, @@ -7705,7 +7705,7 @@ "id_raw": "CP-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];" }, @@ -7715,7 +7715,7 @@ "id_raw": "CP-9c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and" }, 
@@ -7725,7 +7725,7 @@ "id_raw": "CP-9d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Protects the confidentiality, integrity, and availability of backup information at storage locations." }, @@ -7745,7 +7745,7 @@ "id_raw": "IA-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Identification and Authentication Policy and Procedures", "description": null }, @@ -7755,7 +7755,7 @@ "id_raw": "IA-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Adaptive Identification and Authentication", "description": null }, @@ -7765,7 +7765,7 @@ "id_raw": "IA-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Re-Authentication", "description": null }, @@ -7775,7 +7775,7 @@ "id_raw": "IA-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and" }, @@ -7785,7 +7785,7 @@ "id_raw": "IA-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and Identification and authentication procedures [Assignment: organization-defined frequency]." }, @@ -7795,7 +7795,7 @@ "id_raw": "IA-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Identification and Authentication (Organizational Users)", "description": null }, 
@@ -7805,7 +7805,7 @@ "id_raw": "IA-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Network Access To Privileged Accounts", "description": "The information system implements multifactor authentication for network access to privileged accounts." }, @@ -7815,7 +7815,7 @@ "id_raw": "IA-2 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Single Sign-On", "description": "The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]." }, @@ -7825,7 +7825,7 @@ "id_raw": "IA-2 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Remote Access - Separate Device", "description": "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]." }, @@ -7835,7 +7835,7 @@ "id_raw": "IA-2 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Acceptance Of Piv Credentials", "description": "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials." }, @@ -7845,7 +7845,7 @@ "id_raw": "IA-2 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Out-Of-Band Authentication", "description": "The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]." }, @@ -7855,7 +7855,7 @@ "id_raw": "IA-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Network Access To Non-Privileged Accounts", "description": "The information system implements multifactor authentication for network access to non-privileged accounts." }, 
@@ -7865,7 +7865,7 @@ "id_raw": "IA-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Local Access To Privileged Accounts", "description": "The information system implements multifactor authentication for local access to privileged accounts." }, @@ -7875,7 +7875,7 @@ "id_raw": "IA-2 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Local Access To Non-Privileged Accounts", "description": "The information system implements multifactor authentication for local access to non-privileged accounts." }, @@ -7885,7 +7885,7 @@ "id_raw": "IA-2 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Group Authentication", "description": "The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed." }, @@ -7895,7 +7895,7 @@ "id_raw": "IA-2 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Network Access To Privileged Accounts - Separate Device", "description": "The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]." }, @@ -7905,7 +7905,7 @@ "id_raw": "IA-2 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Network Access To Non-Privileged Accounts - Separate Device", "description": "The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]." }, 
@@ -7915,7 +7915,7 @@ "id_raw": "IA-2 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Network Access To Privileged Accounts - Replay Resistant", "description": "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts." }, @@ -7925,7 +7925,7 @@ "id_raw": "IA-2 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Network Access To Non-Privileged Accounts - Replay Resistant", "description": "The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts." }, @@ -7935,7 +7935,7 @@ "id_raw": "IA-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Device Identification and Authentication", "description": null }, @@ -7945,7 +7945,7 @@ "id_raw": "IA-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Cryptographic Bidirectional Authentication", "description": "The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based." }, @@ -7955,7 +7955,7 @@ "id_raw": "IA-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Dynamic Address Allocation", "description": "The organization: Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audits lease information when assigned to a device." }, 
@@ -7965,7 +7965,7 @@ "id_raw": "IA-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Device Attestation", "description": "The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]." }, @@ -7975,7 +7975,7 @@ "id_raw": "IA-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Identifier Management", "description": null }, @@ -7985,7 +7985,7 @@ "id_raw": "IA-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Prohibit Account Identifiers As Public Identifiers", "description": "The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts." }, @@ -7995,7 +7995,7 @@ "id_raw": "IA-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Supervisor Authorization", "description": "The organization requires that the registration process to receive an individual identifier includes supervisor authorization." }, @@ -8005,7 +8005,7 @@ "id_raw": "IA-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Multiple Forms Of Certification", "description": "The organization requires multiple forms of certification of individual identification be presented to the registration authority." }, @@ -8015,7 +8015,7 @@ "id_raw": "IA-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Identify User Status", "description": "The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]." }, @@ -8025,7 +8025,7 @@ "id_raw": "IA-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Dynamic Management", "description": "The information system dynamically manages identifiers." }, 
@@ -8035,7 +8035,7 @@ "id_raw": "IA-4 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Cross-Organization Management", "description": "The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers." }, @@ -8045,7 +8045,7 @@ "id_raw": "IA-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "In-Person Registration", "description": "The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority." }, @@ -8055,7 +8055,7 @@ "id_raw": "IA-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;" }, @@ -8065,7 +8065,7 @@ "id_raw": "IA-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;" }, @@ -8075,7 +8075,7 @@ "id_raw": "IA-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;" }, @@ -8085,7 +8085,7 @@ "id_raw": "IA-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and" }, 
@@ -8095,7 +8095,7 @@ "id_raw": "IA-4e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity]." }, @@ -8105,7 +8105,7 @@ "id_raw": "IA-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Authenticator Management", "description": null }, @@ -8115,7 +8115,7 @@ "id_raw": "IA-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Password-Based Authentication", "description": "The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and transmits only cryptographically-protected passwords; Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; Prohibits password reuse for [Assignment: organization-defined number] generations; and Allows the use of a temporary password for system logons with an immediate change to a permanent password." }, @@ -8125,7 +8125,7 @@ "id_raw": "IA-5 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Dynamic Credential Association", "description": "The information system dynamically provisions identities." }, 
@@ -8135,7 +8135,7 @@ "id_raw": "IA-5 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Hardware Token-Based Authentication", "description": "The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]." }, @@ -8145,7 +8145,7 @@ "id_raw": "IA-5 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Biometric-Based Authentication", "description": "The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]." }, @@ -8155,7 +8155,7 @@ "id_raw": "IA-5 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Expiration Of Cached Authenticators", "description": "The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]." }, @@ -8165,7 +8165,7 @@ "id_raw": "IA-5 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Managing Content Of Pki Trust Stores", "description": "The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications." }, @@ -8175,7 +8175,7 @@ "id_raw": "IA-5 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Ficam-Approved Products And Services", "description": "The organization uses only FICAM-approved path discovery and validation products and services." }, 
@@ -8185,7 +8185,7 @@ "id_raw": "IA-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Pki-Based Authentication", "description": "The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network." }, @@ -8195,7 +8195,7 @@ "id_raw": "IA-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "In-Person Or Trusted Third-Party Registration", "description": "The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]." }, @@ -8205,7 +8205,7 @@ "id_raw": "IA-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Automated Support For Password Strength Determination", "description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]." }, @@ -8215,7 +8215,7 @@ "id_raw": "IA-5 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Change Authenticators Prior To Delivery", "description": "The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation." }, 
@@ -8225,7 +8225,7 @@ "id_raw": "IA-5 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Protection Of Authenticators", "description": "The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access." }, @@ -8235,7 +8235,7 @@ "id_raw": "IA-5 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "No Embedded Unencrypted Static Authenticators", "description": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys." }, @@ -8245,7 +8245,7 @@ "id_raw": "IA-5 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Multiple Information System Accounts", "description": "The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems." }, @@ -8255,7 +8255,7 @@ "id_raw": "IA-5 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Cross-Organization Credential Management", "description": "The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials." }, @@ -8265,7 +8265,7 @@ "id_raw": "IA-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;" }, @@ -8275,7 +8275,7 @@ "id_raw": "IA-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization;" }, 
@@ -8285,7 +8285,7 @@ "id_raw": "IA-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;" }, @@ -8295,7 +8295,7 @@ "id_raw": "IA-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;" }, @@ -8305,7 +8305,7 @@ "id_raw": "IA-5e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation;" }, @@ -8315,7 +8315,7 @@ "id_raw": "IA-5f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;" }, @@ -8325,7 +8325,7 @@ "id_raw": "IA-5g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];" }, @@ -8335,7 +8335,7 @@ "id_raw": "IA-5h.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 8, "title": null, "description": "The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;" }, 
@@ -8345,7 +8345,7 @@ "id_raw": "IA-5i.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 9, "title": null, "description": "The organization manages information system authenticators by: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and" }, @@ -8355,7 +8355,7 @@ "id_raw": "IA-5j.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 10, "title": null, "description": "The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes." }, @@ -8365,7 +8365,7 @@ "id_raw": "IA-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Authenticator Feedback", "description": null }, @@ -8375,7 +8375,7 @@ "id_raw": "IA-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Cryptographic Module Authentication", "description": null }, @@ -8385,7 +8385,7 @@ "id_raw": "IA-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Identification and Authentication (Non-Organizational Users)", "description": null }, @@ -8395,7 +8395,7 @@ "id_raw": "IA-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Acceptance Of Piv Credentials From Other Agencies", "description": "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies." }, @@ -8405,7 +8405,7 @@ "id_raw": "IA-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Acceptance Of Third-Party Credentials", "description": "The information system accepts only FICAM-approved third-party credentials." }, 
@@ -8415,7 +8415,7 @@ "id_raw": "IA-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Use Of Ficam-Approved Products", "description": "The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials." }, @@ -8425,7 +8425,7 @@ "id_raw": "IA-8 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Use Of Ficam-Issued Profiles", "description": "The information system conforms to FICAM-issued profiles." }, @@ -8435,7 +8435,7 @@ "id_raw": "IA-8 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Acceptance Of Piv-I Credentials", "description": "The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials." }, @@ -8445,7 +8445,7 @@ "id_raw": "IA-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Service Identification and Authentication", "description": null }, @@ -8455,7 +8455,7 @@ "id_raw": "IA-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Information Exchange", "description": "The organization ensures that service providers receive, validate, and transmit identification and authentication information." }, @@ -8465,7 +8465,7 @@ "id_raw": "IA-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Transmission Of Decisions", "description": "The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies." }, @@ -8485,7 +8485,7 @@ "id_raw": "IR-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Incident Response Policy and Procedures", "description": null }, 
@@ -8495,7 +8495,7 @@ "id_raw": "IR-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Integrated Information Security Analysis Team", "description": null }, @@ -8505,7 +8505,7 @@ "id_raw": "IR-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and" }, @@ -8515,7 +8515,7 @@ "id_raw": "IR-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and Incident response procedures [Assignment: organization-defined frequency]." }, @@ -8525,7 +8525,7 @@ "id_raw": "IR-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Incident Response Training", "description": null }, @@ -8535,7 +8535,7 @@ "id_raw": "IR-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Simulated Events", "description": "The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations." }, @@ -8545,7 +8545,7 @@ "id_raw": "IR-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Training Environments", "description": "The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment." }, 
@@ -8555,7 +8555,7 @@ "id_raw": "IR-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;" }, @@ -8565,7 +8565,7 @@ "id_raw": "IR-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and" }, @@ -8575,7 +8575,7 @@ "id_raw": "IR-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter." }, @@ -8585,7 +8585,7 @@ "id_raw": "IR-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Incident Response Testing", "description": null }, @@ -8595,7 +8595,7 @@ "id_raw": "IR-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Testing", "description": "The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability." }, @@ -8605,7 +8605,7 @@ "id_raw": "IR-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Coordination With Related Plans", "description": "The organization coordinates incident response testing with organizational elements responsible for related plans." }, @@ -8615,7 +8615,7 @@ "id_raw": "IR-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Incident Handling", "description": null }, 
@@ -8625,7 +8625,7 @@ "id_raw": "IR-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Incident Handling Processes", "description": "The organization employs automated mechanisms to support the incident handling process." }, @@ -8635,7 +8635,7 @@ "id_raw": "IR-4 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Supply Chain Coordination", "description": "The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain." }, @@ -8645,7 +8645,7 @@ "id_raw": "IR-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Dynamic Reconfiguration", "description": "The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability." }, @@ -8655,7 +8655,7 @@ "id_raw": "IR-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Continuity Of Operations", "description": "The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions." }, @@ -8665,7 +8665,7 @@ "id_raw": "IR-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Information Correlation", "description": "The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response." }, 
@@ -8675,7 +8675,7 @@ "id_raw": "IR-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Automatic Disabling Of Information System", "description": "The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected." }, @@ -8685,7 +8685,7 @@ "id_raw": "IR-4 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Insider Threats - Specific Capabilities", "description": "The organization implements incident handling capability for insider threats." }, @@ -8695,7 +8695,7 @@ "id_raw": "IR-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Insider Threats - Intra-Organization Coordination", "description": "The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]." }, @@ -8705,7 +8705,7 @@ "id_raw": "IR-4 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Correlation With External Organizations", "description": "The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses." }, @@ -8715,7 +8715,7 @@ "id_raw": "IR-4 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Dynamic Response Capability", "description": "The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents." }, 
@@ -8725,7 +8725,7 @@ "id_raw": "IR-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;" }, @@ -8735,7 +8735,7 @@ "id_raw": "IR-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Coordinates incident handling activities with contingency planning activities; and" }, @@ -8745,7 +8745,7 @@ "id_raw": "IR-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly." }, @@ -8755,7 +8755,7 @@ "id_raw": "IR-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Incident Monitoring", "description": null }, @@ -8765,7 +8765,7 @@ "id_raw": "IR-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Tracking / Data Collection / Analysis", "description": "The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information." }, @@ -8775,7 +8775,7 @@ "id_raw": "IR-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Incident Reporting", "description": null }, @@ -8785,7 +8785,7 @@ "id_raw": "IR-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Reporting", "description": "The organization employs automated mechanisms to assist in the reporting of security incidents." }, 
@@ -8795,7 +8795,7 @@ "id_raw": "IR-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Vulnerabilities Related To Incidents", "description": "The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]." }, @@ -8805,7 +8805,7 @@ "id_raw": "IR-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Coordination With Supply Chain", "description": "The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident." }, @@ -8815,7 +8815,7 @@ "id_raw": "IR-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and" }, @@ -8825,7 +8825,7 @@ "id_raw": "IR-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reports security incident information to [Assignment: organization-defined authorities]." }, @@ -8835,7 +8835,7 @@ "id_raw": "IR-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Incident Response Assistance", "description": null }, @@ -8845,7 +8845,7 @@ "id_raw": "IR-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automation Support For Availability Of Information / Support", "description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support." }, 
@@ -8855,7 +8855,7 @@ "id_raw": "IR-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Coordination With External Providers", "description": "The organization: Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and Identifies organizational incident response team members to the external providers." }, @@ -8865,7 +8865,7 @@ "id_raw": "IR-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Incident Response Plan", "description": null }, @@ -8875,7 +8875,7 @@ "id_raw": "IR-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];" }, @@ -8885,7 +8885,7 @@ "id_raw": "IR-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];" }, 
@@ -8895,7 +8895,7 @@ "id_raw": "IR-8c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews the incident response plan [Assignment: organization-defined frequency];" }, @@ -8905,7 +8905,7 @@ "id_raw": "IR-8d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;" }, @@ -8915,7 +8915,7 @@ "id_raw": "IR-8e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and" }, @@ -8925,7 +8925,7 @@ "id_raw": "IR-8f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Protects the incident response plan from unauthorized disclosure and modification." }, @@ -8935,7 +8935,7 @@ "id_raw": "IR-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Information Spillage Response", "description": null }, @@ -8945,7 +8945,7 @@ "id_raw": "IR-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Responsible Personnel", "description": "The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills." }, @@ -8955,7 +8955,7 @@ "id_raw": "IR-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Training", "description": "The organization provides information spillage response training [Assignment: organization-defined frequency]." }, 
@@ -8965,7 +8965,7 @@ "id_raw": "IR-9 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Post-Spill Operations", "description": "The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions." }, @@ -8975,7 +8975,7 @@ "id_raw": "IR-9 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Exposure To Unauthorized Personnel", "description": "The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations." }, @@ -8985,7 +8985,7 @@ "id_raw": "IR-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization responds to information spills by: Identifying the specific information involved in the information system contamination;" }, @@ -8995,7 +8995,7 @@ "id_raw": "IR-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization responds to information spills by: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;" }, @@ -9005,7 +9005,7 @@ "id_raw": "IR-9c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization responds to information spills by: Isolating the contaminated information system or system component;" }, @@ -9015,7 +9015,7 @@ "id_raw": "IR-9d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization responds to information spills by: Eradicating the information from the contaminated information system or component;" }, 
@@ -9025,7 +9025,7 @@ "id_raw": "IR-9e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization responds to information spills by: Identifying other information systems or system components that may have been subsequently contaminated; and" }, @@ -9035,7 +9035,7 @@ "id_raw": "IR-9f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization responds to information spills by: Performing other [Assignment: organization-defined actions]." }, @@ -9055,7 +9055,7 @@ "id_raw": "MA-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "System Maintenance Policy and Procedures", "description": null }, @@ -9065,7 +9065,7 @@ "id_raw": "MA-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and" }, @@ -9075,7 +9075,7 @@ "id_raw": "MA-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and System maintenance procedures [Assignment: organization-defined frequency]." }, @@ -9085,7 +9085,7 @@ "id_raw": "MA-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Controlled Maintenance", "description": null }, 
@@ -9095,7 +9095,7 @@ "id_raw": "MA-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Maintenance Activities", "description": "The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed." }, @@ -9105,7 +9105,7 @@ "id_raw": "MA-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" }, @@ -9115,7 +9115,7 @@ "id_raw": "MA-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;" }, @@ -9125,7 +9125,7 @@ "id_raw": "MA-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;" }, @@ -9135,7 +9135,7 @@ "id_raw": "MA-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;" }, 
@@ -9145,7 +9145,7 @@ "id_raw": "MA-2e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and" }, @@ -9155,7 +9155,7 @@ "id_raw": "MA-2f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records." }, @@ -9165,7 +9165,7 @@ "id_raw": "MA-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Maintenance Tools", "description": null }, @@ -9175,7 +9175,7 @@ "id_raw": "MA-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Inspect Tools", "description": "The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications." }, @@ -9185,7 +9185,7 @@ "id_raw": "MA-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Inspect Media", "description": "The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system." }, @@ -9195,7 +9195,7 @@ "id_raw": "MA-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Prevent Unauthorized Removal", "description": "The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the equipment; Retaining the equipment within the facility; or Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility." }, 
@@ -9205,7 +9205,7 @@ "id_raw": "MA-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Restricted Tool Use", "description": "The information system restricts the use of maintenance tools to authorized personnel only." }, @@ -9215,7 +9215,7 @@ "id_raw": "MA-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Nonlocal Maintenance", "description": null }, @@ -9225,7 +9225,7 @@ "id_raw": "MA-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Auditing And Review", "description": "The organization: Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions." }, @@ -9235,7 +9235,7 @@ "id_raw": "MA-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Document Nonlocal Maintenance", "description": "The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections." }, @@ -9245,7 +9245,7 @@ "id_raw": "MA-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Comparable Security / Sanitization", "description": "The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system." }, 
@@ -9255,7 +9255,7 @@ "id_raw": "MA-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Authentication / Separation Of Maintenance Sessions", "description": "The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated communications paths based upon encryption." }, @@ -9265,7 +9265,7 @@ "id_raw": "MA-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Approvals And Notifications", "description": "The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance." }, @@ -9275,7 +9275,7 @@ "id_raw": "MA-4 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Cryptographic Protection", "description": "The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications." }, @@ -9285,7 +9285,7 @@ "id_raw": "MA-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Remote Disconnect Verification", "description": "The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions." }, @@ -9295,7 +9295,7 @@ "id_raw": "MA-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Approves and monitors nonlocal maintenance and diagnostic activities;" }, 
@@ -9305,7 +9305,7 @@ "id_raw": "MA-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;" }, @@ -9315,7 +9315,7 @@ "id_raw": "MA-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;" }, @@ -9325,7 +9325,7 @@ "id_raw": "MA-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Maintains records for nonlocal maintenance and diagnostic activities; and" }, @@ -9335,7 +9335,7 @@ "id_raw": "MA-4e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Terminates session and network connections when nonlocal maintenance is completed." }, @@ -9345,7 +9345,7 @@ "id_raw": "MA-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Maintenance Personnel", "description": null }, 
@@ -9355,7 +9355,7 @@ "id_raw": "MA-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Individuals Without Appropriate Access", "description": "The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system." }, @@ -9365,7 +9365,7 @@ "id_raw": "MA-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Security Clearances For Classified Systems", "description": "The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system." }, 
@@ -9375,7 +9375,7 @@ "id_raw": "MA-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Citizenship Requirements For Classified Systems", "description": "The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens." }, @@ -9385,7 +9385,7 @@ "id_raw": "MA-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Foreign Nationals", "description": "The organization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements." }, @@ -9395,7 +9395,7 @@ "id_raw": "MA-5 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Nonsystem-Related Maintenance", "description": "The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations." }, @@ -9405,7 +9405,7 @@ "id_raw": "MA-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;" }, 
@@ -9415,7 +9415,7 @@ "id_raw": "MA-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and" }, @@ -9425,7 +9425,7 @@ "id_raw": "MA-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." }, @@ -9435,7 +9435,7 @@ "id_raw": "MA-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Timely Maintenance", "description": null }, @@ -9445,7 +9445,7 @@ "id_raw": "MA-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Preventive Maintenance", "description": "The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]." }, @@ -9455,7 +9455,7 @@ "id_raw": "MA-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Predictive Maintenance", "description": "The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]." }, @@ -9465,7 +9465,7 @@ "id_raw": "MA-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automated Support For Predictive Maintenance", "description": "The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system." }, @@ -9485,7 +9485,7 @@ "id_raw": "MP-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Media Protection Policy and Procedures", "description": null }, 
@@ -9495,7 +9495,7 @@ "id_raw": "MP-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and" }, @@ -9505,7 +9505,7 @@ "id_raw": "MP-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and Media protection procedures [Assignment: organization-defined frequency]." }, @@ -9515,7 +9515,7 @@ "id_raw": "MP-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Media Access", "description": null }, @@ -9525,7 +9525,7 @@ "id_raw": "MP-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Media Marking", "description": null }, @@ -9535,7 +9535,7 @@ "id_raw": "MP-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" }, @@ -9545,7 +9545,7 @@ "id_raw": "MP-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]." }, @@ -9555,7 +9555,7 @@ "id_raw": "MP-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Media Storage", "description": null }, 
@@ -9565,7 +9565,7 @@ "id_raw": "MP-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Restricted Access", "description": "The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted." }, @@ -9575,7 +9575,7 @@ "id_raw": "MP-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and" }, @@ -9585,7 +9585,7 @@ "id_raw": "MP-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures." }, @@ -9595,7 +9595,7 @@ "id_raw": "MP-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Media Transport", "description": null }, @@ -9605,7 +9605,7 @@ "id_raw": "MP-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Custodians", "description": "The organization employs an identified custodian during transport of information system media outside of controlled areas." }, @@ -9615,7 +9615,7 @@ "id_raw": "MP-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Cryptographic Protection", "description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas." }, 
@@ -9625,7 +9625,7 @@ "id_raw": "MP-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];" }, @@ -9635,7 +9635,7 @@ "id_raw": "MP-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Maintains accountability for information system media during transport outside of controlled areas;" }, @@ -9645,7 +9645,7 @@ "id_raw": "MP-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Documents activities associated with the transport of information system media; and" }, @@ -9655,7 +9655,7 @@ "id_raw": "MP-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Restricts the activities associated with the transport of information system media to authorized personnel." }, @@ -9665,7 +9665,7 @@ "id_raw": "MP-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Media Sanitization", "description": null }, @@ -9675,7 +9675,7 @@ "id_raw": "MP-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Review / Approve / Track / Document / Verify", "description": "The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions." }, @@ -9685,7 +9685,7 @@ "id_raw": "MP-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Equipment Testing", "description": "The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved." }, 
@@ -9695,7 +9695,7 @@ "id_raw": "MP-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Nondestructive Techniques", "description": "The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]." }, @@ -9705,7 +9705,7 @@ "id_raw": "MP-6 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Dual Authorization", "description": "The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]." }, @@ -9715,7 +9715,7 @@ "id_raw": "MP-6 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Remote Purging / Wiping Of Information", "description": "The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]." }, @@ -9725,7 +9725,7 @@ "id_raw": "MP-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and" }, @@ -9735,7 +9735,7 @@ "id_raw": "MP-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." }, 
@@ -9745,7 +9745,7 @@ "id_raw": "MP-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Media Use", "description": null }, @@ -9755,7 +9755,7 @@ "id_raw": "MP-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Prohibit Use Without Owner", "description": "The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner." }, @@ -9765,7 +9765,7 @@ "id_raw": "MP-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Prohibit Use Of Sanitization-Resistant Media", "description": "The organization prohibits the use of sanitization-resistant media in organizational information systems." }, @@ -9775,7 +9775,7 @@ "id_raw": "MP-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Media Downgrading", "description": null }, @@ -9785,7 +9785,7 @@ "id_raw": "MP-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Documentation Of Process", "description": "The organization documents information system media downgrading actions." }, @@ -9795,7 +9795,7 @@ "id_raw": "MP-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Equipment Testing", "description": "The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]." }, @@ -9805,7 +9805,7 @@ "id_raw": "MP-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Controlled Unclassified Information", "description": "The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies." }, 
@@ -9815,7 +9815,7 @@ "id_raw": "MP-8 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Classified Information", "description": "The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies." }, @@ -9825,7 +9825,7 @@ "id_raw": "MP-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];" }, @@ -9835,7 +9835,7 @@ "id_raw": "MP-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;" }, @@ -9845,7 +9845,7 @@ "id_raw": "MP-8c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Identifies [Assignment: organization-defined information system media requiring downgrading]; and" }, @@ -9855,7 +9855,7 @@ "id_raw": "MP-8d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Downgrades the identified information system media using the established process." }, @@ -9875,7 +9875,7 @@ "id_raw": "PE-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Physical and Environmental Protection Policy and Procedures", "description": null }, @@ -9885,7 +9885,7 @@ "id_raw": "PE-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Emergency Shutoff", "description": null }, 
@@ -9895,7 +9895,7 @@ "id_raw": "PE-10a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations;" }, @@ -9905,7 +9905,7 @@ "id_raw": "PE-10b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and" }, @@ -9915,7 +9915,7 @@ "id_raw": "PE-10c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Protects emergency power shutoff capability from unauthorized activation." }, @@ -9925,7 +9925,7 @@ "id_raw": "PE-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Emergency Power", "description": null }, @@ -9935,7 +9935,7 @@ "id_raw": "PE-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Long-Term Alternate Power Supply - Minimal Operational Capability", "description": "The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source." }, @@ -9945,7 +9945,7 @@ "id_raw": "PE-11 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Long-Term Alternate Power Supply - Self-Contained", "description": "The organization provides a long-term alternate power supply for the information system that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source." }, 
@@ -9955,7 +9955,7 @@ "id_raw": "PE-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Emergency Lighting", "description": null }, @@ -9965,7 +9965,7 @@ "id_raw": "PE-12 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Essential Missions / Business Functions", "description": "The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions." }, @@ -9975,7 +9975,7 @@ "id_raw": "PE-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Fire Protection", "description": null }, @@ -9985,7 +9985,7 @@ "id_raw": "PE-13 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Detection Devices / Systems", "description": "The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire." }, @@ -9995,7 +9995,7 @@ "id_raw": "PE-13 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Suppression Devices / Systems", "description": "The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]." }, @@ -10005,7 +10005,7 @@ "id_raw": "PE-13 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automatic Fire Suppression", "description": "The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis." }, 
@@ -10015,7 +10015,7 @@ "id_raw": "PE-13 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Inspections", "description": "The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]." }, @@ -10025,7 +10025,7 @@ "id_raw": "PE-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Temperature and Humidity Controls", "description": null }, @@ -10035,7 +10035,7 @@ "id_raw": "PE-14 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automatic Controls", "description": "The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system." }, @@ -10045,7 +10045,7 @@ "id_raw": "PE-14 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Monitoring With Alarms / Notifications", "description": "The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment." }, @@ -10055,7 +10055,7 @@ "id_raw": "PE-14a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and" }, @@ -10065,7 +10065,7 @@ "id_raw": "PE-14b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Monitors temperature and humidity levels [Assignment: organization-defined frequency]." }, @@ -10075,7 +10075,7 @@ "id_raw": "PE-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Water Damage Protection", "description": null }, 
@@ -10085,7 +10085,7 @@ "id_raw": "PE-15 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automation Support", "description": "The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]." }, @@ -10095,7 +10095,7 @@ "id_raw": "PE-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Delivery and Removal", "description": null }, @@ -10105,7 +10105,7 @@ "id_raw": "PE-17", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 17, "title": "Alternate Work Site", "description": null }, @@ -10115,7 +10115,7 @@ "id_raw": "PE-17a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Employs [Assignment: organization-defined security controls] at alternate work sites;" }, @@ -10125,7 +10125,7 @@ "id_raw": "PE-17b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and" }, @@ -10135,7 +10135,7 @@ "id_raw": "PE-17c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Provides a means for employees to communicate with information security personnel in case of security incidents or problems." }, @@ -10145,7 +10145,7 @@ "id_raw": "PE-18", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 18, "title": "Location Of Information System Components", "description": null }, 
@@ -10155,7 +10155,7 @@ "id_raw": "PE-18 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Facility Site", "description": "The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy." }, @@ -10165,7 +10165,7 @@ "id_raw": "PE-19", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 19, "title": "Information Leakage", "description": null }, @@ -10175,7 +10175,7 @@ "id_raw": "PE-19 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "National Emissions / Tempest Policies And Procedures", "description": "The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information." }, @@ -10185,7 +10185,7 @@ "id_raw": "PE-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and" }, 
@@ -10195,7 +10195,7 @@ "id_raw": "PE-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and Physical and environmental protection procedures [Assignment: organization-defined frequency]." }, @@ -10205,7 +10205,7 @@ "id_raw": "PE-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Physical Access Authorizations", "description": null }, @@ -10215,7 +10215,7 @@ "id_raw": "PE-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Access By Position / Role", "description": "The organization authorizes physical access to the facility where the information system resides based on position or role." }, @@ -10225,7 +10225,7 @@ "id_raw": "PE-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Two Forms Of Identification", "description": "The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides." }, @@ -10235,7 +10235,7 @@ "id_raw": "PE-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Restrict Unescorted Access", "description": "The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]." }, @@ -10245,7 +10245,7 @@ "id_raw": "PE-20", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 20, "title": "Asset Monitoring and Tracking", "description": null }, 
@@ -10255,7 +10255,7 @@ "id_raw": "PE-20a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and" }, @@ -10265,7 +10265,7 @@ "id_raw": "PE-20b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance." }, @@ -10275,7 +10275,7 @@ "id_raw": "PE-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Physical Access Control", "description": null }, @@ -10285,7 +10285,7 @@ "id_raw": "PE-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Information System Access", "description": "The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]." }, @@ -10295,7 +10295,7 @@ "id_raw": "PE-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Facility / Information System Boundaries", "description": "The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components." }, 
@@ -10305,7 +10305,7 @@ "id_raw": "PE-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Continuous Guards / Alarms / Monitoring", "description": "The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week." }, @@ -10315,7 +10315,7 @@ "id_raw": "PE-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Lockable Casings", "description": "The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access." }, @@ -10325,7 +10325,7 @@ "id_raw": "PE-3 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Tamper Protection", "description": "The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system." }, @@ -10335,7 +10335,7 @@ "id_raw": "PE-3 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Facility Penetration Testing", "description": "The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility." }, 
@@ -10345,7 +10345,7 @@ "id_raw": "PE-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];" }, @@ -10355,7 +10355,7 @@ "id_raw": "PE-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];" }, @@ -10365,7 +10365,7 @@ "id_raw": "PE-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;" }, @@ -10375,7 +10375,7 @@ "id_raw": "PE-3d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];" }, @@ -10385,7 +10385,7 @@ "id_raw": "PE-3e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Secures keys, combinations, and other physical access devices;" }, @@ -10395,7 +10395,7 @@ "id_raw": "PE-3f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and" }, 
@@ -10405,7 +10405,7 @@ "id_raw": "PE-3g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated." }, @@ -10415,7 +10415,7 @@ "id_raw": "PE-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Access Control For Transmission Medium", "description": null }, @@ -10425,7 +10425,7 @@ "id_raw": "PE-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Access Control For Output Devices", "description": null }, @@ -10435,7 +10435,7 @@ "id_raw": "PE-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Access To Output By Authorized Individuals", "description": "The organization: Controls physical access to output from [Assignment: organization-defined output devices]; and Ensures that only authorized individuals receive output from the device." }, @@ -10445,7 +10445,7 @@ "id_raw": "PE-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Access To Output By Individual Identity", "description": "The information system: Controls physical access to output from [Assignment: organization-defined output devices]; and Links individual identity to receipt of the output from the device." }, @@ -10455,7 +10455,7 @@ "id_raw": "PE-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Marking Output Devices", "description": "The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device." }, @@ -10465,7 +10465,7 @@ "id_raw": "PE-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Monitoring Physical Access", "description": null }, 
@@ -10475,7 +10475,7 @@ "id_raw": "PE-6 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Intrusion Alarms / Surveillance Equipment", "description": "The organization monitors physical intrusion alarms and surveillance equipment." }, @@ -10485,7 +10485,7 @@ "id_raw": "PE-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Intrusion Recognition / Responses", "description": "The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]." }, @@ -10495,7 +10495,7 @@ "id_raw": "PE-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Video Surveillance", "description": "The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]." }, @@ -10505,7 +10505,7 @@ "id_raw": "PE-6 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Monitoring Physical Access To Information Systems", "description": "The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]." }, @@ -10515,7 +10515,7 @@ "id_raw": "PE-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;" }, 
@@ -10525,7 +10525,7 @@ "id_raw": "PE-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and" }, @@ -10535,7 +10535,7 @@ "id_raw": "PE-6c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Coordinates results of reviews and investigations with the organizational incident response capability." }, @@ -10545,7 +10545,7 @@ "id_raw": "PE-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Visitor Control", "description": null }, @@ -10555,7 +10555,7 @@ "id_raw": "PE-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Visitor Access Records", "description": null }, @@ -10565,7 +10565,7 @@ "id_raw": "PE-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Records Maintenance / Review", "description": "The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records." }, @@ -10575,7 +10575,7 @@ "id_raw": "PE-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and" }, @@ -10585,7 +10585,7 @@ "id_raw": "PE-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews visitor access records [Assignment: organization-defined frequency]." }, @@ -10595,7 +10595,7 @@ "id_raw": "PE-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Power Equipment and Cabling", "description": null }, 
@@ -10605,7 +10605,7 @@ "id_raw": "PE-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Redundant Cabling", "description": "The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]." }, @@ -10615,7 +10615,7 @@ "id_raw": "PE-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automatic Voltage Controls", "description": "The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]." }, @@ -10635,7 +10635,7 @@ "id_raw": "PL-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Security Planning Policy and Procedures", "description": null }, @@ -10645,7 +10645,7 @@ "id_raw": "PL-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and" }, @@ -10655,7 +10655,7 @@ "id_raw": "PL-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and Security planning procedures [Assignment: organization-defined frequency]." }, @@ -10665,7 +10665,7 @@ "id_raw": "PL-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "System Security Plan", "description": null }, 
@@ -10675,7 +10675,7 @@ "id_raw": "PL-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Plan / Coordinate With Other Organizational Entities", "description": "The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities." }, @@ -10685,7 +10685,7 @@ "id_raw": "PL-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system and relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Identifies any relevant overlays, if applicable; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;" }, @@ -10695,7 +10695,7 @@ "id_raw": "PL-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];" }, 
@@ -10705,7 +10705,7 @@ "id_raw": "PL-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews the security plan for the information system [Assignment: organization-defined frequency];" }, @@ -10715,7 +10715,7 @@ "id_raw": "PL-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and" }, @@ -10725,7 +10725,7 @@ "id_raw": "PL-2e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Protects the security plan from unauthorized disclosure and modification." }, @@ -10735,7 +10735,7 @@ "id_raw": "PL-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "System Security Plan Update", "description": null }, @@ -10745,7 +10745,7 @@ "id_raw": "PL-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Rules Of Behavior", "description": null }, @@ -10755,7 +10755,7 @@ "id_raw": "PL-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Social Media And Networking Restrictions", "description": "The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites." }, @@ -10765,7 +10765,7 @@ "id_raw": "PL-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;" }, 
@@ -10775,7 +10775,7 @@ "id_raw": "PL-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;" }, @@ -10785,7 +10785,7 @@ "id_raw": "PL-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and" }, @@ -10795,7 +10795,7 @@ "id_raw": "PL-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated." }, @@ -10805,7 +10805,7 @@ "id_raw": "PL-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Privacy Impact Assessment", "description": null }, @@ -10815,7 +10815,7 @@ "id_raw": "PL-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Security-Related Activity Planning", "description": null }, @@ -10825,7 +10825,7 @@ "id_raw": "PL-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Security Concept Of Operations", "description": null }, @@ -10835,7 +10835,7 @@ "id_raw": "PL-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and" }, 
@@ -10845,7 +10845,7 @@ "id_raw": "PL-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the CONOPS [Assignment: organization-defined frequency]." }, @@ -10855,7 +10855,7 @@ "id_raw": "PL-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Information Security Architecture", "description": null }, @@ -10865,7 +10865,7 @@ "id_raw": "PL-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Defense-In-Depth", "description": "The organization designs its security architecture using a defense-in-depth approach that: Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner." }, @@ -10875,7 +10875,7 @@ "id_raw": "PL-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Supplier Diversity", "description": "The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers." }, @@ -10885,7 +10885,7 @@ "id_raw": "PL-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about, and dependencies on, external services;" }, 
@@ -10895,7 +10895,7 @@ "id_raw": "PL-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and" }, @@ -10905,7 +10905,7 @@ "id_raw": "PL-8c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions." }, @@ -10915,7 +10915,7 @@ "id_raw": "PL-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Central Management", "description": null }, @@ -10935,7 +10935,7 @@ "id_raw": "PM-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Information Security Program Plan", "description": null }, @@ -10945,7 +10945,7 @@ "id_raw": "PM-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Security Authorization Process", "description": null }, @@ -10955,7 +10955,7 @@ "id_raw": "PM-10a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;" }, @@ -10965,7 +10965,7 @@ "id_raw": "PM-10b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and" }, 
@@ -10975,7 +10975,7 @@ "id_raw": "PM-10c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Fully integrates the security authorization processes into an organization-wide risk management program." }, @@ -10985,7 +10985,7 @@ "id_raw": "PM-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Mission/Business Process Definition", "description": null }, @@ -10995,7 +10995,7 @@ "id_raw": "PM-11a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and" }, @@ -11005,7 +11005,7 @@ "id_raw": "PM-11b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained." }, @@ -11015,7 +11015,7 @@ "id_raw": "PM-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Insider Threat Program", "description": null }, @@ -11025,7 +11025,7 @@ "id_raw": "PM-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Information Security Workforce", "description": null }, @@ -11035,7 +11035,7 @@ "id_raw": "PM-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Testing, Training, and Monitoring", "description": null }, 
@@ -11045,7 +11045,7 @@ "id_raw": "PM-14a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner;" }, @@ -11055,7 +11055,7 @@ "id_raw": "PM-14b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." }, @@ -11065,7 +11065,7 @@ "id_raw": "PM-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Contacts With Security Groups and Associations", "description": null }, @@ -11075,7 +11075,7 @@ "id_raw": "PM-15a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel;" }, @@ -11085,7 +11085,7 @@ "id_raw": "PM-15b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization establishes and institutionalizes contact with selected groups and associations within the security community: To maintain currency with recommended security practices, techniques, and technologies; and" }, 
@@ -11095,7 +11095,7 @@ "id_raw": "PM-15c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization establishes and institutionalizes contact with selected groups and associations within the security community: To share current security-related information including threats, vulnerabilities, and incidents." }, @@ -11105,7 +11105,7 @@ "id_raw": "PM-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Threat Awareness Program", "description": null }, @@ -11115,7 +11115,7 @@ "id_raw": "PM-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;" }, @@ -11125,7 +11125,7 @@ "id_raw": "PM-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];" }, 
@@ -11135,7 +11135,7 @@ "id_raw": "PM-1c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and" }, @@ -11145,7 +11145,7 @@ "id_raw": "PM-1d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Protects the information security program plan from unauthorized disclosure and modification." }, @@ -11155,7 +11155,7 @@ "id_raw": "PM-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Senior Information Security Officer", "description": null }, @@ -11165,7 +11165,7 @@ "id_raw": "PM-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Information Security Resources", "description": null }, @@ -11175,7 +11175,7 @@ "id_raw": "PM-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;" }, @@ -11185,7 +11185,7 @@ "id_raw": "PM-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and" }, @@ -11195,7 +11195,7 @@ "id_raw": "PM-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Ensures that information security resources are available for expenditure as planned." }, @@ -11205,7 +11205,7 @@ "id_raw": "PM-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Plan Of Action and Milestones Process", "description": null }, 
@@ -11215,7 +11215,7 @@ "id_raw": "PM-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB FISMA reporting requirements." }, @@ -11225,7 +11225,7 @@ "id_raw": "PM-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." }, @@ -11235,7 +11235,7 @@ "id_raw": "PM-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Information System Inventory", "description": null }, @@ -11245,7 +11245,7 @@ "id_raw": "PM-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Information Security Measures Of Performance", "description": null }, @@ -11255,7 +11255,7 @@ "id_raw": "PM-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Enterprise Architecture", "description": null }, @@ -11265,7 +11265,7 @@ "id_raw": "PM-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Critical Infrastructure Plan", "description": null }, @@ -11275,7 +11275,7 @@ "id_raw": "PM-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Risk Management Strategy", "description": null }, 
@@ -11285,7 +11285,7 @@ "id_raw": "PM-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;" }, @@ -11295,7 +11295,7 @@ "id_raw": "PM-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Implements the risk management strategy consistently across the organization; and" }, @@ -11305,7 +11305,7 @@ "id_raw": "PM-9c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes." }, @@ -11325,7 +11325,7 @@ "id_raw": "PS-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Personnel Security Policy and Procedures", "description": null }, @@ -11335,7 +11335,7 @@ "id_raw": "PS-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and" }, @@ -11345,7 +11345,7 @@ "id_raw": "PS-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and Personnel security procedures [Assignment: organization-defined frequency]." }, 
@@ -11355,7 +11355,7 @@ "id_raw": "PS-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Position Risk Designation", "description": null }, @@ -11365,7 +11365,7 @@ "id_raw": "PS-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Assigns a risk designation to all organizational positions;" }, @@ -11375,7 +11375,7 @@ "id_raw": "PS-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Establishes screening criteria for individuals filling those positions; and" }, @@ -11385,7 +11385,7 @@ "id_raw": "PS-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews and updates position risk designations [Assignment: organization-defined frequency]." }, @@ -11395,7 +11395,7 @@ "id_raw": "PS-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Personnel Screening", "description": null }, @@ -11405,7 +11405,7 @@ "id_raw": "PS-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Classified Information", "description": "The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system." }, @@ -11415,7 +11415,7 @@ "id_raw": "PS-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Formal Indoctrination", "description": "The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system." }, 
@@ -11425,7 +11425,7 @@ "id_raw": "PS-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Information With Special Protection Measures", "description": "The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official government duties; and Satisfy [Assignment: organization-defined additional personnel screening criteria]." }, @@ -11435,7 +11435,7 @@ "id_raw": "PS-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Screens individuals prior to authorizing access to the information system; and" }, @@ -11445,7 +11445,7 @@ "id_raw": "PS-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]." }, @@ -11455,7 +11455,7 @@ "id_raw": "PS-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Personnel Termination", "description": null }, @@ -11465,7 +11465,7 @@ "id_raw": "PS-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Post-Employment Requirements", "description": "The organization: Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process." }, 
@@ -11475,7 +11475,7 @@ "id_raw": "PS-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Notification", "description": "The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual." }, @@ -11485,7 +11485,7 @@ "id_raw": "PS-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];" }, @@ -11495,7 +11495,7 @@ "id_raw": "PS-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;" }, @@ -11505,7 +11505,7 @@ "id_raw": "PS-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];" }, @@ -11515,7 +11515,7 @@ "id_raw": "PS-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;" }, @@ -11525,7 +11525,7 @@ "id_raw": "PS-4e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and" }, 
@@ -11535,7 +11535,7 @@ "id_raw": "PS-4f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]." }, @@ -11545,7 +11545,7 @@ "id_raw": "PS-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Personnel Transfer", "description": null }, @@ -11555,7 +11555,7 @@ "id_raw": "PS-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;" }, @@ -11565,7 +11565,7 @@ "id_raw": "PS-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];" }, @@ -11575,7 +11575,7 @@ "id_raw": "PS-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" }, @@ -11585,7 +11585,7 @@ "id_raw": "PS-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]." }, @@ -11595,7 +11595,7 @@ "id_raw": "PS-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Access Agreements", "description": null }, 
@@ -11605,7 +11605,7 @@ "id_raw": "PS-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Classified Information Requiring Special Protection", "description": "The organization ensures that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government duties; Satisfy associated personnel security criteria; and Have read, understood, and signed a nondisclosure agreement." }, @@ -11615,7 +11615,7 @@ "id_raw": "PS-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Post-Employment Requirements", "description": "The organization: Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information." }, @@ -11625,7 +11625,7 @@ "id_raw": "PS-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops and documents access agreements for organizational information systems;" }, @@ -11635,7 +11635,7 @@ "id_raw": "PS-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the access agreements [Assignment: organization-defined frequency]; and" }, @@ -11645,7 +11645,7 @@ "id_raw": "PS-6c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]." }, 
@@ -11655,7 +11655,7 @@ "id_raw": "PS-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Third-Party Personnel Security", "description": null }, @@ -11665,7 +11665,7 @@ "id_raw": "PS-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers;" }, @@ -11675,7 +11675,7 @@ "id_raw": "PS-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Requires third-party providers to comply with personnel security policies and procedures established by the organization;" }, @@ -11685,7 +11685,7 @@ "id_raw": "PS-7c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Documents personnel security requirements;" }, @@ -11695,7 +11695,7 @@ "id_raw": "PS-7d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and" }, @@ -11705,7 +11705,7 @@ "id_raw": "PS-7e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Monitors provider compliance." }, @@ -11715,7 +11715,7 @@ "id_raw": "PS-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Personnel Sanctions", "description": null }, 
@@ -11725,7 +11725,7 @@ "id_raw": "PS-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and" }, @@ -11735,7 +11735,7 @@ "id_raw": "PS-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." }, @@ -11755,7 +11755,7 @@ "id_raw": "RA-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "Risk Assessment Policy and Procedures", "description": null }, @@ -11765,7 +11765,7 @@ "id_raw": "RA-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and" }, @@ -11775,7 +11775,7 @@ "id_raw": "RA-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and Risk assessment procedures [Assignment: organization-defined frequency]." }, @@ -11785,7 +11785,7 @@ "id_raw": "RA-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Security Categorization", "description": null }, 
@@ -11795,7 +11795,7 @@ "id_raw": "RA-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" }, @@ -11805,7 +11805,7 @@ "id_raw": "RA-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and" }, @@ -11815,7 +11815,7 @@ "id_raw": "RA-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." }, @@ -11825,7 +11825,7 @@ "id_raw": "RA-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Risk Assessment", "description": null }, @@ -11835,7 +11835,7 @@ "id_raw": "RA-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;" }, @@ -11845,7 +11845,7 @@ "id_raw": "RA-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];" }, 
@@ -11855,7 +11855,7 @@ "id_raw": "RA-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Reviews risk assessment results [Assignment: organization-defined frequency];" }, @@ -11865,7 +11865,7 @@ "id_raw": "RA-3d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and" }, @@ -11875,7 +11875,7 @@ "id_raw": "RA-3e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system." }, @@ -11885,7 +11885,7 @@ "id_raw": "RA-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Risk Assessment Update", "description": null }, @@ -11895,7 +11895,7 @@ "id_raw": "RA-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Vulnerability Scanning", "description": null }, @@ -11905,7 +11905,7 @@ "id_raw": "RA-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Update Tool Capability", "description": "The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned." }, @@ -11915,7 +11915,7 @@ "id_raw": "RA-5 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Correlate Scanning Information", "description": "The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors." }, 
@@ -11925,7 +11925,7 @@ "id_raw": "RA-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Update By Frequency / Prior To New Scan / When Identified", "description": "The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]." }, @@ -11935,7 +11935,7 @@ "id_raw": "RA-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Breadth / Depth Of Coverage", "description": "The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)." }, @@ -11945,7 +11945,7 @@ "id_raw": "RA-5 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Discoverable Information", "description": "The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]." }, @@ -11955,7 +11955,7 @@ "id_raw": "RA-5 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Privileged Access", "description": "The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]." }, @@ -11965,7 +11965,7 @@ "id_raw": "RA-5 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Automated Trend Analyses", "description": "The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities." }, 
@@ -11975,7 +11975,7 @@ "id_raw": "RA-5 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Review Historic Audit Logs", "description": "The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited." }, @@ -11985,7 +11985,7 @@ "id_raw": "RA-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;" }, @@ -11995,7 +11995,7 @@ "id_raw": "RA-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact;" }, @@ -12005,7 +12005,7 @@ "id_raw": "RA-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Analyzes vulnerability scan reports and results from security control assessments;" }, @@ -12015,7 +12015,7 @@ "id_raw": "RA-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and" }, 
@@ -12025,7 +12025,7 @@ "id_raw": "RA-5e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)." }, @@ -12035,7 +12035,7 @@ "id_raw": "RA-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Technical Surveillance Countermeasures Survey", "description": null }, @@ -12055,7 +12055,7 @@ "id_raw": "SA-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "System and Services Acquisition Policy and Procedures", "description": null }, @@ -12065,7 +12065,7 @@ "id_raw": "SA-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Developer Configuration Management", "description": null }, @@ -12075,7 +12075,7 @@ "id_raw": "SA-10 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Software / Firmware Integrity Verification", "description": "The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components." }, @@ -12085,7 +12085,7 @@ "id_raw": "SA-10 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Alternative Configuration Management Processes", "description": "The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team." }, 
@@ -12095,7 +12095,7 @@ "id_raw": "SA-10 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Hardware Integrity Verification", "description": "The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components." }, @@ -12105,7 +12105,7 @@ "id_raw": "SA-10 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Trusted Generation", "description": "The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions." }, @@ -12115,7 +12115,7 @@ "id_raw": "SA-10 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Mapping Integrity For Version Control", "description": "The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version." }, @@ -12125,7 +12125,7 @@ "id_raw": "SA-10 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Trusted Distribution", "description": "The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies." }, 
@@ -12135,7 +12135,7 @@ "id_raw": "SA-10a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];" }, @@ -12145,7 +12145,7 @@ "id_raw": "SA-10b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];" }, @@ -12155,7 +12155,7 @@ "id_raw": "SA-10c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;" }, @@ -12165,7 +12165,7 @@ "id_raw": "SA-10d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and" }, @@ -12175,7 +12175,7 @@ "id_raw": "SA-10e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]." }, 
@@ -12185,7 +12185,7 @@ "id_raw": "SA-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Developer Security Testing and Evaluation", "description": null }, @@ -12195,7 +12195,7 @@ "id_raw": "SA-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Static Code Analysis", "description": "The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis." }, @@ -12205,7 +12205,7 @@ "id_raw": "SA-11 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Threat And Vulnerability Analyses", "description": "The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service." }, @@ -12215,7 +12215,7 @@ "id_raw": "SA-11 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Independent Verification Of Assessment Plans / Evidence", "description": "The organization: Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information." }, 
@@ -12225,7 +12225,7 @@ "id_raw": "SA-11 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Manual Code Reviews", "description": "The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]." }, @@ -12235,7 +12235,7 @@ "id_raw": "SA-11 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Penetration Testing", "description": "The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]." }, @@ -12245,7 +12245,7 @@ "id_raw": "SA-11 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Attack Surface Reviews", "description": "The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews." }, @@ -12255,7 +12255,7 @@ "id_raw": "SA-11 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Verify Scope Of Testing / Evaluation", "description": "The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]." }, 
@@ -12265,7 +12265,7 @@ "id_raw": "SA-11 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Dynamic Code Analysis", "description": "The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis." }, @@ -12275,7 +12275,7 @@ "id_raw": "SA-11a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;" }, @@ -12285,7 +12285,7 @@ "id_raw": "SA-11b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];" }, @@ -12295,7 +12295,7 @@ "id_raw": "SA-11c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;" }, @@ -12305,7 +12305,7 @@ "id_raw": "SA-11d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and" }, 
@@ -12315,7 +12315,7 @@ "id_raw": "SA-11e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation." }, @@ -12325,7 +12325,7 @@ "id_raw": "SA-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Supply Chain Protection", "description": null }, @@ -12335,7 +12335,7 @@ "id_raw": "SA-12 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Acquisition Strategies / Tools / Methods", "description": "The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers." }, @@ -12345,7 +12345,7 @@ "id_raw": "SA-12 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Validate As Genuine And Not Altered", "description": "The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered." }, @@ -12355,7 +12355,7 @@ "id_raw": "SA-12 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Penetration Testing / Analysis Of Elements, Processes, And Actors", "description": "The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service." }, 
@@ -12365,7 +12365,7 @@ "id_raw": "SA-12 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Inter-Organizational Agreements", "description": "The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service." }, @@ -12375,7 +12375,7 @@ "id_raw": "SA-12 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Critical Information System Components", "description": "The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]." }, @@ -12385,7 +12385,7 @@ "id_raw": "SA-12 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Identity And Traceability", "description": "The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service." }, @@ -12395,7 +12395,7 @@ "id_raw": "SA-12 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Processes To Address Weaknesses Or Deficiencies", "description": "The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements." }, @@ -12405,7 +12405,7 @@ "id_raw": "SA-12 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Supplier Reviews", "description": "The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service." }, 
@@ -12415,7 +12415,7 @@ "id_raw": "SA-12 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Limitation Of Harm", "description": "The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain." }, @@ -12425,7 +12425,7 @@ "id_raw": "SA-12 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Assessments Prior To Selection / Acceptance / Update", "description": "The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update." }, @@ -12435,7 +12435,7 @@ "id_raw": "SA-12 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Use Of All-Source Intelligence", "description": "The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service." }, @@ -12445,7 +12445,7 @@ "id_raw": "SA-12 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Operations Security", "description": "The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service." }, @@ -12455,7 +12455,7 @@ "id_raw": "SA-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Trustworthiness", "description": null }, 
@@ -12465,7 +12465,7 @@ "id_raw": "SA-13a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and" }, @@ -12475,7 +12475,7 @@ "id_raw": "SA-13b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness." }, @@ -12485,7 +12485,7 @@ "id_raw": "SA-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Criticality Analysis", "description": null }, @@ -12495,7 +12495,7 @@ "id_raw": "SA-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Development Process, Standards, and Tools", "description": null }, @@ -12505,7 +12505,7 @@ "id_raw": "SA-15 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Quality Metrics", "description": "The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]." }, @@ -12515,7 +12515,7 @@ "id_raw": "SA-15 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Incident Response Plan", "description": "The organization requires the developer of the information system, system component, or information system service to provide an incident response plan." }, 
@@ -12525,7 +12525,7 @@ "id_raw": "SA-15 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Archive Information System / Component", "description": "The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review." }, @@ -12535,7 +12535,7 @@ "id_raw": "SA-15 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Security Tracking Tools", "description": "The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process." }, @@ -12545,7 +12545,7 @@ "id_raw": "SA-15 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Criticality Analysis", "description": "The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]." }, @@ -12555,7 +12555,7 @@ "id_raw": "SA-15 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Threat Modeling / Vulnerability Analysis", "description": "The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria]." }, 
@@ -12565,7 +12565,7 @@ "id_raw": "SA-15 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Attack Surface Reduction", "description": "The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]." }, @@ -12575,7 +12575,7 @@ "id_raw": "SA-15 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Continuous Improvement", "description": "The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process." }, @@ -12585,7 +12585,7 @@ "id_raw": "SA-15 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Automated Vulnerability Analysis", "description": "The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]." }, @@ -12595,7 +12595,7 @@ "id_raw": "SA-15 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Reuse Of Threat / Vulnerability Information", "description": "The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process." }, 
@@ -12605,7 +12605,7 @@ "id_raw": "SA-15 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Use Of Live Data", "description": "The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service." }, @@ -12615,7 +12615,7 @@ "id_raw": "SA-15a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" }, @@ -12625,7 +12625,7 @@ "id_raw": "SA-15b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]." }, @@ -12635,7 +12635,7 @@ "id_raw": "SA-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Developer-Provided Training", "description": null }, @@ -12645,7 +12645,7 @@ "id_raw": "SA-17", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 17, "title": "Developer Security Architecture and Design", "description": null }, 
@@ -12655,7 +12655,7 @@ "id_raw": "SA-17 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Formal Policy Model", "description": "The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented." }, @@ -12665,7 +12665,7 @@ "id_raw": "SA-17 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Security-Relevant Components", "description": "The organization requires the developer of the information system, system component, or information system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete." }, 
@@ -12675,7 +12675,7 @@ "id_raw": "SA-17 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Formal Correspondence", "description": "The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware." }, 
@@ -12685,7 +12685,7 @@ "id_raw": "SA-17 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Informal Correspondence", "description": "The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware." }, @@ -12695,7 +12695,7 @@ "id_raw": "SA-17 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Conceptually Simple Design", "description": "The organization requires the developer of the information system, system component, or information system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism." }, 
@@ -12705,7 +12705,7 @@ "id_raw": "SA-17 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Structure For Testing", "description": "The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing." }, @@ -12715,7 +12715,7 @@ "id_raw": "SA-17 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Structure For Least Privilege", "description": "The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege." }, @@ -12725,7 +12725,7 @@ "id_raw": "SA-17a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;" }, @@ -12735,7 +12735,7 @@ "id_raw": "SA-17b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and" }, 
@@ -12745,7 +12745,7 @@ "id_raw": "SA-17c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection." }, @@ -12755,7 +12755,7 @@ "id_raw": "SA-18", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 18, "title": "Tamper Resistance and Detection", "description": null }, @@ -12765,7 +12765,7 @@ "id_raw": "SA-18 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Multiple Phases Of Sdlc", "description": "The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance." }, @@ -12775,7 +12775,7 @@ "id_raw": "SA-18 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Inspection Of Information Systems, Components, Or Devices", "description": "The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering." }, @@ -12785,7 +12785,7 @@ "id_raw": "SA-19", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 19, "title": "Component Authenticity", "description": null }, 
@@ -12795,7 +12795,7 @@ "id_raw": "SA-19 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Anti-Counterfeit Training", "description": "The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware)." }, @@ -12805,7 +12805,7 @@ "id_raw": "SA-19 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Configuration Control For Component Service / Repair", "description": "The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service." }, @@ -12815,7 +12815,7 @@ "id_raw": "SA-19 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Component Disposal", "description": "The organization disposes of information system components using [Assignment: organization-defined techniques and methods]." }, @@ -12825,7 +12825,7 @@ "id_raw": "SA-19 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Anti-Counterfeit Scanning", "description": "The organization scans for counterfeit information system components [Assignment: organization-defined frequency]." }, @@ -12835,7 +12835,7 @@ "id_raw": "SA-19a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and" }, 
@@ -12845,7 +12845,7 @@ "id_raw": "SA-19b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]." }, @@ -12855,7 +12855,7 @@ "id_raw": "SA-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and" }, @@ -12865,7 +12865,7 @@ "id_raw": "SA-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and System and services acquisition procedures [Assignment: organization-defined frequency]." }, @@ -12875,7 +12875,7 @@ "id_raw": "SA-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Allocation Of Resources", "description": null }, @@ -12885,7 +12885,7 @@ "id_raw": "SA-20", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 20, "title": "Customized Development Of Critical Components", "description": null }, @@ -12895,7 +12895,7 @@ "id_raw": "SA-21", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 21, "title": "Developer Screening", "description": null }, 
@@ -12905,7 +12905,7 @@ "id_raw": "SA-21 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Validation Of Screening", "description": "The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied." }, @@ -12915,7 +12915,7 @@ "id_raw": "SA-21a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and" }, @@ -12925,7 +12925,7 @@ "id_raw": "SA-21b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Satisfy [Assignment: organization-defined additional personnel screening criteria]." }, @@ -12935,7 +12935,7 @@ "id_raw": "SA-22", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 22, "title": "Unsupported System Components", "description": null }, @@ -12945,7 +12945,7 @@ "id_raw": "SA-22 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Alternative Sources For Continued Support", "description": "The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components." }, 
@@ -12955,7 +12955,7 @@ "id_raw": "SA-22a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and" }, @@ -12965,7 +12965,7 @@ "id_raw": "SA-22b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs." }, @@ -12975,7 +12975,7 @@ "id_raw": "SA-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Determines information security requirements for the information system or information system service in mission/business process planning;" }, @@ -12985,7 +12985,7 @@ "id_raw": "SA-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and" }, @@ -12995,7 +12995,7 @@ "id_raw": "SA-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation." }, @@ -13005,7 +13005,7 @@ "id_raw": "SA-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "System Development Life Cycle", "description": null }, 
@@ -13015,7 +13015,7 @@ "id_raw": "SA-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;" }, @@ -13025,7 +13025,7 @@ "id_raw": "SA-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;" }, @@ -13035,7 +13035,7 @@ "id_raw": "SA-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Identifies individuals having information security roles and responsibilities; and" }, @@ -13045,7 +13045,7 @@ "id_raw": "SA-3d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Integrates the organizational information security risk management process into system development life cycle activities." }, @@ -13055,7 +13055,7 @@ "id_raw": "SA-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Acquisition Process", "description": null }, @@ -13065,7 +13065,7 @@ "id_raw": "SA-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Functional Properties Of Security Controls", "description": "The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed." }, 
@@ -13075,7 +13075,7 @@ "id_raw": "SA-4 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Use Of Approved Piv Products", "description": "The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems." }, @@ -13085,7 +13085,7 @@ "id_raw": "SA-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Design / Implementation Information For Security Controls", "description": "The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]." }, @@ -13095,7 +13095,7 @@ "id_raw": "SA-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Development Methods / Techniques / Practices", "description": "The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]." }, 
@@ -13105,7 +13105,7 @@ "id_raw": "SA-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "System / Component / Service Configurations", "description": "The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." }, @@ -13115,7 +13115,7 @@ "id_raw": "SA-4 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Use Of Information Assurance Products", "description": "The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures." }, @@ -13125,7 +13125,7 @@ "id_raw": "SA-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Niap-Approved Protection Profiles", "description": "The organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated." }, 
@@ -13135,7 +13135,7 @@ "id_raw": "SA-4 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Continuous Monitoring Plan", "description": "The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]." }, @@ -13145,7 +13145,7 @@ "id_raw": "SA-4 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Functions / Ports / Protocols / Services In Use", "description": "The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use." }, @@ -13155,7 +13155,7 @@ "id_raw": "SA-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;" }, @@ -13165,7 +13165,7 @@ "id_raw": "SA-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;" }, 
@@ -13175,7 +13175,7 @@ "id_raw": "SA-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements;" }, @@ -13185,7 +13185,7 @@ "id_raw": "SA-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;" }, @@ -13195,7 +13195,7 @@ "id_raw": "SA-4e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation;" }, 
@@ -13205,7 +13205,7 @@ "id_raw": "SA-4f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and" }, @@ -13215,7 +13215,7 @@ "id_raw": "SA-4g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria." }, @@ -13225,7 +13225,7 @@ "id_raw": "SA-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Information System Documentation", "description": null }, @@ -13235,7 +13235,7 @@ "id_raw": "SA-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;" }, 
@@ -13245,7 +13245,7 @@ "id_raw": "SA-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and User responsibilities in maintaining the security of the system, component, or service;" }, @@ -13255,7 +13255,7 @@ "id_raw": "SA-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;" }, @@ -13265,7 +13265,7 @@ "id_raw": "SA-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Protects documentation as required, in accordance with the risk management strategy; and" }, @@ -13275,7 +13275,7 @@ "id_raw": "SA-5e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]." }, @@ -13285,7 +13285,7 @@ "id_raw": "SA-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Software Usage Restrictions", "description": null }, @@ -13295,7 +13295,7 @@ "id_raw": "SA-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "User-Installed Software", "description": null }, @@ -13305,7 +13305,7 @@ "id_raw": "SA-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Security Engineering Principles", "description": null }, 
@@ -13315,7 +13315,7 @@ "id_raw": "SA-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "External Information System Services", "description": null }, @@ -13325,7 +13325,7 @@ "id_raw": "SA-9 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Risk Assessments / Organizational Approvals", "description": "The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]." }, @@ -13335,7 +13335,7 @@ "id_raw": "SA-9 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Identification Of Functions / Ports / Protocols / Services", "description": "The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services." }, @@ -13345,7 +13345,7 @@ "id_raw": "SA-9 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Establish / Maintain Trust Relationship With Providers", "description": "The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]." }, @@ -13355,7 +13355,7 @@ "id_raw": "SA-9 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Consistent Interests Of Consumers And Providers", "description": "The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests." }, 
@@ -13365,7 +13365,7 @@ "id_raw": "SA-9 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Processing, Storage, And Service Location", "description": "The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]." }, @@ -13375,7 +13375,7 @@ "id_raw": "SA-9a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" }, @@ -13385,7 +13385,7 @@ "id_raw": "SA-9b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and" }, @@ -13395,7 +13395,7 @@ "id_raw": "SA-9c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis." }, @@ -13415,7 +13415,7 @@ "id_raw": "SC-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "System and Communications Protection Policy and Procedures", "description": null }, @@ -13425,7 +13425,7 @@ "id_raw": "SC-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Network Disconnect", "description": null }, 
@@ -13435,7 +13435,7 @@ "id_raw": "SC-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Trusted Path", "description": null }, @@ -13445,7 +13445,7 @@ "id_raw": "SC-11 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Logical Isolation", "description": "The information system provides a trusted communications path that is logically isolated and distinguishable from other paths." }, @@ -13455,7 +13455,7 @@ "id_raw": "SC-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Cryptographic Key Establishment and Management", "description": null }, @@ -13465,7 +13465,7 @@ "id_raw": "SC-12 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Availability", "description": "The organization maintains availability of information in the event of the loss of cryptographic keys by users." }, @@ -13475,7 +13475,7 @@ "id_raw": "SC-12 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Symmetric Keys", "description": "The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes." }, @@ -13485,7 +13485,7 @@ "id_raw": "SC-12 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Asymmetric Keys", "description": "The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]." }, @@ -13495,7 +13495,7 @@ "id_raw": "SC-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Cryptographic Protection", "description": null }, 
@@ -13505,7 +13505,7 @@ "id_raw": "SC-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Public Access Protections", "description": null }, @@ -13515,7 +13515,7 @@ "id_raw": "SC-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Collaborative Computing Devices", "description": null }, @@ -13525,7 +13525,7 @@ "id_raw": "SC-15 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Physical Disconnect", "description": "The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use." }, @@ -13535,7 +13535,7 @@ "id_raw": "SC-15 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Disabling / Removal In Secure Work Areas", "description": "The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]." }, @@ -13545,7 +13545,7 @@ "id_raw": "SC-15 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Explicitly Indicate Current Participants", "description": "The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]." }, @@ -13555,7 +13555,7 @@ "id_raw": "SC-15a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and" }, @@ -13565,7 +13565,7 @@ "id_raw": "SC-15b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Provides an explicit indication of use to users physically present at the devices." }, 
@@ -13575,7 +13575,7 @@ "id_raw": "SC-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Transmission Of Security Attributes", "description": null }, @@ -13585,7 +13585,7 @@ "id_raw": "SC-16 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Integrity Validation", "description": "The information system validates the integrity of transmitted security attributes." }, @@ -13595,7 +13595,7 @@ "id_raw": "SC-17", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 17, "title": "Public Key Infrastructure Certificates", "description": null }, @@ -13605,7 +13605,7 @@ "id_raw": "SC-18", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 18, "title": "Mobile Code", "description": null }, @@ -13615,7 +13615,7 @@ "id_raw": "SC-18 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Identify Unacceptable Code / Take Corrective Actions", "description": "The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]." }, @@ -13625,7 +13625,7 @@ "id_raw": "SC-18 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Acquisition / Development / Use", "description": "The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]." }, @@ -13635,7 +13635,7 @@ "id_raw": "SC-18 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Prevent Downloading / Execution", "description": "The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]." }, 
@@ -13645,7 +13645,7 @@ "id_raw": "SC-18 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Prevent Automatic Execution", "description": "The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code." }, @@ -13655,7 +13655,7 @@ "id_raw": "SC-18 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Allow Execution Only In Confined Environments", "description": "The organization allows execution of permitted mobile code only in confined virtual machine environments." }, @@ -13665,7 +13665,7 @@ "id_raw": "SC-18a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;" }, @@ -13675,7 +13675,7 @@ "id_raw": "SC-18b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and" }, @@ -13685,7 +13685,7 @@ "id_raw": "SC-18c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Authorizes, monitors, and controls the use of mobile code within the information system." }, @@ -13695,7 +13695,7 @@ "id_raw": "SC-19", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 19, "title": "Voice Over Internet Protocol", "description": null }, @@ -13705,7 +13705,7 @@ "id_raw": "SC-19a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and" }, 
@@ -13715,7 +13715,7 @@ "id_raw": "SC-19b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Authorizes, monitors, and controls the use of VoIP within the information system." }, @@ -13725,7 +13725,7 @@ "id_raw": "SC-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and" }, @@ -13735,7 +13735,7 @@ "id_raw": "SC-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and System and communications protection procedures [Assignment: organization-defined frequency]." }, @@ -13745,7 +13745,7 @@ "id_raw": "SC-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Application Partitioning", "description": null }, @@ -13755,7 +13755,7 @@ "id_raw": "SC-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Interfaces For Non-Privileged Users", "description": "The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users." }, @@ -13765,7 +13765,7 @@ "id_raw": "SC-20", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 20, "title": "Secure Name / Address Resolution Service (Authoritative Source)", "description": null }, 
@@ -13775,7 +13775,7 @@ "id_raw": "SC-20 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Data Origin / Integrity", "description": "The information system provides data origin and integrity protection artifacts for internal name/address resolution queries." }, @@ -13785,7 +13785,7 @@ "id_raw": "SC-20a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" }, @@ -13795,7 +13795,7 @@ "id_raw": "SC-20b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." }, @@ -13805,7 +13805,7 @@ "id_raw": "SC-21", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 21, "title": "Secure Name / Address Resolution Service (Recursive Or Caching Resolver)", "description": null }, @@ -13815,7 +13815,7 @@ "id_raw": "SC-22", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 22, "title": "Architecture and Provisioning For Name / Address Resolution Service", "description": null }, @@ -13825,7 +13825,7 @@ "id_raw": "SC-23", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 23, "title": "Session Authenticity", "description": null }, @@ -13835,7 +13835,7 @@ "id_raw": "SC-23 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Invalidate Session Identifiers At Logout", "description": "The information system invalidates session identifiers upon user logout or other session termination." }, 
@@ -13845,7 +13845,7 @@ "id_raw": "SC-23 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Unique Session Identifiers With Randomization", "description": "The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated." }, @@ -13855,7 +13855,7 @@ "id_raw": "SC-23 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Allowed Certificate Authorities", "description": "The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions." }, @@ -13865,7 +13865,7 @@ "id_raw": "SC-24", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 24, "title": "Fail In Known State", "description": null }, @@ -13875,7 +13875,7 @@ "id_raw": "SC-25", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 25, "title": "Thin Nodes", "description": null }, @@ -13885,7 +13885,7 @@ "id_raw": "SC-26", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 26, "title": "Honeypots", "description": null }, @@ -13895,7 +13895,7 @@ "id_raw": "SC-27", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 27, "title": "Platform-Independent Applications", "description": null }, @@ -13905,7 +13905,7 @@ "id_raw": "SC-28", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 28, "title": "Protection Of Information At Rest", "description": null }, @@ -13915,7 +13915,7 @@ "id_raw": "SC-28 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Cryptographic Protection", "description": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]." }, 
@@ -13925,7 +13925,7 @@ "id_raw": "SC-28 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Off-Line Storage", "description": "The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]." }, @@ -13935,7 +13935,7 @@ "id_raw": "SC-29", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 29, "title": "Heterogeneity", "description": null }, @@ -13945,7 +13945,7 @@ "id_raw": "SC-29 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Virtualization Techniques", "description": "The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]." }, @@ -13955,7 +13955,7 @@ "id_raw": "SC-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Security Function Isolation", "description": null }, @@ -13965,7 +13965,7 @@ "id_raw": "SC-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Hardware Separation", "description": "The information system utilizes underlying hardware separation mechanisms to implement security function isolation." }, @@ -13975,7 +13975,7 @@ "id_raw": "SC-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Access / Flow Control Functions", "description": "The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions." }, @@ -13985,7 +13985,7 @@ "id_raw": "SC-3 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Minimize Nonsecurity Functionality", "description": "The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions." }, 
@@ -13995,7 +13995,7 @@ "id_raw": "SC-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Module Coupling And Cohesiveness", "description": "The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules." }, @@ -14005,7 +14005,7 @@ "id_raw": "SC-3 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Layered Structures", "description": "The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers." }, @@ -14015,7 +14015,7 @@ "id_raw": "SC-30", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 30, "title": "Concealment and Misdirection", "description": null }, @@ -14025,7 +14025,7 @@ "id_raw": "SC-30 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Randomness", "description": "The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets." }, @@ -14035,7 +14035,7 @@ "id_raw": "SC-30 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Change Processing / Storage Locations", "description": "The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]." }, @@ -14045,7 +14045,7 @@ "id_raw": "SC-30 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Misleading Information", "description": "The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture." }, 
@@ -14055,7 +14055,7 @@ "id_raw": "SC-30 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Concealment Of System Components", "description": "The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]." }, @@ -14065,7 +14065,7 @@ "id_raw": "SC-31", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 31, "title": "Covert Channel Analysis", "description": null }, @@ -14075,7 +14075,7 @@ "id_raw": "SC-31 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Test Covert Channels For Exploitability", "description": "The organization tests a subset of the identified covert channels to determine which channels are exploitable." }, @@ -14085,7 +14085,7 @@ "id_raw": "SC-31 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Maximum Bandwidth", "description": "The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]." }, @@ -14095,7 +14095,7 @@ "id_raw": "SC-31 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Measure Bandwidth In Operational Environments", "description": "The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system." }, @@ -14105,7 +14105,7 @@ "id_raw": "SC-31a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and" }, 
@@ -14115,7 +14115,7 @@ "id_raw": "SC-31b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Estimates the maximum bandwidth of those channels." }, @@ -14125,7 +14125,7 @@ "id_raw": "SC-32", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 32, "title": "Information System Partitioning", "description": null }, @@ -14135,7 +14135,7 @@ "id_raw": "SC-33", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 33, "title": "Transmission Preparation Integrity", "description": null }, @@ -14145,7 +14145,7 @@ "id_raw": "SC-34", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 34, "title": "Non-Modifiable Executable Programs", "description": null }, @@ -14155,7 +14155,7 @@ "id_raw": "SC-34 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "No Writable Storage", "description": "The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off." }, @@ -14165,7 +14165,7 @@ "id_raw": "SC-34 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Integrity Protection / Read-Only Media", "description": "The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media." }, @@ -14175,7 +14175,7 @@ "id_raw": "SC-34 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Hardware-Based Protection", "description": "The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode." }, 
@@ -14185,7 +14185,7 @@ "id_raw": "SC-34a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and" }, @@ -14195,7 +14195,7 @@ "id_raw": "SC-34b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system at [Assignment: organization-defined information system components]: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media." }, @@ -14205,7 +14205,7 @@ "id_raw": "SC-35", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 35, "title": "Honeyclients", "description": null }, @@ -14215,7 +14215,7 @@ "id_raw": "SC-36", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 36, "title": "Distributed Processing and Storage", "description": null }, @@ -14225,7 +14225,7 @@ "id_raw": "SC-36 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Polling Techniques", "description": "The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]." }, @@ -14235,7 +14235,7 @@ "id_raw": "SC-37", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 37, "title": "Out-Of-Band Channels", "description": null }, @@ -14245,7 +14245,7 @@ "id_raw": "SC-37 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Ensure Delivery / Transmission", "description": "The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]." }, 
@@ -14255,7 +14255,7 @@ "id_raw": "SC-38", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 38, "title": "Operations Security", "description": null }, @@ -14265,7 +14265,7 @@ "id_raw": "SC-39", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 39, "title": "Process Isolation", "description": null }, @@ -14275,7 +14275,7 @@ "id_raw": "SC-39 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Hardware Separation", "description": "The information system implements underlying hardware separation mechanisms to facilitate process separation." }, @@ -14285,7 +14285,7 @@ "id_raw": "SC-39 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Thread Isolation", "description": "The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]." }, @@ -14295,7 +14295,7 @@ "id_raw": "SC-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Information In Shared Resources", "description": null }, @@ -14305,7 +14305,7 @@ "id_raw": "SC-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Periods Processing", "description": "The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories." }, @@ -14315,7 +14315,7 @@ "id_raw": "SC-40", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 40, "title": "Wireless Link Protection", "description": null }, 
@@ -14325,7 +14325,7 @@ "id_raw": "SC-40 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Electromagnetic Interference", "description": "The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference." }, @@ -14335,7 +14335,7 @@ "id_raw": "SC-40 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Reduce Detection Potential", "description": "The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]." }, @@ -14345,7 +14345,7 @@ "id_raw": "SC-40 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Imitative Or Manipulative Communications Deception", "description": "The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters." }, @@ -14355,7 +14355,7 @@ "id_raw": "SC-40 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Signal Parameter Identification", "description": "The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters." }, @@ -14365,7 +14365,7 @@ "id_raw": "SC-41", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 41, "title": "Port and I/O Device Access", "description": null }, @@ -14375,7 +14375,7 @@ "id_raw": "SC-42", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 42, "title": "Sensor Capability and Data", "description": null }, 
@@ -14385,7 +14385,7 @@ "id_raw": "SC-42 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Reporting To Authorized Individuals Or Roles", "description": "The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles." }, @@ -14395,7 +14395,7 @@ "id_raw": "SC-42 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Authorized Use", "description": "The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes." }, @@ -14405,7 +14405,7 @@ "id_raw": "SC-42 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Prohibit Use Of Devices", "description": "The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]." }, @@ -14415,7 +14415,7 @@ "id_raw": "SC-42a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and" }, @@ -14425,7 +14425,7 @@ "id_raw": "SC-42b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]." }, @@ -14435,7 +14435,7 @@ "id_raw": "SC-43", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 43, "title": "Usage Restrictions", "description": null }, 
@@ -14445,7 +14445,7 @@ "id_raw": "SC-43a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and" }, @@ -14455,7 +14455,7 @@ "id_raw": "SC-43b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Authorizes, monitors, and controls the use of such components within the information system." }, @@ -14465,7 +14465,7 @@ "id_raw": "SC-44", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 44, "title": "Detonation Chambers", "description": null }, @@ -14475,7 +14475,7 @@ "id_raw": "SC-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Denial Of Service Protection", "description": null }, @@ -14485,7 +14485,7 @@ "id_raw": "SC-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Restrict Internal Users", "description": "The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems." }, @@ -14495,7 +14495,7 @@ "id_raw": "SC-5 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Excess Capacity / Bandwidth / Redundancy", "description": "The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks." }, 
@@ -14505,7 +14505,7 @@ "id_raw": "SC-5 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Detection / Monitoring", "description": "The organization: Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks." }, @@ -14515,7 +14515,7 @@ "id_raw": "SC-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Resource Availability", "description": null }, @@ -14525,7 +14525,7 @@ "id_raw": "SC-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Boundary Protection", "description": null }, @@ -14535,7 +14535,7 @@ "id_raw": "SC-7 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Prevent Unauthorized Exfiltration", "description": "The organization prevents the unauthorized exfiltration of information across managed interfaces." }, @@ -14545,7 +14545,7 @@ "id_raw": "SC-7 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Restrict Incoming Communications Traffic", "description": "The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]." }, @@ -14555,7 +14555,7 @@ "id_raw": "SC-7 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Host-Based Protection", "description": "The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]." }, 
@@ -14565,7 +14565,7 @@ "id_raw": "SC-7 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Isolation Of Security Tools / Mechanisms / Support Components", "description": "The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system." }, @@ -14575,7 +14575,7 @@ "id_raw": "SC-7 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Protects Against Unauthorized Physical Connections", "description": "The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]." }, @@ -14585,7 +14585,7 @@ "id_raw": "SC-7 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Route Privileged Network Accesses", "description": "The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing." }, @@ -14595,7 +14595,7 @@ "id_raw": "SC-7 (16)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 16, "title": "Prevent Discovery Of Components / Devices", "description": "The information system prevents discovery of specific system components composing a managed interface." }, @@ -14605,7 +14605,7 @@ "id_raw": "SC-7 (17)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 17, "title": "Automated Enforcement Of Protocol Formats", "description": "The information system enforces adherence to protocol formats." }, @@ -14615,7 +14615,7 @@ "id_raw": "SC-7 (18)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 18, "title": "Fail Secure", "description": "The information system fails securely in the event of an operational failure of a boundary protection device." }, 
@@ -14625,7 +14625,7 @@ "id_raw": "SC-7 (19)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 19, "title": "Blocks Communication From Non-Organizationally Configured Hosts", "description": "The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers." }, @@ -14635,7 +14635,7 @@ "id_raw": "SC-7 (20)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 20, "title": "Dynamic Isolation / Segregation", "description": "The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system." }, @@ -14645,7 +14645,7 @@ "id_raw": "SC-7 (21)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 21, "title": "Isolation Of Information System Components", "description": "The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]." }, @@ -14655,7 +14655,7 @@ "id_raw": "SC-7 (22)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 22, "title": "Separate Subnets For Connecting To Different Security Domains", "description": "The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains." }, @@ -14665,7 +14665,7 @@ "id_raw": "SC-7 (23)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 23, "title": "Disable Sender Feedback On Protocol Validation Failure", "description": "The information system disables feedback to senders on protocol format validation failure." }, 
@@ -14675,7 +14675,7 @@ "id_raw": "SC-7 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Access Points", "description": "The organization limits the number of external network connections to the information system." }, @@ -14685,7 +14685,7 @@ "id_raw": "SC-7 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "External Telecommunications Services", "description": "The organization: Implements a managed interface for each external telecommunication service; Establishes a traffic flow policy for each managed interface; Protects the confidentiality and integrity of the information being transmitted across each interface; Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need." }, @@ -14695,7 +14695,7 @@ "id_raw": "SC-7 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Deny By Default / Allow By Exception", "description": "The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)." }, @@ -14705,7 +14705,7 @@ "id_raw": "SC-7 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Prevent Split Tunneling For Remote Devices", "description": "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks." }, 
@@ -14715,7 +14715,7 @@ "id_raw": "SC-7 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Route Traffic To Authenticated Proxy Servers", "description": "The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces." }, @@ -14725,7 +14725,7 @@ "id_raw": "SC-7 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Restrict Threatening Outgoing Communications Traffic", "description": "The information system: Detects and denies outgoing communications traffic posing a threat to external information systems; and Audits the identity of internal users associated with denied communications." }, @@ -14735,7 +14735,7 @@ "id_raw": "SC-7a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;" }, @@ -14745,7 +14745,7 @@ "id_raw": "SC-7b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and" }, @@ -14755,7 +14755,7 @@ "id_raw": "SC-7c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." }, @@ -14765,7 +14765,7 @@ "id_raw": "SC-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Transmission Confidentiality and Integrity", "description": null }, 
@@ -14775,7 +14775,7 @@ "id_raw": "SC-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Cryptographic Or Alternate Physical Protection", "description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]." }, @@ -14785,7 +14785,7 @@ "id_raw": "SC-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Pre / Post Transmission Handling", "description": "The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." }, @@ -14795,7 +14795,7 @@ "id_raw": "SC-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Cryptographic Protection For Message Externals", "description": "The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]." }, @@ -14805,7 +14805,7 @@ "id_raw": "SC-8 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Conceal / Randomize Communications", "description": "The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]." }, @@ -14815,7 +14815,7 @@ "id_raw": "SC-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Transmission Confidentiality", "description": null }, @@ -14835,7 +14835,7 @@ "id_raw": "SI-1", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 1, "title": "System and Information Integrity Policy and Procedures", "description": null }, 
@@ -14845,7 +14845,7 @@ "id_raw": "SI-10", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 10, "title": "Information Input Validation", "description": null }, @@ -14855,7 +14855,7 @@ "id_raw": "SI-10 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Manual Override Capability", "description": "The information system: Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and Audits the use of the manual override capability." }, @@ -14865,7 +14865,7 @@ "id_raw": "SI-10 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Review / Resolution Of Errors", "description": "The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]." }, @@ -14875,7 +14875,7 @@ "id_raw": "SI-10 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Predictable Behavior", "description": "The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received." }, @@ -14885,7 +14885,7 @@ "id_raw": "SI-10 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Review / Timing Interactions", "description": "The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs." }, @@ -14895,7 +14895,7 @@ "id_raw": "SI-10 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Restrict Inputs To Trusted Sources And Approved Formats", "description": "The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]." }, 
@@ -14905,7 +14905,7 @@ "id_raw": "SI-11", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 11, "title": "Error Handling", "description": null }, @@ -14915,7 +14915,7 @@ "id_raw": "SI-11a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and" }, @@ -14925,7 +14925,7 @@ "id_raw": "SI-11b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles]." }, @@ -14935,7 +14935,7 @@ "id_raw": "SI-12", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 12, "title": "Information Handling and Retention", "description": null }, @@ -14945,7 +14945,7 @@ "id_raw": "SI-13", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 13, "title": "Predictable Failure Prevention", "description": null }, @@ -14955,7 +14955,7 @@ "id_raw": "SI-13 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Transferring Component Responsibilities", "description": "The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure." }, @@ -14965,7 +14965,7 @@ "id_raw": "SI-13 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Manual Transfer Between Components", "description": "The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]." }, 
@@ -14975,7 +14975,7 @@ "id_raw": "SI-13 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Standby Component Installation / Notification", "description": "The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]." }, @@ -14985,7 +14985,7 @@ "id_raw": "SI-13 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Failover Capability", "description": "The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system." }, @@ -14995,7 +14995,7 @@ "id_raw": "SI-13a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and" }, @@ -15005,7 +15005,7 @@ "id_raw": "SI-13b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]." }, @@ -15015,7 +15015,7 @@ "id_raw": "SI-14", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 14, "title": "Non-Persistence", "description": null }, @@ -15025,7 +15025,7 @@ "id_raw": "SI-14 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Refresh From Trusted Sources", "description": "The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]." }, 
@@ -15035,7 +15035,7 @@ "id_raw": "SI-15", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 15, "title": "Information Output Filtering", "description": null }, @@ -15045,7 +15045,7 @@ "id_raw": "SI-16", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 16, "title": "Memory Protection", "description": null }, @@ -15055,7 +15055,7 @@ "id_raw": "SI-17", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 17, "title": "Fail-Safe Procedures", "description": null }, @@ -15065,7 +15065,7 @@ "id_raw": "SI-1a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and" }, @@ -15075,7 +15075,7 @@ "id_raw": "SI-1b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and System and information integrity procedures [Assignment: organization-defined frequency]." }, @@ -15085,7 +15085,7 @@ "id_raw": "SI-2", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 2, "title": "Flaw Remediation", "description": null }, @@ -15095,7 +15095,7 @@ "id_raw": "SI-2 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Central Management", "description": "The organization centrally manages the flaw remediation process." }, 
@@ -15105,7 +15105,7 @@ "id_raw": "SI-2 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Flaw Remediation Status", "description": "The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation." }, @@ -15115,7 +15115,7 @@ "id_raw": "SI-2 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Time To Remediate Flaws / Benchmarks For Corrective Actions", "description": "The organization: Measures the time between flaw identification and flaw remediation; and Establishes [Assignment: organization-defined benchmarks] for taking corrective actions." }, @@ -15125,7 +15125,7 @@ "id_raw": "SI-2 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Automatic Software / Firmware Updates", "description": "The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]." }, @@ -15135,7 +15135,7 @@ "id_raw": "SI-2 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Removal Of Previous Versions Of Software / Firmware", "description": "The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed." }, @@ -15145,7 +15145,7 @@ "id_raw": "SI-2a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Identifies, reports, and corrects information system flaws;" }, @@ -15155,7 +15155,7 @@ "id_raw": "SI-2b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" }, 
@@ -15165,7 +15165,7 @@ "id_raw": "SI-2c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and" }, @@ -15175,7 +15175,7 @@ "id_raw": "SI-2d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Incorporates flaw remediation into the organizational configuration management process." }, @@ -15185,7 +15185,7 @@ "id_raw": "SI-3", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 3, "title": "Malicious Code Protection", "description": null }, @@ -15195,7 +15195,7 @@ "id_raw": "SI-3 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Central Management", "description": "The organization centrally manages malicious code protection mechanisms." }, @@ -15205,7 +15205,7 @@ "id_raw": "SI-3 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Malicious Code Analysis", "description": "The organization: Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes." }, @@ -15215,7 +15215,7 @@ "id_raw": "SI-3 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automatic Updates", "description": "The information system automatically updates malicious code protection mechanisms." }, @@ -15225,7 +15225,7 @@ "id_raw": "SI-3 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Updates Only By Privileged Users", "description": "The information system updates malicious code protection mechanisms only when directed by a privileged user." }, 
@@ -15235,7 +15235,7 @@ "id_raw": "SI-3 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Testing / Verification", "description": "The organization: Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and Verifies that both detection of the test case and associated incident reporting occur." }, @@ -15245,7 +15245,7 @@ "id_raw": "SI-3 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Nonsignature-Based Detection", "description": "The information system implements nonsignature-based malicious code detection mechanisms." }, @@ -15255,7 +15255,7 @@ "id_raw": "SI-3 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Detect Unauthorized Commands", "description": "The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command]." }, @@ -15265,7 +15265,7 @@ "id_raw": "SI-3 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Authenticate Remote Commands", "description": "The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]." }, @@ -15275,7 +15275,7 @@ "id_raw": "SI-3a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;" }, 
@@ -15285,7 +15285,7 @@ "id_raw": "SI-3b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;" }, @@ -15295,7 +15295,7 @@ "id_raw": "SI-3c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and" }, @@ -15305,7 +15305,7 @@ "id_raw": "SI-3d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system." }, @@ -15315,7 +15315,7 @@ "id_raw": "SI-4", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 4, "title": "Information System Monitoring", "description": null }, @@ -15325,7 +15325,7 @@ "id_raw": "SI-4 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "System-Wide Intrusion Detection System", "description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system." }, 
@@ -15335,7 +15335,7 @@ "id_raw": "SI-4 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Visibility Of Encrypted Communications", "description": "The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]." }, @@ -15345,7 +15345,7 @@ "id_raw": "SI-4 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Analyze Communications Traffic Anomalies", "description": "The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies." }, @@ -15355,7 +15355,7 @@ "id_raw": "SI-4 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Automated Alerts", "description": "The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]." }, @@ -15365,7 +15365,7 @@ "id_raw": "SI-4 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Analyze Traffic / Event Patterns", "description": "The organization: Analyzes communications traffic/event patterns for the information system; Develops profiles representing common traffic patterns and/or events; and Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives." }, 
@@ -15375,7 +15375,7 @@ "id_raw": "SI-4 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Wireless Intrusion Detection", "description": "The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system." }, @@ -15385,7 +15385,7 @@ "id_raw": "SI-4 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Wireless To Wireline Communications", "description": "The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks." }, @@ -15395,7 +15395,7 @@ "id_raw": "SI-4 (16)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 16, "title": "Correlate Monitoring Information", "description": "The organization correlates information from monitoring tools employed throughout the information system." }, @@ -15405,7 +15405,7 @@ "id_raw": "SI-4 (17)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 17, "title": "Integrated Situational Awareness", "description": "The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness." }, @@ -15415,7 +15415,7 @@ "id_raw": "SI-4 (18)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 18, "title": "Analyze Traffic / Covert Exfiltration", "description": "The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information." }, 
@@ -15425,7 +15425,7 @@ "id_raw": "SI-4 (19)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 19, "title": "Individuals Posing Greater Risk", "description": "The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk." }, @@ -15435,7 +15435,7 @@ "id_raw": "SI-4 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Tools For Real-Time Analysis", "description": "The organization employs automated tools to support near real-time analysis of events." }, @@ -15445,7 +15445,7 @@ "id_raw": "SI-4 (20)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 20, "title": "Privileged Users", "description": "The organization implements [Assignment: organization-defined additional monitoring] of privileged users." }, @@ -15455,7 +15455,7 @@ "id_raw": "SI-4 (21)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 21, "title": "Probationary Periods", "description": "The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]." }, @@ -15465,7 +15465,7 @@ "id_raw": "SI-4 (22)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 22, "title": "Unauthorized Network Services", "description": "The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]." }, 
@@ -15475,7 +15475,7 @@ "id_raw": "SI-4 (23)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 23, "title": "Host-Based Devices", "description": "The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]." }, @@ -15485,7 +15485,7 @@ "id_raw": "SI-4 (24)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 24, "title": "Indicators Of Compromise", "description": "The information system discovers, collects, distributes, and uses indicators of compromise." }, @@ -15495,7 +15495,7 @@ "id_raw": "SI-4 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Automated Tool Integration", "description": "The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination." }, @@ -15505,7 +15505,7 @@ "id_raw": "SI-4 (4)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 4, "title": "Inbound And Outbound Communications Traffic", "description": "The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions." }, @@ -15515,7 +15515,7 @@ "id_raw": "SI-4 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "System-Generated Alerts", "description": "The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]." }, 
@@ -15525,7 +15525,7 @@ "id_raw": "SI-4 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Automated Response To Suspicious Events", "description": "The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]." }, @@ -15535,7 +15535,7 @@ "id_raw": "SI-4 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Testing Of Monitoring Tools", "description": "The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]." }, @@ -15545,7 +15545,7 @@ "id_raw": "SI-4a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections;" }, @@ -15555,7 +15555,7 @@ "id_raw": "SI-4b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];" }, @@ -15565,7 +15565,7 @@ "id_raw": "SI-4c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization;" }, 
@@ -15575,7 +15575,7 @@ "id_raw": "SI-4d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;" }, @@ -15585,7 +15585,7 @@ "id_raw": "SI-4e.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 5, "title": null, "description": "The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;" }, @@ -15595,7 +15595,7 @@ "id_raw": "SI-4f.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 6, "title": null, "description": "The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and" }, @@ -15605,7 +15605,7 @@ "id_raw": "SI-4g.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 7, "title": null, "description": "The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." }, @@ -15615,7 +15615,7 @@ "id_raw": "SI-5", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 5, "title": "Security Alerts, Advisories, and Directives", "description": null }, @@ -15625,7 +15625,7 @@ "id_raw": "SI-5 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Automated Alerts And Advisories", "description": "The organization employs automated mechanisms to make security alert and advisory information available throughout the organization." }, 
@@ -15635,7 +15635,7 @@ "id_raw": "SI-5a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;" }, @@ -15645,7 +15645,7 @@ "id_raw": "SI-5b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Generates internal security alerts, advisories, and directives as deemed necessary;" }, @@ -15655,7 +15655,7 @@ "id_raw": "SI-5c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and" }, @@ -15665,7 +15665,7 @@ "id_raw": "SI-5d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance." }, @@ -15675,7 +15675,7 @@ "id_raw": "SI-6", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 6, "title": "Security Function Verification", "description": null }, @@ -15685,7 +15685,7 @@ "id_raw": "SI-6 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automation Support For Distributed Testing", "description": "The information system implements automated mechanisms to support the management of distributed security testing." }, 
@@ -15695,7 +15695,7 @@ "id_raw": "SI-6 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Report Verification Results", "description": "The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]." }, @@ -15705,7 +15705,7 @@ "id_raw": "SI-6a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The information system: Verifies the correct operation of [Assignment: organization-defined security functions];" }, @@ -15715,7 +15715,7 @@ "id_raw": "SI-6b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The information system: Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];" }, @@ -15725,7 +15725,7 @@ "id_raw": "SI-6c.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 3, "title": null, "description": "The information system: Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and" }, @@ -15735,7 +15735,7 @@ "id_raw": "SI-6d.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 4, "title": null, "description": "The information system: [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered." }, @@ -15745,7 +15745,7 @@ "id_raw": "SI-7", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 7, "title": "Software, Firmware, and Information Integrity", "description": null }, 
@@ -15755,7 +15755,7 @@ "id_raw": "SI-7 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Integrity Checks", "description": "The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." }, @@ -15765,7 +15765,7 @@ "id_raw": "SI-7 (10)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 10, "title": "Protection Of Boot Firmware", "description": "The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]." }, @@ -15775,7 +15775,7 @@ "id_raw": "SI-7 (11)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 11, "title": "Confined Environments With Limited Privileges", "description": "The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges." }, @@ -15785,7 +15785,7 @@ "id_raw": "SI-7 (12)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 12, "title": "Integrity Verification", "description": "The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution." }, @@ -15795,7 +15795,7 @@ "id_raw": "SI-7 (13)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 13, "title": "Code Execution In Protected Environments", "description": "The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]." }, 
@@ -15805,7 +15805,7 @@ "id_raw": "SI-7 (14)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 14, "title": "Binary Or Machine Executable Code", "description": "The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official." }, @@ -15815,7 +15815,7 @@ "id_raw": "SI-7 (15)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 15, "title": "Code Authentication", "description": "The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation." }, @@ -15825,7 +15825,7 @@ "id_raw": "SI-7 (16)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 16, "title": "Time Limit On Process Execution W/O Supervision", "description": "The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]." }, @@ -15835,7 +15835,7 @@ "id_raw": "SI-7 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automated Notifications Of Integrity Violations", "description": "The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification." }, @@ -15845,7 +15845,7 @@ "id_raw": "SI-7 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Centrally-Managed Integrity Tools", "description": "The organization employs centrally managed integrity verification tools." }, 
@@ -15855,7 +15855,7 @@ "id_raw": "SI-7 (5)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 5, "title": "Automated Response To Integrity Violations", "description": "The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered." }, @@ -15865,7 +15865,7 @@ "id_raw": "SI-7 (6)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 6, "title": "Cryptographic Protection", "description": "The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information." }, @@ -15875,7 +15875,7 @@ "id_raw": "SI-7 (7)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 7, "title": "Integration Of Detection And Response", "description": "The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability." }, @@ -15885,7 +15885,7 @@ "id_raw": "SI-7 (8)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 8, "title": "Auditing Capability For Significant Events", "description": "The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." }, @@ -15895,7 +15895,7 @@ "id_raw": "SI-7 (9)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 9, "title": "Verify Boot Process", "description": "The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]." }, 
@@ -15905,7 +15905,7 @@ "id_raw": "SI-8", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 8, "title": "Spam Protection", "description": null }, @@ -15915,7 +15915,7 @@ "id_raw": "SI-8 (1)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 1, "title": "Central Management", "description": "The organization centrally manages spam protection mechanisms." }, @@ -15925,7 +15925,7 @@ "id_raw": "SI-8 (2)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 2, "title": "Automatic Updates", "description": "The information system automatically updates spam protection mechanisms." }, @@ -15935,7 +15935,7 @@ "id_raw": "SI-8 (3)", "tier_raw": "Enhancement", "tier": 2, - "seq": null, + "seq": 3, "title": "Continuous Learning Capability", "description": "The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic." }, @@ -15945,7 +15945,7 @@ "id_raw": "SI-8a.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 1, "title": null, "description": "The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and" }, @@ -15955,7 +15955,7 @@ "id_raw": "SI-8b.", "tier_raw": "Statement", "tier": 2, - "seq": null, + "seq": 2, "title": null, "description": "The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." }, @@ -15965,7 +15965,7 @@ "id_raw": "SI-9", "tier_raw": "Control", "tier": 1, - "seq": null, + "seq": 9, "title": "Information Input Restrictions", "description": null }, 
@@ -17605,7 +17605,7 @@ "id_raw": "1.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17615,7 +17615,7 @@ "id_raw": "1.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing." }, @@ -17625,7 +17625,7 @@ "id_raw": "1.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that all user stories and features contain functional security constraints, such as \"As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile\"" }, @@ -17635,7 +17635,7 @@ "id_raw": "1.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify documentation and justification of all the application's trust boundaries, components, and significant data flows." }, @@ -17645,7 +17645,7 @@ "id_raw": "1.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -17655,7 +17655,7 @@ "id_raw": "1.1.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17665,7 +17665,7 @@ "id_raw": "1.1.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers." }, @@ -17675,7 +17675,7 @@ "id_raw": "1.10.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes." }, @@ -17685,7 +17685,7 @@ "id_raw": "1.11.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the definition and documentation of all application components in terms of the business or security functions they provide." }, @@ -17695,7 +17695,7 @@ "id_raw": "1.11.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state." }, @@ -17705,7 +17705,7 @@ "id_raw": "1.11.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions." }, 
@@ -17715,7 +17715,7 @@ "id_raw": "1.12.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that user-uploaded files are stored outside of the web root." }, @@ -17725,7 +17725,7 @@ "id_raw": "1.12.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file." }, @@ -17735,7 +17735,7 @@ "id_raw": "1.14.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms." }, @@ -17745,7 +17745,7 @@ "id_raw": "1.14.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints." }, @@ -17755,7 +17755,7 @@ "id_raw": "1.14.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions." }, @@ -17765,7 +17765,7 @@ "id_raw": "1.14.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts." }, 
@@ -17775,7 +17775,7 @@ "id_raw": "1.14.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17785,7 +17785,7 @@ "id_raw": "1.14.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets." }, @@ -17795,7 +17795,7 @@ "id_raw": "1.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17805,7 +17805,7 @@ "id_raw": "1.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17815,7 +17815,7 @@ "id_raw": "1.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches." }, 
@@ -17825,7 +17825,7 @@ "id_raw": "1.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application." }, @@ -17835,7 +17835,7 @@ "id_raw": "1.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client." }, @@ -17845,7 +17845,7 @@ "id_raw": "1.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the chosen access control solution is flexible enough to meet the application's needs." }, @@ -17855,7 +17855,7 @@ "id_raw": "1.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege." }, @@ -17865,7 +17865,7 @@ "id_raw": "1.4.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -17875,7 +17875,7 @@ "id_raw": "1.4.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17885,7 +17885,7 @@ "id_raw": "1.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance." }, @@ -17895,7 +17895,7 @@ "id_raw": "1.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection." }, @@ -17905,7 +17905,7 @@ "id_raw": "1.5.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that input validation is enforced on a trusted service layer. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17915,7 +17915,7 @@ "id_raw": "1.5.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that output encoding occurs close to or by the interpreter for which it is intended. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -17925,7 +17925,7 @@ "id_raw": "1.6.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57." }, @@ -17935,7 +17935,7 @@ "id_raw": "1.6.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives." }, @@ -17945,7 +17945,7 @@ "id_raw": "1.6.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data." }, @@ -17955,7 +17955,7 @@ "id_raw": "1.6.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such." }, @@ -17965,7 +17965,7 @@ "id_raw": "1.7.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a common logging format and approach is used across the system. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -17975,7 +17975,7 @@ "id_raw": "1.7.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -17985,7 +17985,7 @@ "id_raw": "1.8.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all sensitive data is identified and classified into protection levels." }, @@ -17995,7 +17995,7 @@ "id_raw": "1.8.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture." }, @@ -18005,7 +18005,7 @@ "id_raw": "1.9.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18015,7 +18015,7 @@ "id_raw": "1.9.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains." }, @@ -18025,7 +18025,7 @@ "id_raw": "2.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that user set passwords are at least 12 characters in length. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18035,7 +18035,7 @@ "id_raw": "2.1.10", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 10, "title": null, "description": "Verify that there are no periodic credential rotation or password history requirements." }, 
@@ -18045,7 +18045,7 @@ "id_raw": "2.1.11", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 11, "title": null, "description": "Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted." }, @@ -18055,7 +18055,7 @@ "id_raw": "2.1.12", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 12, "title": null, "description": "Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality." }, @@ -18065,7 +18065,7 @@ "id_raw": "2.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that passwords 64 characters or longer are permitted. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18075,7 +18075,7 @@ "id_raw": "2.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18085,7 +18085,7 @@ "id_raw": "2.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted." }, @@ -18095,7 +18095,7 @@ "id_raw": "2.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify users can change their password." }, @@ -18105,7 +18105,7 @@ "id_raw": "2.1.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that password change functionality requires the user's current and new password." }, 
@@ -18115,7 +18115,7 @@ "id_raw": "2.1.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18125,7 +18125,7 @@ "id_raw": "2.1.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify that a password strength meter is provided to help users set a stronger password." }, @@ -18135,7 +18135,7 @@ "id_raw": "2.1.9", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 9, "title": null, "description": "Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18145,7 +18145,7 @@ "id_raw": "2.10.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts." }, @@ -18155,7 +18155,7 @@ "id_raw": "2.10.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that if passwords are required, the credentials are not a default account." }, 
@@ -18165,7 +18165,7 @@ "id_raw": "2.10.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access." }, @@ -18175,7 +18175,7 @@ "id_raw": "2.10.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage." }, @@ -18185,7 +18185,7 @@ "id_raw": "2.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account." }, @@ -18195,7 +18195,7 @@ "id_raw": "2.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise." }, 
@@ -18205,7 +18205,7 @@ "id_raw": "2.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification." }, @@ -18215,7 +18215,7 @@ "id_raw": "2.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates." }, @@ -18225,7 +18225,7 @@ "id_raw": "2.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints." }, @@ -18235,7 +18235,7 @@ "id_raw": "2.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify replay resistance through the mandated use of OTP devices, cryptographic authenticators, or lookup codes." }, @@ -18245,7 +18245,7 @@ "id_raw": "2.2.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key." }, 
@@ -18255,7 +18255,7 @@ "id_raw": "2.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password." }, @@ -18265,7 +18265,7 @@ "id_raw": "2.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or FIDO tokens." }, @@ -18275,7 +18275,7 @@ "id_raw": "2.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that renewal instructions are sent with sufficient time to renew time bound authenticators." }, @@ -18285,7 +18285,7 @@ "id_raw": "2.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18295,7 +18295,7 @@ "id_raw": "2.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -18305,7 +18305,7 @@ "id_raw": "2.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18315,7 +18315,7 @@ "id_raw": "2.4.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18325,7 +18325,7 @@ "id_raw": "2.4.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module)." }, @@ -18335,7 +18335,7 @@ "id_raw": "2.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18345,7 +18345,7 @@ "id_raw": "2.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify password hints or knowledge-based authentication (so-called \"secret questions\") are not present." }, 
@@ -18355,7 +18355,7 @@ "id_raw": "2.5.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify password credential recovery does not reveal the current password in any way. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18365,7 +18365,7 @@ "id_raw": "2.5.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify shared or default accounts are not present (e.g. \"root\", \"admin\", or \"sa\")." }, @@ -18375,7 +18375,7 @@ "id_raw": "2.5.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that if an authentication factor is changed or replaced, that the user is notified of this event." }, @@ -18385,7 +18385,7 @@ "id_raw": "2.5.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18395,7 +18395,7 @@ "id_raw": "2.5.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment." }, @@ -18405,7 +18405,7 @@ "id_raw": "2.6.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that lookup secrets can be used only once." }, @@ -18415,7 +18415,7 @@ "id_raw": "2.6.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash." }, 
@@ -18425,7 +18425,7 @@ "id_raw": "2.6.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that lookup secrets are resistant to offline attacks, such as predictable values." }, @@ -18435,7 +18435,7 @@ "id_raw": "2.7.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that clear text out of band (NIST \"restricted\") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first." }, @@ -18445,7 +18445,7 @@ "id_raw": "2.7.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes." }, @@ -18455,7 +18455,7 @@ "id_raw": "2.7.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request." }, @@ -18465,7 +18465,7 @@ "id_raw": "2.7.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the out of band authenticator and verifier communicates over a secure independent channel." }, @@ -18475,7 +18475,7 @@ "id_raw": "2.7.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that the out of band verifier retains only a hashed version of the authentication code." }, @@ -18485,7 +18485,7 @@ "id_raw": "2.7.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient)." }, 
@@ -18495,7 +18495,7 @@ "id_raw": "2.8.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that time-based OTPs have a defined lifetime before expiring." }, @@ -18505,7 +18505,7 @@ "id_raw": "2.8.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage." }, @@ -18515,7 +18515,7 @@ "id_raw": "2.8.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." }, @@ -18525,7 +18525,7 @@ "id_raw": "2.8.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that time-based OTP can be used only once within the validity period." }, @@ -18535,7 +18535,7 @@ "id_raw": "2.8.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications being sent to the holder of the device." }, @@ -18545,7 +18545,7 @@ "id_raw": "2.8.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location." }, @@ -18555,7 +18555,7 @@ "id_raw": "2.8.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know." }, 
@@ -18565,7 +18565,7 @@ "id_raw": "2.9.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage." }, @@ -18575,7 +18575,7 @@ "id_raw": "2.9.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device." }, @@ -18585,7 +18585,7 @@ "id_raw": "2.9.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that approved cryptographic algorithms are used in the generation, seeding, and verification." }, @@ -18595,7 +18595,7 @@ "id_raw": "3.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application never reveals session tokens in URL parameters or error messages." }, @@ -18605,7 +18605,7 @@ "id_raw": "3.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application generates a new session token on user authentication. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18615,7 +18615,7 @@ "id_raw": "3.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that session tokens possess at least 64 bits of entropy. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18625,7 +18625,7 @@ "id_raw": "3.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage." }, 
@@ -18635,7 +18635,7 @@ "id_raw": "3.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that session token are generated using approved cryptographic algorithms. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18645,7 +18645,7 @@ "id_raw": "3.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18655,7 +18655,7 @@ "id_raw": "3.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18665,7 +18665,7 @@ "id_raw": "3.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties." }, @@ -18675,7 +18675,7 @@ "id_raw": "3.3.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that users are able to view and log out of any or all currently active sessions and devices." }, @@ -18685,7 +18685,7 @@ "id_raw": "3.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that cookie-based session tokens have the 'Secure' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -18695,7 +18695,7 @@ "id_raw": "3.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that cookie-based session tokens have the 'HttpOnly' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18705,7 +18705,7 @@ "id_raw": "3.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18715,7 +18715,7 @@ "id_raw": "3.4.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that cookie-based session tokens use \"__Host-\" prefix (see references) to provide session cookie confidentiality." }, @@ -18725,7 +18725,7 @@ "id_raw": "3.4.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18735,7 +18735,7 @@ "id_raw": "3.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications." }, @@ -18745,7 +18745,7 @@ "id_raw": "3.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations." }, 
@@ -18755,7 +18755,7 @@ "id_raw": "3.5.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks." }, @@ -18765,7 +18765,7 @@ "id_raw": "3.6.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven't used a session within that period." }, @@ -18775,7 +18775,7 @@ "id_raw": "3.6.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user." }, @@ -18785,7 +18785,7 @@ "id_raw": "3.7.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications." }, @@ -18795,7 +18795,7 @@ "id_raw": "4.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed." }, @@ -18805,7 +18805,7 @@ "id_raw": "4.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized." }, 
@@ -18815,7 +18815,7 @@ "id_raw": "4.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18825,7 +18825,7 @@ "id_raw": "4.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18835,7 +18835,7 @@ "id_raw": "4.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that access controls fail securely including when an exception occurs. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18845,7 +18845,7 @@ "id_raw": "4.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records." }, @@ -18855,7 +18855,7 @@ "id_raw": "4.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality." }, 
@@ -18865,7 +18865,7 @@ "id_raw": "4.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use." }, @@ -18875,7 +18875,7 @@ "id_raw": "4.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders." }, @@ -18885,7 +18885,7 @@ "id_raw": "4.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud." }, @@ -18895,7 +18895,7 @@ "id_raw": "5.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables)." }, @@ -18905,7 +18905,7 @@ "id_raw": "5.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -18915,7 +18915,7 @@ "id_raw": "5.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18925,7 +18925,7 @@ "id_raw": "5.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18935,7 +18935,7 @@ "id_raw": "5.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content." }, @@ -18945,7 +18945,7 @@ "id_raw": "5.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -18955,7 +18955,7 @@ "id_raw": "5.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length." }, 
@@ -18965,7 +18965,7 @@ "id_raw": "5.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection." }, @@ -18975,7 +18975,7 @@ "id_raw": "5.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed." }, @@ -18985,7 +18985,7 @@ "id_raw": "5.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed." }, @@ -18995,7 +18995,7 @@ "id_raw": "5.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports." }, @@ -19005,7 +19005,7 @@ "id_raw": "5.2.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject." }, @@ -19015,7 +19015,7 @@ "id_raw": "5.2.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar." }, 
@@ -19025,7 +19025,7 @@ "id_raw": "5.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19035,7 +19035,7 @@ "id_raw": "5.3.10", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 10, "title": null, "description": "Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19045,7 +19045,7 @@ "id_raw": "5.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19055,7 +19055,7 @@ "id_raw": "5.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
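Review bot: the file order is lexicographic on `id_raw`, so the 5.3.10 record (`"seq": 10`) is placed between 5.3.1 (`"seq": 1`) and 5.3.2 (`"seq": 2`). The integer `seq` is what fixes this, but only if consumers sort by it; confirm that the tooling sorts on `seq` within the parent section rather than on file position or the string id, and consider a test that `seq` values are unique and contiguous within each parent so a gap or duplicate is caught.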
@@ -19065,7 +19065,7 @@ "id_raw": "5.3.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19075,7 +19075,7 @@ "id_raw": "5.3.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19085,7 +19085,7 @@ "id_raw": "5.3.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the application projects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19095,7 +19095,7 @@ "id_raw": "5.3.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -19105,7 +19105,7 @@ "id_raw": "5.3.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19115,7 +19115,7 @@ "id_raw": "5.3.9", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 9, "title": null, "description": "Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks." }, @@ -19125,7 +19125,7 @@ "id_raw": "5.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows." }, @@ -19135,7 +19135,7 @@ "id_raw": "5.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that format strings do not take potentially hostile input, and are constant." }, @@ -19145,7 +19145,7 @@ "id_raw": "5.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that sign, range, and input validation techniques are used to prevent integer overflows." }, @@ -19155,7 +19155,7 @@ "id_raw": "5.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -19165,7 +19165,7 @@ "id_raw": "5.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE." }, @@ -19175,7 +19175,7 @@ "id_raw": "5.5.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers)." }, @@ -19185,7 +19185,7 @@ "id_raw": "5.5.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON." }, @@ -19195,7 +19195,7 @@ "id_raw": "6.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR." }, @@ -19205,7 +19205,7 @@ "id_raw": "6.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records." }, @@ -19215,7 +19215,7 @@ "id_raw": "6.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records." }, 
@@ -19225,7 +19225,7 @@ "id_raw": "6.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks." }, @@ -19235,7 +19235,7 @@ "id_raw": "6.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19245,7 +19245,7 @@ "id_raw": "6.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice." }, @@ -19255,7 +19255,7 @@ "id_raw": "6.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19265,7 +19265,7 @@ "id_raw": "6.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility." }, 
@@ -19275,7 +19275,7 @@ "id_raw": "6.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used." }, @@ -19285,7 +19285,7 @@ "id_raw": "6.2.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party." }, @@ -19295,7 +19295,7 @@ "id_raw": "6.2.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information." }, @@ -19305,7 +19305,7 @@ "id_raw": "6.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker." }, @@ -19315,7 +19315,7 @@ "id_raw": "6.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable." }, 
@@ -19325,7 +19325,7 @@ "id_raw": "6.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances." }, @@ -19335,7 +19335,7 @@ "id_raw": "6.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19345,7 +19345,7 @@ "id_raw": "6.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19355,7 +19355,7 @@ "id_raw": "7.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19365,7 +19365,7 @@ "id_raw": "7.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -19375,7 +19375,7 @@ "id_raw": "7.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. ([C5, C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19385,7 +19385,7 @@ "id_raw": "7.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19395,7 +19395,7 @@ "id_raw": "7.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations." }, @@ -19405,7 +19405,7 @@ "id_raw": "7.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations." }, @@ -19415,7 +19415,7 @@ "id_raw": "7.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application appropriately encodes user-supplied data to prevent log injection. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -19425,7 +19425,7 @@ "id_raw": "7.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all events are protected from injection when viewed in log viewing software. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19435,7 +19435,7 @@ "id_raw": "7.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that security logs are protected from unauthorized access and modification. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19445,7 +19445,7 @@ "id_raw": "7.3.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19455,7 +19455,7 @@ "id_raw": "7.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19465,7 +19465,7 @@ "id_raw": "7.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -19475,7 +19475,7 @@ "id_raw": "7.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that a \"last resort\" error handler is defined which will catch all unhandled exceptions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19485,7 +19485,7 @@ "id_raw": "8.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application protects sensitive data from being cached in server components such as load balancers and application caches." }, @@ -19495,7 +19495,7 @@ "id_raw": "8.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data." }, @@ -19505,7 +19505,7 @@ "id_raw": "8.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values." }, @@ -19515,7 +19515,7 @@ "id_raw": "8.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application." }, @@ -19525,7 +19525,7 @@ "id_raw": "8.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that regular backups of important data are performed and that test restoration of data is performed." }, @@ -19535,7 +19535,7 @@ "id_raw": "8.1.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that backups are stored securely to prevent data from being stolen or corrupted." }, 
@@ -19545,7 +19545,7 @@ "id_raw": "8.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers." }, @@ -19555,7 +19555,7 @@ "id_raw": "8.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII." }, @@ -19565,7 +19565,7 @@ "id_raw": "8.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated." }, @@ -19575,7 +19575,7 @@ "id_raw": "8.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data." }, @@ -19585,7 +19585,7 @@ "id_raw": "8.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that users have a method to remove or export their data on demand." }, @@ -19595,7 +19595,7 @@ "id_raw": "8.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way." }, 
@@ -19605,7 +19605,7 @@ "id_raw": "8.3.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19615,7 +19615,7 @@ "id_raw": "8.3.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required." }, @@ -19625,7 +19625,7 @@ "id_raw": "8.3.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data." }, @@ -19635,7 +19635,7 @@ "id_raw": "8.3.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19645,7 +19645,7 @@ "id_raw": "8.3.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires." }, 
@@ -19655,7 +19655,7 @@ "id_raw": "9.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19665,7 +19665,7 @@ "id_raw": "9.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred." }, @@ -19675,7 +19675,7 @@ "id_raw": "9.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite." }, @@ -19685,7 +19685,7 @@ "id_raw": "9.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected." }, @@ -19695,7 +19695,7 @@ "id_raw": "9.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols." }, 
@@ -19705,7 +19705,7 @@ "id_raw": "9.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated." }, @@ -19715,7 +19715,7 @@ "id_raw": "9.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured." }, @@ -19725,7 +19725,7 @@ "id_raw": "9.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that backend TLS connection failures are logged." }, @@ -19735,7 +19735,7 @@ "id_raw": "10.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections." }, @@ -19745,7 +19745,7 @@ "id_raw": "10.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data." }, @@ -19755,7 +19755,7 @@ "id_raw": "10.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location." }, 
@@ -19765,7 +19765,7 @@ "id_raw": "10.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered." }, @@ -19775,7 +19775,7 @@ "id_raw": "10.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the application source code and third party libraries does not contain time bombs by searching for date and time related functions." }, @@ -19785,7 +19785,7 @@ "id_raw": "10.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that the application source code and third party libraries does not contain malicious code, such as salami attacks, logic bypasses, or logic bombs." }, @@ -19795,7 +19795,7 @@ "id_raw": "10.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality." }, @@ -19805,7 +19805,7 @@ "id_raw": "10.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update." }, 
@@ -19815,7 +19815,7 @@ "id_raw": "10.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet." }, @@ -19825,7 +19825,7 @@ "id_raw": "10.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change." }, @@ -19835,7 +19835,7 @@ "id_raw": "11.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps." }, @@ -19845,7 +19845,7 @@ "id_raw": "11.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly." }, @@ -19855,7 +19855,7 @@ "id_raw": "11.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis." }, 
@@ -19865,7 +19865,7 @@ "id_raw": "11.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks." }, @@ -19875,7 +19875,7 @@ "id_raw": "11.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies." }, @@ -19885,7 +19885,7 @@ "id_raw": "11.1.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify the application does not suffer from \"time of check to time of use\" (TOCTOU) issues or other race conditions for sensitive operations." }, @@ -19895,7 +19895,7 @@ "id_raw": "11.1.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -19905,7 +19905,7 @@ "id_raw": "11.1.8", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 8, "title": null, "description": "Verify the application has configurable alerting when automated attacks or unusual activity is detected." }, @@ -19915,7 +19915,7 @@ "id_raw": "12.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application will not accept large files that could fill up storage or cause a denial of service attack." }, 
@@ -19925,7 +19925,7 @@ "id_raw": "12.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that compressed files are checked for \"zip bombs\" - small input files that will decompress into huge files thus exhausting file storage limits." }, @@ -19935,7 +19935,7 @@ "id_raw": "12.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files." }, @@ -19945,7 +19945,7 @@ "id_raw": "12.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content." }, @@ -19955,7 +19955,7 @@ "id_raw": "12.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal." }, @@ -19965,7 +19965,7 @@ "id_raw": "12.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI)." }, @@ -19975,7 +19975,7 @@ "id_raw": "12.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF." }, 
@@ -19985,7 +19985,7 @@ "id_raw": "12.3.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename." }, @@ -19995,7 +19995,7 @@ "id_raw": "12.3.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection." }, @@ -20005,7 +20005,7 @@ "id_raw": "12.3.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs." }, @@ -20015,7 +20015,7 @@ "id_raw": "12.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation." }, @@ -20025,7 +20025,7 @@ "id_raw": "12.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content." }, 
@@ -20035,7 +20035,7 @@ "id_raw": "12.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required." }, @@ -20045,7 +20045,7 @@ "id_raw": "12.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content." }, @@ -20055,7 +20055,7 @@ "id_raw": "12.6.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from." }, @@ -20065,7 +20065,7 @@ "id_raw": "13.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks." }, @@ -20075,7 +20075,7 @@ "id_raw": "13.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that access to administration and management functions is limited to authorized administrators." }, @@ -20085,7 +20085,7 @@ "id_raw": "13.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify API URLs do not expose sensitive information, such as the API key, session tokens etc." }, 
@@ -20095,7 +20095,7 @@ "id_raw": "13.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions." }, @@ -20105,7 +20105,7 @@ "id_raw": "13.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type)." }, @@ -20115,7 +20115,7 @@ "id_raw": "13.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources." }, @@ -20125,7 +20125,7 @@ "id_raw": "13.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that JSON schema validation is in place and verified before accepting input." }, @@ -20135,7 +20135,7 @@ "id_raw": "13.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks." }, @@ -20145,7 +20145,7 @@ "id_raw": "13.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated." }, 
@@ -20155,7 +20155,7 @@ "id_raw": "13.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/JSON." }, @@ -20165,7 +20165,7 @@ "id_raw": "13.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits." }, @@ -20175,7 +20175,7 @@ "id_raw": "13.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place." }, @@ -20185,7 +20185,7 @@ "id_raw": "13.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service." }, @@ -20195,7 +20195,7 @@ "id_raw": "13.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used." }, 
@@ -20205,7 +20205,7 @@ "id_raw": "13.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer." }, @@ -20215,7 +20215,7 @@ "id_raw": "14.1.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts." }, @@ -20225,7 +20225,7 @@ "id_raw": "14.1.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found." }, @@ -20235,7 +20235,7 @@ "id_raw": "14.1.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use." }, @@ -20245,7 +20245,7 @@ "id_raw": "14.1.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion." }, @@ -20255,7 +20255,7 @@ "id_raw": "14.1.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering." }, 
@@ -20265,7 +20265,7 @@ "id_raw": "14.2.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -20275,7 +20275,7 @@ "id_raw": "14.2.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users." }, @@ -20285,7 +20285,7 @@ "id_raw": "14.2.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset." }, @@ -20295,7 +20295,7 @@ "id_raw": "14.2.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -20305,7 +20305,7 @@ "id_raw": "14.2.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, 
@@ -20315,7 +20315,7 @@ "id_raw": "14.2.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))" }, @@ -20325,7 +20325,7 @@ "id_raw": "14.3.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures." }, @@ -20335,7 +20335,7 @@ "id_raw": "14.3.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures." }, @@ -20345,7 +20345,7 @@ "id_raw": "14.3.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components." }, @@ -20355,7 +20355,7 @@ "id_raw": "14.4.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1)." }, @@ -20365,7 +20365,7 @@ "id_raw": "14.4.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that all API responses contain Content-Disposition: attachment; filename=\"api.json\" (or other appropriate filename for the content type)." }, 
@@ -20375,7 +20375,7 @@ "id_raw": "14.4.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities." }, @@ -20385,7 +20385,7 @@ "id_raw": "14.4.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that all responses contain X-Content-Type-Options: nosniff." }, @@ -20395,7 +20395,7 @@ "id_raw": "14.4.5", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 5, "title": null, "description": "Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains." }, @@ -20405,7 +20405,7 @@ "id_raw": "14.4.6", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 6, "title": null, "description": "Verify that a suitable \"Referrer-Policy\" header is included, such as \"no-referrer\" or \"same-origin\"." }, @@ -20415,7 +20415,7 @@ "id_raw": "14.4.7", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 7, "title": null, "description": "Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site." }, @@ -20425,7 +20425,7 @@ "id_raw": "14.5.1", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 1, "title": null, "description": "Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS." }, @@ -20435,7 +20435,7 @@ "id_raw": "14.5.2", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 2, "title": null, "description": "Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker." }, 
@@ -20445,7 +20445,7 @@ "id_raw": "14.5.3", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 3, "title": null, "description": "Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the \"null\" origin." }, 
@@ -20455,8 +20455,26418 @@ "id_raw": "14.5.4", "tier_raw": "Item", "tier": 1, - "seq": null, + "seq": 4, "title": null, "description": "Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv", + "id_raw": "GV", + "tier_raw": "Function", + "tier": 0, + "seq": 1, + "title": "Governance", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id", + "id_raw": "ID", + "tier_raw": "Function", + "tier": 0, + "seq": 2, + "title": "Identify", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr", + "id_raw": "PR", + "tier_raw": "Function", + "tier": 0, + "seq": 3, + "title": "Protect", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de", + "id_raw": "DE", + "tier_raw": "Function", + "tier": 0, + "seq": 4, + "title": "Detect", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs", + "id_raw": "RS", + "tier_raw": "Function", + "tier": 0, + "seq": 5, + "title": "Respond", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc", + "id_raw": "RC", + "tier_raw": "Function", + "tier": 0, + "seq": 6, + "title": "Recover", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm", + "id_raw": "DM", + "tier_raw": "Function", + "tier": 0, + "seq": 7, + "title": "Supply chain / dependency management", + "description": null + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf", + "id_raw": "GV.SF", + "tier_raw": "Category", + "tier": 1, + "seq": 1, + "title": "Strategy and Framework", + "description": "The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in 
critical infrastructure." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm", + "id_raw": "GV.RM", + "tier_raw": "Category", + "tier": 1, + "seq": 2, + "title": "Risk Management", + "description": "The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl", + "id_raw": "GV.PL", + "tier_raw": "Category", + "tier": 1, + "seq": 3, + "title": "Policy", + "description": "The organization has established a security policy in support of its cyber risk management framework." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr", + "id_raw": "GV.RR", + "tier_raw": "Category", + "tier": 1, + "seq": 4, + "title": "Roles and Responsibilities", + "description": "The organization has designated appropriate roles and responsibilities, including an individual responsible for cybersecurity for the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp", + "id_raw": "GV.SP", + "tier_raw": "Category", + "tier": 1, + "seq": 5, + "title": "Security Program", + "description": "The organization has a cybersecurity program that is continually measured and improved." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir", + "id_raw": "GV.IR", + "tier_raw": "Category", + "tier": 1, + "seq": 6, + "title": "Independent Risk Management Function", + "description": "The organization has an independent risk management function." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au", + "id_raw": "GV.AU", + "tier_raw": "Category", + "tier": 1, + "seq": 7, + "title": "Audit", + "description": "The organization has an independent audit function to provide for appropriate oversight of the cybersecurity program." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te", + "id_raw": "GV.TE", + "tier_raw": "Category", + "tier": 1, + "seq": 8, + "title": "Technology", + "description": "The organization integrates cyber risk considerations into new technology development, design, implementation, and adoption." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am", + "id_raw": "ID.AM", + "tier_raw": "Category", + "tier": 1, + "seq": 9, + "title": "Asset Management", + "description": "The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra", + "id_raw": "ID.RA", + "tier_raw": "Category", + "tier": 1, + "seq": 10, + "title": "Risk Assessment", + "description": "The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac", + "id_raw": "PR.AC", + "tier_raw": "Category", + "tier": 1, + "seq": 11, + "title": "Identity Management and Access Control", + "description": "Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at", + "id_raw": "PR.AT", + "tier_raw": "Category", + "tier": 1, + "seq": 12, + "title": "Awareness and Training", + "description": "The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds", + "id_raw": "PR.DS", + "tier_raw": "Category", + "tier": 1, + "seq": 13, + "title": "Data Security", + "description": "Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip", + "id_raw": "PR.IP", + "tier_raw": "Category", + "tier": 1, + "seq": 14, + "title": "Information Protection Processes and Procedures", + "description": "Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.\n" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ma", + "id_raw": "PR.MA", + "tier_raw": "Category", + "tier": 1, + "seq": 15, + "title": "Maintenance", + "description": "Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt", + "id_raw": "PR.PT", + "tier_raw": "Category", + "tier": 1, + "seq": 16, + "title": "Protective Technology", + "description": "Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae", + "id_raw": "DE.AE", + "tier_raw": "Category", + "tier": 1, + "seq": 17, + "title": "Anomalies and Events", + "description": "Anomalous activity is detected in a timely manner and the potential impact of events is understood." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm", + "id_raw": "DE.CM", + "tier_raw": "Category", + "tier": 1, + "seq": 18, + "title": "Security Continuous Monitoring", + "description": "The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp", + "id_raw": "DE.DP", + "tier_raw": "Category", + "tier": 1, + "seq": 19, + "title": "Detection Processes", + "description": "Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.rp", + "id_raw": "RS.RP", + "tier_raw": "Category", + "tier": 1, + "seq": 20, + "title": "Response Planning", + "description": "Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co", + "id_raw": "RS.CO", + "tier_raw": "Category", + "tier": 1, + "seq": 21, + "title": "Communications", + "description": "Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an", + "id_raw": "RS.AN", + "tier_raw": "Category", + "tier": 1, + "seq": 22, + "title": "Analysis", + "description": "Analysis is conducted to ensure adequate response and support recovery activities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi", + "id_raw": "RS.MI", + "tier_raw": "Category", + "tier": 1, + "seq": 23, + "title": "Mitigation", + "description": "Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im", + "id_raw": "RS.IM", + "tier_raw": "Category", + "tier": 1, + "seq": 24, + "title": "Improvements", + "description": "Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp", + "id_raw": "RC.RP", + "tier_raw": "Category", + "tier": 1, + "seq": 25, + "title": "Recovery Planning", + "description": "Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.im", + "id_raw": "RC.IM", + "tier_raw": "Category", + "tier": 1, + "seq": 26, + "title": "Improvements", + "description": "Recovery planning and processes are improved by incorporating lessons learned into future activities." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co", + "id_raw": "RC.CO", + "tier_raw": "Category", + "tier": 1, + "seq": 27, + "title": "Communications", + "description": "Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id", + "id_raw": "DM.ID", + "tier_raw": "Category", + "tier": 1, + "seq": 28, + "title": "Internal Dependencies", + "description": "The organization manages risks associated with its internal dependencies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed", + "id_raw": "DM.ED", + "tier_raw": "Category", + "tier": 1, + "seq": 29, + "title": "External Dependencies", + "description": "The organization manages risks associated with its external dependencies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs", + "id_raw": "DM.RS", + "tier_raw": "Category", + "tier": 1, + "seq": 30, + "title": "Resilience", + "description": "The organization is resilient and able to operate while experiencing a cyber attack." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be", + "id_raw": "DM.BE", + "tier_raw": "Category", + "tier": 1, + "seq": 31, + "title": "Business Environment", + "description": "The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1", + "id_raw": "GV.SF-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 1, + "title": null, + "description": "Organization has a cyber risk management strategy and framework." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-2", + "id_raw": "GV.SF-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 2, + "title": null, + "description": "Cyber risk management strategy and framework is appropriately informed by international, national, and industry standards and guidelines." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-3", + "id_raw": "GV.SF-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 3, + "title": null, + "description": "Cyber risk management strategy and framework address applicable cybersecurity risks." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-4", + "id_raw": "GV.SF-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 4, + "title": null, + "description": "The organization’s determination of cyber risk appetite is informed by its role in critical infrastructure and sector specific risk analysis." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1", + "id_raw": "GV.RM-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 5, + "title": null, + "description": "Cyber risk management processes are established, managed, and agreed to by organizational stakeholders." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-2", + "id_raw": "GV.RM-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 6, + "title": null, + "description": "Organizational risk tolerance is determined and clearly expressed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-3", + "id_raw": "GV.RM-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 7, + "title": null, + "description": "Cyber risk management framework is integrated into the enterprise risk management framework." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-1", + "id_raw": "GV.PL-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 8, + "title": null, + "description": "Organizational cybersecurity policy is established and has been approved by appropriate governance bodies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-2", + "id_raw": "GV.PL-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 9, + "title": null, + "description": "Organizational cybersecurity policy addresses appropriate controls, identified through risk assessment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-3", + "id_raw": "GV.PL-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 10, + "title": null, + "description": "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-1", + "id_raw": "GV.RR-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 11, + "title": null, + "description": "Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-2", + "id_raw": "GV.RR-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 12, + "title": null, + "description": "Organization has appointed a manager responsible for cybersecurity efforts within the organization, including authority, sufficient budget, and access to the executive suite and appropriate governing authority (e.g., the Board or one of its committees)." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-1", + "id_raw": "GV.SP-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 13, + "title": null, + "description": "Organization has a cybersecurity program that implements, monitors and updates its policies, procedures, processes, and controls to continually manage cybersecurity risks to the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-2", + "id_raw": "GV.SP-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 14, + "title": null, + "description": "Cybersecurity performance is measured and regularly reported to senior executives and the Board or an appropriate governing body." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-1", + "id_raw": "GV.IR-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 15, + "title": null, + "description": "An independent risk management function provides assurance that the cybersecurity risk management framework has been implemented according to policy and is consistent with the organization's risk appetite and tolerance." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-2", + "id_raw": "GV.IR-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 16, + "title": null, + "description": "An independent risk management function assesses the appropriateness of the risk management program for the organization's risk appetite and proposes risk mitigation strategies." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-3", + "id_raw": "GV.IR-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 17, + "title": null, + "description": "An independent risk management function reports implementation of cyber risk management framework to the appropriate governing authority (e.g., the Board or one of its committees)" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-1", + "id_raw": "GV.AU-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 18, + "title": null, + "description": "An independent audit function assesses compliance with internal controls and applicable laws and regulations. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-2", + "id_raw": "GV.AU-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 19, + "title": null, + "description": "An independent audit function updates its procedures to adjust to the evolving cybersecurity environment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-3", + "id_raw": "GV.AU-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 20, + "title": null, + "description": "An independent audit function identifies, tracks, and reports significant changes in the organization's cyber risk exposure to the appropriate governing authority (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te-1", + "id_raw": "GV.TE-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 21, + "title": null, + "description": "Organization integrates consideration of cyber risks into technology implementations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te-2", + "id_raw": "GV.TE-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 22, + "title": null, + "description": "Organization should use technical security standards, architectures, and tools to ensure security to the maximum extent possible." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-1", + "id_raw": "ID.AM-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 23, + "title": null, + "description": "Physical devices and systems within the organization are inventoried." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-2", + "id_raw": "ID.AM-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 24, + "title": null, + "description": "Software platforms and applications within the organization are inventoried." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-3", + "id_raw": "ID.AM-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 25, + "title": null, + "description": "Organizational communication and data flows are mapped." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-4", + "id_raw": "ID.AM-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 26, + "title": null, + "description": "External information systems are catalogued." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-5", + "id_raw": "ID.AM-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 27, + "title": null, + "description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-6", + "id_raw": "ID.AM-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 28, + "title": null, + "description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-1", + "id_raw": "ID.RA-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 29, + "title": null, + "description": "Asset vulnerabilities are identified and documented." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-2", + "id_raw": "ID.RA-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 30, + "title": null, + "description": "Cyber threat intelligence is received from information sharing forums and sources." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-3", + "id_raw": "ID.RA-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 31, + "title": null, + "description": "Cyber threats, both internal and external, are identified and documented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-4", + "id_raw": "ID.RA-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 32, + "title": null, + "description": "Potential business impacts and likelihoods are identified." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5", + "id_raw": "ID.RA-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 33, + "title": null, + "description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-6", + "id_raw": "ID.RA-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 34, + "title": null, + "description": "Risk responses are identified and prioritized." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-1", + "id_raw": "PR.AC-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 35, + "title": null, + "description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-2", + "id_raw": "PR.AC-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 36, + "title": null, + "description": "Physical access to assets is managed and protected." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-3", + "id_raw": "PR.AC-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 37, + "title": null, + "description": "Remote access is managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-4", + "id_raw": "PR.AC-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 38, + "title": null, + "description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-5", + "id_raw": "PR.AC-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 39, + "title": null, + "description": "Network integrity is protected, incorporating network segregation where appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-6", + "id_raw": "PR.AC-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 40, + "title": null, + "description": "Identities are proofed and bound to credentials, and asserted in interactions." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-7", + "id_raw": "PR.AC-7", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 41, + "title": null, + "description": "Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).\n" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-1", + "id_raw": "PR.AT-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 42, + "title": null, + "description": "All users are informed and trained." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-2", + "id_raw": "PR.AT-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 43, + "title": null, + "description": "Privileged users understand their roles and responsibilities." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-3", + "id_raw": "PR.AT-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 44, + "title": null, + "description": "Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-4", + "id_raw": "PR.AT-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 45, + "title": null, + "description": "Senior executives understand their roles and responsibilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-5", + "id_raw": "PR.AT-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 46, + "title": null, + "description": "Physical and information security personnel understand roles and responsibilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-1", + "id_raw": "PR.DS-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 47, + "title": null, + "description": "Data-at-rest is protected." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-2", + "id_raw": "PR.DS-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 48, + "title": null, + "description": "Data-in-transit is protected." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-3", + "id_raw": "PR.DS-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 49, + "title": null, + "description": "Assets are formally managed throughout removal, transfers, and disposition." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-4", + "id_raw": "PR.DS-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 50, + "title": null, + "description": "Adequate capacity to ensure availability is maintained." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-5", + "id_raw": "PR.DS-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 51, + "title": null, + "description": "Protections against data leaks are implemented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-6", + "id_raw": "PR.DS-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 52, + "title": null, + "description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-7", + "id_raw": "PR.DS-7", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 53, + "title": null, + "description": "The development and testing environment(s) are separate from the production environment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-8", + "id_raw": "PR.DS-8", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 54, + "title": null, + "description": "Integrity checking mechanisms are used to verify hardware integrity." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-1", + "id_raw": "PR.IP-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 55, + "title": null, + "description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-2", + "id_raw": "PR.IP-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 56, + "title": null, + "description": "A System Development Life Cycle to manage systems is implemented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-3", + "id_raw": "PR.IP-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 57, + "title": null, + "description": "Configuration change control processes are in place." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-4", + "id_raw": "PR.IP-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 58, + "title": null, + "description": "Backups of information are conducted, maintained, and tested periodically." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-5", + "id_raw": "PR.IP-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 59, + "title": null, + "description": "Policy and regulations regarding the physical operating environment for organizational assets are met." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-6", + "id_raw": "PR.IP-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 60, + "title": null, + "description": "Data is destroyed according to policy." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-7", + "id_raw": "PR.IP-7", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 61, + "title": null, + "description": "Protection processes are continuously improved." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-8", + "id_raw": "PR.IP-8", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 62, + "title": null, + "description": "Effectiveness of protection technologies is shared with appropriate parties." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-9", + "id_raw": "PR.IP-9", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 63, + "title": null, + "description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-10", + "id_raw": "PR.IP-10", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 64, + "title": null, + "description": "Response and recovery plans are tested." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-11", + "id_raw": "PR.IP-11", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 65, + "title": null, + "description": "Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-12", + "id_raw": "PR.IP-12", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 66, + "title": null, + "description": "A vulnerability management plan is developed and implemented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ma-1", + "id_raw": "PR.MA-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 67, + "title": null, + "description": "Maintenance and repair of organizational assets are performed and logged in a timely manner, with approved and controlled tools." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ma-2", + "id_raw": "PR.MA-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 68, + "title": null, + "description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-1", + "id_raw": "PR.PT-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 69, + "title": null, + "description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-2", + "id_raw": "PR.PT-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 70, + "title": null, + "description": "Removable media is protected and its use restricted according to policy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-3", + "id_raw": "PR.PT-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 71, + "title": null, + "description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-4", + "id_raw": "PR.PT-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 72, + "title": null, + "description": "Communications and control networks are protected." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-5", + "id_raw": "PR.PT-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 73, + "title": null, + "description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-1", + "id_raw": "DE.AE-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 74, + "title": null, + "description": "A baseline of network operations and expected data flows for users and systems is established and managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-2", + "id_raw": "DE.AE-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 75, + "title": null, + "description": "Detected events are analyzed to understand attack targets and methods." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-3", + "id_raw": "DE.AE-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 76, + "title": null, + "description": "Event data are collected and correlated from multiple sources and sensors." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-4", + "id_raw": "DE.AE-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 77, + "title": null, + "description": "Impact of events is determined." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-5", + "id_raw": "DE.AE-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 78, + "title": null, + "description": "Incident alert thresholds are established." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-1", + "id_raw": "DE.CM-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 79, + "title": null, + "description": "The network is monitored to detect potential cybersecurity events." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-2", + "id_raw": "DE.CM-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 80, + "title": null, + "description": "The physical environment is monitored to detect potential cybersecurity events." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-3", + "id_raw": "DE.CM-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 81, + "title": null, + "description": "Personnel activity is monitored to detect potential cybersecurity events." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-4", + "id_raw": "DE.CM-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 82, + "title": null, + "description": "Malicious code is detected." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-5", + "id_raw": "DE.CM-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 83, + "title": null, + "description": "Unauthorized mobile code is detected." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-6", + "id_raw": "DE.CM-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 84, + "title": null, + "description": "External service provider activity is monitored to detect potential cybersecurity events." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-7", + "id_raw": "DE.CM-7", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 85, + "title": null, + "description": "Monitoring for unauthorized personnel, connections, devices, and software is performed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-8", + "id_raw": "DE.CM-8", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 86, + "title": null, + "description": "Vulnerability scans are performed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-1", + "id_raw": "DE.DP-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 87, + "title": null, + "description": "Roles and responsibilities for detection are well defined to ensure accountability." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-2", + "id_raw": "DE.DP-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 88, + "title": null, + "description": "Detection activities comply with all applicable requirements." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-3", + "id_raw": "DE.DP-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 89, + "title": null, + "description": "Detection processes are tested." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-4", + "id_raw": "DE.DP-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 90, + "title": null, + "description": "Event detection information is communicated to appropriate parties." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-5", + "id_raw": "DE.DP-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 91, + "title": null, + "description": "Detection processes are continuously improved." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.rp-1", + "id_raw": "RS.RP-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 92, + "title": null, + "description": "Response plan is executed during or after an incident." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-1", + "id_raw": "RS.CO-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 93, + "title": null, + "description": "Personnel know their roles and order of operations when a response is needed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-2", + "id_raw": "RS.CO-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 94, + "title": null, + "description": "Incidents are reported consistent with established criteria." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-3", + "id_raw": "RS.CO-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 95, + "title": null, + "description": "Information is shared consistent with response plans." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-4", + "id_raw": "RS.CO-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 96, + "title": null, + "description": "Coordination with stakeholders occurs consistent with response plans." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-5", + "id_raw": "RS.CO-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 97, + "title": null, + "description": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-1", + "id_raw": "RS.AN-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 98, + "title": null, + "description": "Notifications from detection systems are investigated." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-2", + "id_raw": "RS.AN-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 99, + "title": null, + "description": "The impact of the incident is understood." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-3", + "id_raw": "RS.AN-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 100, + "title": null, + "description": "Forensics are performed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-4", + "id_raw": "RS.AN-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 101, + "title": null, + "description": "Incidents are categorized consistent with response plans." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-5", + "id_raw": "RS.AN-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 102, + "title": null, + "description": "Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-1", + "id_raw": "RS.MI-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 103, + "title": null, + "description": "Incidents are contained." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-2", + "id_raw": "RS.MI-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 104, + "title": null, + "description": "Incidents are mitigated." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-3", + "id_raw": "RS.MI-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 105, + "title": null, + "description": "Newly identified vulnerabilities are mitigated or documented as accepted risks." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-1", + "id_raw": "RS.IM-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 106, + "title": null, + "description": "Response plans incorporate lessons learned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-2", + "id_raw": "RS.IM-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 107, + "title": null, + "description": "Response strategies are updated." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1", + "id_raw": "RC.RP-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 108, + "title": null, + "description": "Recovery plan is executed during or after a cybersecurity incident." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.im-1", + "id_raw": "RC.IM-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 109, + "title": null, + "description": "Recovery plans incorporate lessons learned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.im-2", + "id_raw": "RC.IM-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 110, + "title": null, + "description": "Recovery strategies are updated." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-1", + "id_raw": "RC.CO-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 111, + "title": null, + "description": "Public relations are managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-2", + "id_raw": "RC.CO-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 112, + "title": null, + "description": "Reputation after an event is repaired." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-3", + "id_raw": "RC.CO-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 113, + "title": null, + "description": "Recovery activities are communicated to internal and external stakeholders as well as and executive and management teams." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-1", + "id_raw": "DM.ID-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 114, + "title": null, + "description": "The organization integrates internal dependency management strategy into the overall strategic risk management plan." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-2", + "id_raw": "DM.ID-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 115, + "title": null, + "description": "Roles and responsibilities for internal dependency management are defined and assigned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-1", + "id_raw": "DM.ED-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 116, + "title": null, + "description": "The organization integrates external dependency management strategy into the overall strategic risk management plan." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2", + "id_raw": "DM.ED-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 117, + "title": null, + "description": "Dependency management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-3", + "id_raw": "DM.ED-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 118, + "title": null, + "description": "Roles and responsibilities for external dependency management are defined and assigned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4", + "id_raw": "DM.ED-4", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 119, + "title": null, + "description": "The organization manages cyber risks associated with external dependencies." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-5", + "id_raw": "DM.ED-5", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 120, + "title": null, + "description": "Functions, activities, products, and services - including interconnections, dependencies, and third parties - are identified and prioritized based on their criticality to the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6", + "id_raw": "DM.ED-6", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 121, + "title": null, + "description": "Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-7", + "id_raw": "DM.ED-7", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 122, + "title": null, + "description": "Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-1", + "id_raw": "DM.RS-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 123, + "title": null, + "description": "Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2", + "id_raw": "DM.RS-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 124, + "title": null, + "description": "Organizational incident response, business continuity, and disaster recovery plans and exercises incorporate its external dependencies and critical business partners." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-1", + "id_raw": "DM.BE-1", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 125, + "title": null, + "description": "The organization’s place in critical infrastructure and its industry sector is identified and communicated." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-2", + "id_raw": "DM.BE-2", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 126, + "title": null, + "description": "Dependencies and critical functions for delivery of critical services are established." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-3", + "id_raw": "DM.BE-3", + "tier_raw": "Subcategory", + "tier": 2, + "seq": 127, + "title": null, + "description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1.1", + "id_raw": "GV.SF-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 1, + "title": null, + "description": "The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1.2", + "id_raw": "GV.SF-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 2, + "title": null, + "description": "An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization’s cyber risk management strategy and framework." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1.3", + "id_raw": "GV.SF-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 3, + "title": null, + "description": "The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1.4", + "id_raw": "GV.SF-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 4, + "title": null, + "description": "The cyber risk management strategy identifies and communicates the organization’s role within the financial services sector as a component of critical infrastructure in the financial services industry." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-1.5", + "id_raw": "GV.SF-1.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 5, + "title": null, + "description": "The cyber risk management strategy and framework establishes and communicates priorities for organizational mission, objectives, and activities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-2.1", + "id_raw": "GV.SF-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 6, + "title": null, + "description": "The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-3.1", + "id_raw": "GV.SF-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 7, + "title": null, + "description": "An appropriate governing authority (e.g., the Board or one of its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-3.2", + "id_raw": "GV.SF-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 8, + "title": null, + "description": "An appropriate governing authority (e.g., the Board or one of its committees) periodically reviews and evaluates the organization's ability to manage its cyber risks." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-3.3", + "id_raw": "GV.SF-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 9, + "title": null, + "description": "The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sf-4.1", + "id_raw": "GV.SF-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 10, + "title": null, + "description": "The risk appetite is informed by the organization’s role in critical infrastructure." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.1", + "id_raw": "GV.RM-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 11, + "title": null, + "description": "The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.2", + "id_raw": "GV.RM-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 12, + "title": null, + "description": "The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.3", + "id_raw": "GV.RM-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 13, + "title": null, + "description": "As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.4", + "id_raw": "GV.RM-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 14, + "title": null, + "description": "The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.5", + "id_raw": "GV.RM-1.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 15, + "title": null, + "description": "The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-1.6", + "id_raw": "GV.RM-1.6", + "tier_raw": "Statement", + "tier": 3, + "seq": 16, + "title": null, + "description": "The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-2.1", + "id_raw": "GV.RM-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 17, + "title": null, + "description": "The organization has established a cyber risk tolerance consistent with its risk appetite, and integrated it into technology or operational risk management, as appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-2.2", + "id_raw": "GV.RM-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 18, + "title": null, + "description": "The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-2.3", + "id_raw": "GV.RM-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 19, + "title": null, + "description": "The cyber risk management strategy articulates how the organization would maintain an acceptable level of residual cyber risk set by the appropriate governing authority (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-3.1", + "id_raw": "GV.RM-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 20, + "title": null, + "description": "The cyber risk management framework is integrated into the enterprise risk management framework." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-3.2", + "id_raw": "GV.RM-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 21, + "title": null, + "description": "The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rm-3.3", + "id_raw": "GV.RM-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 22, + "title": null, + "description": "The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-1.1", + "id_raw": "GV.PL-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 23, + "title": null, + "description": "The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-1.2", + "id_raw": "GV.PL-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 24, + "title": null, + "description": "The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-2.1", + "id_raw": "GV.PL-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 25, + "title": null, + "description": "The cybersecurity policy is supported by the organization's risk management program." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-2.2", + "id_raw": "GV.PL-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 26, + "title": null, + "description": "Cybersecurity processes and procedures are established based on the cybersecurity policy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-2.3", + "id_raw": "GV.PL-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 27, + "title": null, + "description": "The cybersecurity policy is periodically reviewed and revised under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-3.1", + "id_raw": "GV.PL-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 28, + "title": null, + "description": "The cybersecurity policy, strategy and framework should take into account the organization's legal and regulatory obligations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-3.2", + "id_raw": "GV.PL-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 29, + "title": null, + "description": "The organization's cybersecurity policies are consistent with its privacy and civil liberty obligations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.pl-3.3", + "id_raw": "GV.PL-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 30, + "title": null, + "description": "The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-1.1", + "id_raw": "GV.RR-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 31, + "title": null, + "description": "The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-2.1", + "id_raw": "GV.RR-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 32, + "title": null, + "description": "The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-2.2", + "id_raw": "GV.RR-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 33, + "title": null, + "description": "The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-2.3", + "id_raw": "GV.RR-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 34, + "title": null, + "description": "The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.rr-2.4", + "id_raw": "GV.RR-2.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 35, + "title": null, + "description": "The organization provides adequate resources to maintain and enhance the cybersecurity situational awareness of senior managers within the organization." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-1.1", + "id_raw": "GV.SP-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 36, + "title": null, + "description": "The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-1.2", + "id_raw": "GV.SP-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 37, + "title": null, + "description": "Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-2.1", + "id_raw": "GV.SP-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 38, + "title": null, + "description": "The organization implements a repeatable process to develop, collect, store, report, and refresh actionable cybersecurity key performance indicators and metrics. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-2.2", + "id_raw": "GV.SP-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 39, + "title": null, + "description": "The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to help guide the security program. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.sp-2.3", + "id_raw": "GV.SP-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 40, + "title": null, + "description": "The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-1.1", + "id_raw": "GV.IR-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 41, + "title": null, + "description": "The organization's enterprise-wide cyber risk management framework includes an independent risk management function that provides assurance that the cyber risk management framework is implemented as intended." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-1.2", + "id_raw": "GV.IR-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 42, + "title": null, + "description": "An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-1.3", + "id_raw": "GV.IR-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 43, + "title": null, + "description": "The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-1.4", + "id_raw": "GV.IR-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 44, + "title": null, + "description": "Individuals responsible for independent risk management and oversight are independent of business line management, including senior leadership." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-2.1", + "id_raw": "GV.IR-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 45, + "title": null, + "description": "An independent risk management function assesses the appropriateness of the cyber risk management program according to the organization's risk appetite." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-2.2", + "id_raw": "GV.IR-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 46, + "title": null, + "description": "An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.ir-3.1", + "id_raw": "GV.IR-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 47, + "title": null, + "description": "An independent risk management function reports to the appropriate governing authority (e.g., the Board or one of its committees) and to the appropriate risk management officer within the organization on the implementation of the cyber risk management framework throughout the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-1.1", + "id_raw": "GV.AU-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 48, + "title": null, + "description": "The organization has an independent audit function. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-1.2", + "id_raw": "GV.AU-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 49, + "title": null, + "description": "The organization has an independent audit plan that provides for an evaluation of the organization's compliance with the appropriately approved cyber risk management framework and its cybersecurity policies and processes including how well the organization adapts to the evolving cyber risk environment while remaining within its stated risk appetite and tolerance." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-1.3", + "id_raw": "GV.AU-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 50, + "title": null, + "description": "An independent audit function tests security controls and information security policies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-1.4", + "id_raw": "GV.AU-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 51, + "title": null, + "description": "An independent audit function assesses compliance with applicable laws and regulations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-2.1", + "id_raw": "GV.AU-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 52, + "title": null, + "description": "A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-2.2", + "id_raw": "GV.AU-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 53, + "title": null, + "description": "A formal process is in place for the independent audit function to update its procedures based on changes to the organization's risk appetite and risk tolerance." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-3.1", + "id_raw": "GV.AU-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 54, + "title": null, + "description": "An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-3.2", + "id_raw": "GV.AU-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 55, + "title": null, + "description": "An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.au-3.3", + "id_raw": "GV.AU-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 56, + "title": null, + "description": "An independent audit function reports to the appropriate governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when cyber risk tolerance has been exceeded in any part of the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te-1.1", + "id_raw": "GV.TE-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 57, + "title": null, + "description": "The organization identifies how cybersecurity will support emerging technologies that support business needs (e.g., cloud, mobile, IoT, IIoT, etc.) by integrating cybersecurity considerations into the lifecycle of new technologies from their inception." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te-1.2", + "id_raw": "GV.TE-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 58, + "title": null, + "description": "The organization applies its cyber risk management framework to all technology projects." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:gv.te-2.1", + "id_raw": "GV.TE-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 59, + "title": null, + "description": "The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-1.1", + "id_raw": "ID.AM-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 60, + "title": null, + "description": "The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-2.1", + "id_raw": "ID.AM-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 61, + "title": null, + "description": "The organization maintains a current and complete inventory of software platforms and business applications." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-3.1", + "id_raw": "ID.AM-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 62, + "title": null, + "description": "The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-3.2", + "id_raw": "ID.AM-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 63, + "title": null, + "description": "The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-3.3", + "id_raw": "ID.AM-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 64, + "title": null, + "description": "The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-4.1", + "id_raw": "ID.AM-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 65, + "title": null, + "description": "The organization maintains an inventory of external information systems. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-5.1", + "id_raw": "ID.AM-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 66, + "title": null, + "description": "The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-5.2", + "id_raw": "ID.AM-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 67, + "title": null, + "description": "The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.am-6.1", + "id_raw": "ID.AM-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 68, + "title": null, + "description": "Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-1.1", + "id_raw": "ID.RA-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 69, + "title": null, + "description": "The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-2.1", + "id_raw": "ID.RA-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 70, + "title": null, + "description": "The organization participates actively (in geopolitical alignment with its business operations) in applicable information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats and early warning indicators relating to cyber threats. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-3.1", + "id_raw": "ID.RA-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 71, + "title": null, + "description": "The organization identifies, documents, and analyzes threats that are internal and external to the firm." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-3.2", + "id_raw": "ID.RA-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 72, + "title": null, + "description": "The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-3.3", + "id_raw": "ID.RA-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 73, + "title": null, + "description": "The organization regularly reviews and updates results of its cyber threat analysis." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-4.1", + "id_raw": "ID.RA-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 74, + "title": null, + "description": "The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.1", + "id_raw": "ID.RA-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 75, + "title": null, + "description": "Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.2", + "id_raw": "ID.RA-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 76, + "title": null, + "description": "The organization considers threat intelligence received from the organization's participants, service and utility providers and other industry organizations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.3", + "id_raw": "ID.RA-5.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 77, + "title": null, + "description": "The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.4", + "id_raw": "ID.RA-5.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 78, + "title": null, + "description": "The organization's business units assess, on an ongoing basis, the cyber risks associated with the activities of the business unit." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.5", + "id_raw": "ID.RA-5.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 79, + "title": null, + "description": "The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-5.6", + "id_raw": "ID.RA-5.6", + "tier_raw": "Statement", + "tier": 3, + "seq": 80, + "title": null, + "description": "The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-6.1", + "id_raw": "ID.RA-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 81, + "title": null, + "description": "The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:id.ra-6.2", + "id_raw": "ID.RA-6.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 82, + "title": null, + "description": "Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-1.1", + "id_raw": "PR.AC-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 83, + "title": null, + "description": "Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-1.2", + "id_raw": "PR.AC-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 84, + "title": null, + "description": "User access authorization is limited to individuals who are appropriately trained and monitored." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-1.3", + "id_raw": "PR.AC-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 85, + "title": null, + "description": "Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, revocation of credentials for users who change roles or leave the organization, etc.)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-2.1", + "id_raw": "PR.AC-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 86, + "title": null, + "description": "The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-3.1", + "id_raw": "PR.AC-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 87, + "title": null, + "description": "Remote access is actively managed and restricted to necessary systems." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-3.2", + "id_raw": "PR.AC-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 88, + "title": null, + "description": "The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-4.1", + "id_raw": "PR.AC-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 89, + "title": null, + "description": "The organization limits access privileges to the minimum necessary." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-4.2", + "id_raw": "PR.AC-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 90, + "title": null, + "description": "The organization institutes strong controls over privileged system access by strictly limiting and closely supervising staff with elevated system access entitlements. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-4.3", + "id_raw": "PR.AC-4.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 91, + "title": null, + "description": "The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-5.1", + "id_raw": "PR.AC-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 92, + "title": null, + "description": "Networks and systems are segmented to maintain appropriate security." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-5.2", + "id_raw": "PR.AC-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 93, + "title": null, + "description": "The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-6.1", + "id_raw": "PR.AC-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 94, + "title": null, + "description": "The organization authenticates identity and validates the authorization level of a user before granting access to its systems." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-7.1", + "id_raw": "PR.AC-7.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 95, + "title": null, + "description": "The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on:\n(1) The type of data being accessed (e.g., customer PII, public data);\n(2) The risk of the transaction (e.g., internal-to-internal, external-to-internal);\n(3) The organization's level of trust for the accessing agent (e.g., external application, internal user); and\n(4) The potential for harm." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ac-7.2", + "id_raw": "PR.AC-7.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 96, + "title": null, + "description": "Based on the risk level of a given transaction, the organization has defined and implemented authentication requirements, such as including implementing multi-factor, out-of-band authentication for high risk transactions." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-1.1", + "id_raw": "PR.AT-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 97, + "title": null, + "description": "All personnel (full-time or part-time; permanent, temporary or contract) receive periodic cybersecurity awareness training, as permitted by law." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-1.2", + "id_raw": "PR.AT-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 98, + "title": null, + "description": "Cybersecurity awareness training includes at a minimum appropriate awareness of and competencies for data protection, detecting and addressing cyber risks, and how to report any unusual activity or incidents. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-1.3", + "id_raw": "PR.AT-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 99, + "title": null, + "description": "Cybersecurity awareness training is updated on a regular basis to reflect risks identified by the organization in its risk assessment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-2.1", + "id_raw": "PR.AT-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 100, + "title": null, + "description": "High-risk groups, such as those with privileged system access or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-2.2", + "id_raw": "PR.AT-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 101, + "title": null, + "description": "Cybersecurity personnel receive training appropriate for their roles and responsibilities in cybersecurity, including situational awareness training sufficient to maintain current knowledge of cyber threats and countermeasures. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-2.3", + "id_raw": "PR.AT-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 102, + "title": null, + "description": "A mechanism is in place to verify that key cybersecurity personnel maintain current knowledge of changing cyber threats and countermeasures. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-3.1", + "id_raw": "PR.AT-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 103, + "title": null, + "description": "The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of their role in cybersecurity, as appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-3.2", + "id_raw": "PR.AT-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 104, + "title": null, + "description": "Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-3.3", + "id_raw": "PR.AT-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 105, + "title": null, + "description": "Cybersecurity training covers topics designed to minimize risks to or from interconnected parties." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-4.1", + "id_raw": "PR.AT-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 106, + "title": null, + "description": "The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: \n(1) Evaluate and manage cyber risks;\n(2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and\n(3) Lead by example." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-4.2", + "id_raw": "PR.AT-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 107, + "title": null, + "description": "Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.at-5.1", + "id_raw": "PR.AT-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 108, + "title": null, + "description": "The individuals who fulfill the organization’s physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-1.1", + "id_raw": "PR.DS-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 109, + "title": null, + "description": "Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-1.2", + "id_raw": "PR.DS-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 110, + "title": null, + "description": "Controls for data-at-rest include, but are not be restricted to, appropriate encryption, authentication and access control. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-2.1", + "id_raw": "PR.DS-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 111, + "title": null, + "description": "Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-2.2", + "id_raw": "PR.DS-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 112, + "title": null, + "description": "Controls for data-in-transit include, but are not be restricted to, appropriate encryption, authentication and access control. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-3.1", + "id_raw": "PR.DS-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 113, + "title": null, + "description": "The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-4.1", + "id_raw": "PR.DS-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 114, + "title": null, + "description": "The organization maintains appropriate system and network availability, consistent with business requirements and risk assessment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-5.1", + "id_raw": "PR.DS-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 115, + "title": null, + "description": "The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-6.1", + "id_raw": "PR.DS-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 116, + "title": null, + "description": "The organization uses integrity checking mechanisms to verify software, firmware and information integrity, as practicable. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-7.1", + "id_raw": "PR.DS-7.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 117, + "title": null, + "description": "The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ds-8.1", + "id_raw": "PR.DS-8.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 118, + "title": null, + "description": "The organization uses integrity checking mechanisms to verify hardware integrity, as practicable." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-1.1", + "id_raw": "PR.IP-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 119, + "title": null, + "description": "The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-1.2", + "id_raw": "PR.IP-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 120, + "title": null, + "description": "The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-1.3", + "id_raw": "PR.IP-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 121, + "title": null, + "description": "The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-2.1", + "id_raw": "PR.IP-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 122, + "title": null, + "description": "The organization implements a process for Secure System Development Lifecycle for in-house software design and development." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-2.2", + "id_raw": "PR.IP-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 123, + "title": null, + "description": "The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-2.3", + "id_raw": "PR.IP-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 124, + "title": null, + "description": "The organization assesses the cyber risks of software prior to deployment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-3.1", + "id_raw": "PR.IP-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 125, + "title": null, + "description": "The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-4.1", + "id_raw": "PR.IP-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 126, + "title": null, + "description": "The organization designs and tests its systems and processes to enable recovery of accurate data (e.g., material financial transactions) sufficient to support normal operations and obligations following a cybersecurity incident. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-4.2", + "id_raw": "PR.IP-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 127, + "title": null, + "description": "The organization conducts and maintains backups of information and periodically conduct tests of backups to business assets (including full system recovery) to achieve cyber resilience." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-4.3", + "id_raw": "PR.IP-4.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 128, + "title": null, + "description": "The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-4.4", + "id_raw": "PR.IP-4.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 129, + "title": null, + "description": "Recovery point objectives to support data integrity efforts are consistent with the organization's resumption time objective for critical operations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-5.1", + "id_raw": "PR.IP-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 130, + "title": null, + "description": "Physical and environmental security policies are implemented and managed. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-6.1", + "id_raw": "PR.IP-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 131, + "title": null, + "description": "Data is maintained, stored, retained and destroyed according to the organization's data retention policy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-7.1", + "id_raw": "PR.IP-7.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 132, + "title": null, + "description": "A formal process is in place to improve protection processes by integrating lessons learned and responding to changes in the organization's environment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-8.1", + "id_raw": "PR.IP-8.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 133, + "title": null, + "description": "The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-9.1", + "id_raw": "PR.IP-9.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 134, + "title": null, + "description": "The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-9.2", + "id_raw": "PR.IP-9.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 135, + "title": null, + "description": "The organization defines objectives for resumption of critical operations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-10.1", + "id_raw": "PR.IP-10.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 136, + "title": null, + "description": "The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive) that could affect the organization's ability to service clients." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-10.2", + "id_raw": "PR.IP-10.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 137, + "title": null, + "description": "The organization's testing program validates the effectiveness of its cyber resilience framework on a regular basis." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-10.3", + "id_raw": "PR.IP-10.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 138, + "title": null, + "description": "The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-10.4", + "id_raw": "PR.IP-10.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 139, + "title": null, + "description": "The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-11.1", + "id_raw": "PR.IP-11.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 140, + "title": null, + "description": "The organization conducts background/screening checks on all new employees, as permitted by law." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-11.2", + "id_raw": "PR.IP-11.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 141, + "title": null, + "description": "The organization conducts background/screening checks on all staff at regular intervals throughout their employment, commensurate with staff’s access to critical systems or a change in role, as permitted by law." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-11.3", + "id_raw": "PR.IP-11.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 142, + "title": null, + "description": "The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-12.1", + "id_raw": "PR.IP-12.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 143, + "title": null, + "description": "The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-12.2", + "id_raw": "PR.IP-12.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 144, + "title": null, + "description": "The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-12.3", + "id_raw": "PR.IP-12.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 145, + "title": null, + "description": "The organization has a formal exception management process for vulnerabilities that cannot be mitigated due to business-related exceptions." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ip-12.4", + "id_raw": "PR.IP-12.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 146, + "title": null, + "description": "The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ma-1.1", + "id_raw": "PR.MA-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 147, + "title": null, + "description": "Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.ma-2.1", + "id_raw": "PR.MA-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 148, + "title": null, + "description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-1.1", + "id_raw": "PR.PT-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 149, + "title": null, + "description": "The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-1.2", + "id_raw": "PR.PT-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 150, + "title": null, + "description": "The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-2.1", + "id_raw": "PR.PT-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 151, + "title": null, + "description": "The organization's removable media and mobile devices are protected and use is restricted according to policy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-3.1", + "id_raw": "PR.PT-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 152, + "title": null, + "description": "The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-4.1", + "id_raw": "PR.PT-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 153, + "title": null, + "description": "The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:pr.pt-5.1", + "id_raw": "PR.PT-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 154, + "title": null, + "description": "The organization implements mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-1.1", + "id_raw": "DE.AE-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 155, + "title": null, + "description": "The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-2.1", + "id_raw": "DE.AE-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 156, + "title": null, + "description": "The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to:\n(1) Assess and understand the nature, scope and method of the attack;\n(2) Predict and block a similar future attack; and\n(3) Report timely risk metrics." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-3.1", + "id_raw": "DE.AE-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 157, + "title": null, + "description": "The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-3.2", + "id_raw": "DE.AE-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 158, + "title": null, + "description": "The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prevent multifaceted cyber attacks." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-4.1", + "id_raw": "DE.AE-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 159, + "title": null, + "description": "The organization has a documented process in place to analyze the impact of a material cybersecurity incident (including the financial impact) on the organization as well as across the financial sector, as appropriate, per organization's size, scope, and complexity and its role in the financial sector." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.ae-5.1", + "id_raw": "DE.AE-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 160, + "title": null, + "description": "The organization establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-1.1", + "id_raw": "DE.CM-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 161, + "title": null, + "description": "The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-1.2", + "id_raw": "DE.CM-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 162, + "title": null, + "description": "The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-1.3", + "id_raw": "DE.CM-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 163, + "title": null, + "description": "The organization deploys an intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-1.4", + "id_raw": "DE.CM-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 164, + "title": null, + "description": "The organization implements mechanisms, such as alerting and filtering sudden high volume and suspicious incoming traffic, to prevent (Distributed) Denial of Services (DoS/DDoS) attacks." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-2.1", + "id_raw": "DE.CM-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 165, + "title": null, + "description": "The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-3.1", + "id_raw": "DE.CM-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 166, + "title": null, + "description": "The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-3.2", + "id_raw": "DE.CM-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 167, + "title": null, + "description": "The organization performs logging and reviewing of the systems activities of privileged users, and monitoring for anomalies is implemented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-3.3", + "id_raw": "DE.CM-3.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 168, + "title": null, + "description": "The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-4.1", + "id_raw": "DE.CM-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 169, + "title": null, + "description": "The organization implements and manages appropriate tools to detect and block malware from infecting networks and systems." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-4.2", + "id_raw": "DE.CM-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 170, + "title": null, + "description": "The organization implements email protection mechanisms to automatically scan, detect, and protect from any attached malware or malicious links present in the email." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-5.1", + "id_raw": "DE.CM-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 171, + "title": null, + "description": "The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-6.1", + "id_raw": "DE.CM-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 172, + "title": null, + "description": "The organization authorizes and monitors all third-party connections." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-6.2", + "id_raw": "DE.CM-6.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 173, + "title": null, + "description": "The organization collaborates with third-party service providers to maintain and improve the security of external connections." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-6.3", + "id_raw": "DE.CM-6.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 174, + "title": null, + "description": "The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-7.1", + "id_raw": "DE.CM-7.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 175, + "title": null, + "description": "The organization implements appropriate controls to prevent use of unsupported and unauthorized software. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-7.2", + "id_raw": "DE.CM-7.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 176, + "title": null, + "description": "The organization has policies, procedures and adequate tools in place to monitor, detect, and block access from/to devices, connections, and data transfers." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-7.3", + "id_raw": "DE.CM-7.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 177, + "title": null, + "description": "The organization sets up automatic and real-time alerts when an unauthorized software, hardware or configuration change occurs." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-7.4", + "id_raw": "DE.CM-7.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 178, + "title": null, + "description": "The organization implements web-filtering tools and technology to block access to inappropriate or malicious websites. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-8.1", + "id_raw": "DE.CM-8.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 179, + "title": null, + "description": "The organization conducts periodic vulnerability scanning, including automated scanning across all environments to identify potential system vulnerabilities, including publicly known vulnerabilities, upgrade opportunities, and new defense layers." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.cm-8.2", + "id_raw": "DE.CM-8.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 180, + "title": null, + "description": "The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-1.1", + "id_raw": "DE.DP-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 181, + "title": null, + "description": "The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-2.1", + "id_raw": "DE.DP-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 182, + "title": null, + "description": "The organization's monitoring and detection processes comply with all applicable requirements." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-3.1", + "id_raw": "DE.DP-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 183, + "title": null, + "description": "The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-4.1", + "id_raw": "DE.DP-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 184, + "title": null, + "description": "The organization has established processes and protocols to communicate, alert and periodically report detected potential cyber attacks and incident information including its corresponding analysis and cyber threat intelligence to internal and external stakeholders." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-4.2", + "id_raw": "DE.DP-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 185, + "title": null, + "description": "The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:de.dp-5.1", + "id_raw": "DE.DP-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 186, + "title": null, + "description": "The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.rp-1.1", + "id_raw": "RS.RP-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 187, + "title": null, + "description": "The organization's response plans are in place and executed during or after an incident." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-1.1", + "id_raw": "RS.CO-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 188, + "title": null, + "description": "The organization's incident response plan contains clearly defined roles, responsibilities and levels of decision-making authority." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-1.2", + "id_raw": "RS.CO-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 189, + "title": null, + "description": "The organization ensures cyber threat intelligence is made available to appropriate staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-1.3", + "id_raw": "RS.CO-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 190, + "title": null, + "description": "The organization's personnel know their roles and responsibilities and order of operations when a response is needed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-2.1", + "id_raw": "RS.CO-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 191, + "title": null, + "description": "The organization's incident response plan describes how to appropriately document and report cyber events and related incident response activities." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-2.2", + "id_raw": "RS.CO-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 192, + "title": null, + "description": "In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-2.3", + "id_raw": "RS.CO-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 193, + "title": null, + "description": "The organization's incident response program includes effective escalation protocols linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's appropriate governing authority and senior management), and how information provided to the organization will be acted upon." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-2.4", + "id_raw": "RS.CO-2.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 194, + "title": null, + "description": "The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-3.1", + "id_raw": "RS.CO-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 195, + "title": null, + "description": "Information is shared consistent with response plans. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-3.2", + "id_raw": "RS.CO-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 196, + "title": null, + "description": "In the event of a cybersecurity incident, the organization shares information in an appropriate manner that could facilitate the detection, response, resumption and recovery of its own systems and those of other financial sector participants through trusted channels." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-4.1", + "id_raw": "RS.CO-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 197, + "title": null, + "description": "The organization has a plan to coordinate and communicate with internal and external stakeholders during or following a cyber attack as appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-5.1", + "id_raw": "RS.CO-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 198, + "title": null, + "description": "The organization actively participates in multilateral information-sharing arrangements to facilitate a sector-wide response to large-scale incidents." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-5.2", + "id_raw": "RS.CO-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 199, + "title": null, + "description": "The organization shares information on its cyber resilience framework bilaterally with trusted external stakeholders to promote understanding of each other’s approach to securing systems that are linked or interfaced." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.co-5.3", + "id_raw": "RS.CO-5.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 200, + "title": null, + "description": "The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-1.1", + "id_raw": "RS.AN-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 201, + "title": null, + "description": "Tools and processes are in place to ensure timely detection, alert, and activation of the incident response program." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-2.1", + "id_raw": "RS.AN-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 202, + "title": null, + "description": "The organization uses cyber-attack scenarios to determine potential impact to critical business processes." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-2.2", + "id_raw": "RS.AN-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 203, + "title": null, + "description": "The organization performs a thorough investigation to determine the nature of a cyber event, its extent, and the damage inflicted." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-3.1", + "id_raw": "RS.AN-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 204, + "title": null, + "description": "The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-4.1", + "id_raw": "RS.AN-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 205, + "title": null, + "description": "The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems to the enterprise." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-5.1", + "id_raw": "RS.AN-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 206, + "title": null, + "description": "The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from:\n(1) Public sources (e.g., security researchers);\n(2) Vulnerability sharing forums (e.g., FS-ISAC); and\n(3) Third-parties (e.g., cloud vendors);\n(4) Internal sources (e.g., development teams)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-5.2", + "id_raw": "RS.AN-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 207, + "title": null, + "description": "The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on:\n(1) Determining its validity;\n(2) Aassessing its scope (e.g., affected assets);\n(3) Determining it's severity and impact;\n(4) Identifying affected stakeholders or customers; and\n(5) Analyzing options to respond." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.an-5.3", + "id_raw": "RS.AN-5.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 208, + "title": null, + "description": "The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-1.1", + "id_raw": "RS.MI-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 209, + "title": null, + "description": "The organization contains cybersecurity incidents in a timely manner. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-1.2", + "id_raw": "RS.MI-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 210, + "title": null, + "description": "The organization's procedures include containment strategies and notifying potentially impacted third-parties, as appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-2.1", + "id_raw": "RS.MI-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 211, + "title": null, + "description": "The organization mitigates cybersecurity incidents in a timely manner. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-3.1", + "id_raw": "RS.MI-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 212, + "title": null, + "description": "The organization's incident response plan identifies requirements for the remediation of any identified weaknesses in systems and associated controls." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.mi-3.2", + "id_raw": "RS.MI-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 213, + "title": null, + "description": "Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-1.1", + "id_raw": "RS.IM-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 214, + "title": null, + "description": "The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-1.2", + "id_raw": "RS.IM-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 215, + "title": null, + "description": "The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-1.3", + "id_raw": "RS.IM-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 216, + "title": null, + "description": "The organization's cyber resilience and incident response programs have processes in place to incorporate lessons learned from cyber events that have occurred within and outside the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rs.im-2.1", + "id_raw": "RS.IM-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 217, + "title": null, + "description": "The organization periodically reviews response strategy and exercises and updates them as necessary, based on:\n(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);\n(2) Current cyber threat intelligence (both internal and external sources);\n(3) Recent and wide-scale cyber attack scenarios;\n(4) Operationally and technically plausible future cyber attacks; and\n(5) New technological developments." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.1", + "id_raw": "RC.RP-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 218, + "title": null, + "description": "The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.2", + "id_raw": "RC.RP-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 219, + "title": null, + "description": "Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.3", + "id_raw": "RC.RP-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 220, + "title": null, + "description": "The recovery plan includes a minimum recovery time for the sector critical systems." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.4", + "id_raw": "RC.RP-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 221, + "title": null, + "description": "The recovery plan includes recovery of clearing and settlement activities after a wide-scale disruption with the overall goal of completing material pending transactions on the scheduled settlement date." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.5", + "id_raw": "RC.RP-1.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 222, + "title": null, + "description": "The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.rp-1.6", + "id_raw": "RC.RP-1.6", + "tier_raw": "Statement", + "tier": 3, + "seq": 223, + "title": null, + "description": "The recovery plan includes plans to come back for both traditional and highly available (e.g., cloud) infrastructure." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.im-1.1", + "id_raw": "RC.IM-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 224, + "title": null, + "description": "The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from:\n(1) cybersecurity incidents that have occurred within the organization;\n(2) Cybersecurity assessments and testing performed internally; and\n(3) Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.im-2.1", + "id_raw": "RC.IM-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 225, + "title": null, + "description": "The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on: \n(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);\n(2) Current cyber threat intelligence (both internal and external sources);\n(3) Recent and wide-scale cyber attack scenarios;\n(4) Operationally and technically plausible future cyber attacks; and\n(5) New technological developments." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-1.1", + "id_raw": "RC.CO-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 226, + "title": null, + "description": "The organization's governing body (e.g., the Board or one of its committees) ensures that a communication plan exists to notify internal and external stakeholders about an incident, as appropriate." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-1.2", + "id_raw": "RC.CO-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 227, + "title": null, + "description": "The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-2.1", + "id_raw": "RC.CO-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 228, + "title": null, + "description": "Actionable and effective mitigation techniques are taken and communicated appropriately to restore and improve the organization's reputation after an incident." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:rc.co-3.1", + "id_raw": "RC.CO-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 229, + "title": null, + "description": "The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the appropriate governing body (e.g., the Board or one of its committees), senior management and relevant internal stakeholders." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-1.1", + "id_raw": "DM.ID-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 230, + "title": null, + "description": "The organization has integrated its internal dependency management strategy into the overall strategic risk management plan." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-1.2", + "id_raw": "DM.ID-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 231, + "title": null, + "description": "The organization monitors the effectiveness of its internal dependency management strategy." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-1.3", + "id_raw": "DM.ID-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 232, + "title": null, + "description": "The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-1.4", + "id_raw": "DM.ID-1.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 233, + "title": null, + "description": "The organization has established and applies appropriate controls to address the inherent risk of internal dependencies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.id-2.1", + "id_raw": "DM.ID-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 234, + "title": null, + "description": "Roles and responsibilities for internal dependency management are defined and assigned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-1.1", + "id_raw": "DM.ED-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 235, + "title": null, + "description": "The organization has integrated its external dependency management strategy into the overall cyber risk management plan." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-1.2", + "id_raw": "DM.ED-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 236, + "title": null, + "description": "The organization monitors the effectiveness of its external dependency management strategy to reduce cyber risks associated with external dependencies." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-1.3", + "id_raw": "DM.ED-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 237, + "title": null, + "description": "The organization ensures appropriate oversight and compliance with the external dependency strategy implementation." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2.1", + "id_raw": "DM.ED-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 238, + "title": null, + "description": "The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2.2", + "id_raw": "DM.ED-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 239, + "title": null, + "description": "The organization's dependency management policies, plans, and procedures are regularly updated." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2.3", + "id_raw": "DM.ED-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 240, + "title": null, + "description": "The organization's dependency management policies, plans, and procedures have been reviewed and approved by appropriate organizational stakeholders." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2.4", + "id_raw": "DM.ED-2.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 241, + "title": null, + "description": "Dependency management processes may allow the organization to the adopt security program(s) of its affiliate(s) as long as such program provides an appropriate level of control and assurance." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-2.5", + "id_raw": "DM.ED-2.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 242, + "title": null, + "description": "The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-3.1", + "id_raw": "DM.ED-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 243, + "title": null, + "description": "Roles and responsibilities for external dependency management are defined and assigned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-3.2", + "id_raw": "DM.ED-3.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 244, + "title": null, + "description": "Responsibilities for ongoing independent oversight (external) of third-party access are defined and assigned." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4.1", + "id_raw": "DM.ED-4.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 245, + "title": null, + "description": "The organization ensures that cyber risks associated with external dependencies are consistent with cyber risk appetite approved by an appropriate governing body (e.g., the Board or one of its committees)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4.2", + "id_raw": "DM.ED-4.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 246, + "title": null, + "description": "The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4.3", + "id_raw": "DM.ED-4.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 247, + "title": null, + "description": "The organization conducts a risk assessment to define appropriate controls to address the cyber risk presented by each external partner, implements these controls, and monitors their status throughout the lifecycle of partner relationships." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4.4", + "id_raw": "DM.ED-4.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 248, + "title": null, + "description": "The organization has a documented third-party termination/exit strategy to include procedures for timely removal of the third-party access when no longer required." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-4.5", + "id_raw": "DM.ED-4.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 249, + "title": null, + "description": "The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-5.1", + "id_raw": "DM.ED-5.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 250, + "title": null, + "description": "The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-5.2", + "id_raw": "DM.ED-5.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 251, + "title": null, + "description": "The organization maintains a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-5.3", + "id_raw": "DM.ED-5.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 252, + "title": null, + "description": "The organization has prioritized functions, activities, products, and services provided by external dependencies based on criticality." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-5.4", + "id_raw": "DM.ED-5.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 253, + "title": null, + "description": "The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.1", + "id_raw": "DM.ED-6.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 254, + "title": null, + "description": "The organization has documented minimum cybersecurity requirements for critical third-parties that, at a minimum, meet cybersecurity practices of the organization." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.2", + "id_raw": "DM.ED-6.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 255, + "title": null, + "description": "The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.3", + "id_raw": "DM.ED-6.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 256, + "title": null, + "description": "Minimum cybersecurity requirements for third-parties include how the organization will monitor security of its external dependencies to ensure that requirements are continually satisfied." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.4", + "id_raw": "DM.ED-6.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 257, + "title": null, + "description": "Minimum cybersecurity requirements for third-parties include consideration of whether the third-party is responsible for the security of the organization's confidential data and of geographic limits on where data can be stored and transmitted." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.5", + "id_raw": "DM.ED-6.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 258, + "title": null, + "description": "Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including:\n1) Joint maintenance of contingency plans;\n2) Responsibilities for responding to cybersecurity incident; \n3) Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and\n4) Incorporating potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.6", + "id_raw": "DM.ED-6.6", + "tier_raw": "Statement", + "tier": 3, + "seq": 259, + "title": null, + "description": "Minimum cybersecurity requirements for third-parties identify conditions of and the recourse available to the organization should the third-party fail to meet their cybersecurity requirements. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-6.7", + "id_raw": "DM.ED-6.7", + "tier_raw": "Statement", + "tier": 3, + "seq": 260, + "title": null, + "description": "Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, including return or destruction of data during cloud or virtualization use and upon relationship termination." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-7.1", + "id_raw": "DM.ED-7.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 261, + "title": null, + "description": "The organization has a formal program for third-party due diligence and monitoring." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-7.2", + "id_raw": "DM.ED-7.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 262, + "title": null, + "description": "The organization conducts regular third-party reviews for critical vendors to validate that appropriate security controls have been implemented." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-7.3", + "id_raw": "DM.ED-7.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 263, + "title": null, + "description": "A process is in place to confirm that the organization's third-party service providers conduct due diligence of their own third-parties (e.g., subcontractors)." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.ed-7.4", + "id_raw": "DM.ED-7.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 264, + "title": null, + "description": "A process is in place to confirm that the organization's third-party service providers conduct periodic resiliency testing or justify why it is not needed." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-1.1", + "id_raw": "DM.RS-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 265, + "title": null, + "description": "The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-1.2", + "id_raw": "DM.RS-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 266, + "title": null, + "description": "The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial sector." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-1.3", + "id_raw": "DM.RS-1.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 267, + "title": null, + "description": "The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2.1", + "id_raw": "DM.RS-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 268, + "title": null, + "description": "The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2.2", + "id_raw": "DM.RS-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 269, + "title": null, + "description": "The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on multiple elements of interconnected critical infrastructure, such as energy and telecommunications. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2.3", + "id_raw": "DM.RS-2.3", + "tier_raw": "Statement", + "tier": 3, + "seq": 270, + "title": null, + "description": "The organization designs and tests its cyber resilience plans, and exercises to support financial sector's sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. 
" + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2.4", + "id_raw": "DM.RS-2.4", + "tier_raw": "Statement", + "tier": 3, + "seq": 271, + "title": null, + "description": "The organization periodically identifies and tests alternative solutions in case an external partner fails to perform as expected. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.rs-2.5", + "id_raw": "DM.RS-2.5", + "tier_raw": "Statement", + "tier": 3, + "seq": 272, + "title": null, + "description": "When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-1.1", + "id_raw": "DM.BE-1.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 273, + "title": null, + "description": "The cyber risk strategy identifies and communicates the organization's role as it relates to other critical infrastructures and as a component of the financial services sector. " + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-1.2", + "id_raw": "DM.BE-1.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 274, + "title": null, + "description": "A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-2.1", + "id_raw": "DM.BE-2.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 275, + "title": null, + "description": "The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders." 
+ }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-2.2", + "id_raw": "DM.BE-2.2", + "tier_raw": "Statement", + "tier": 3, + "seq": 276, + "title": null, + "description": "The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector." + }, + { + "source": "fsscc_profile_v1.0", + "id": "fsscc_profile_v1.0:dm.be-3.1", + "id_raw": "DM.BE-3.1", + "tier_raw": "Statement", + "tier": 3, + "seq": 277, + "title": null, + "description": "Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1", + "id_raw": "D1", + "tier_raw": "Domain", + "tier": 0, + "seq": 1, + "title": "Cyber Risk Management & Oversight", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2", + "id_raw": "D2", + "tier_raw": "Domain", + "tier": 0, + "seq": 2, + "title": "Threat Intelligence & Collaboration", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3", + "id_raw": "D3", + "tier_raw": "Domain", + "tier": 0, + "seq": 3, + "title": "Cybersecurity Controls", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4", + "id_raw": "D4", + "tier_raw": "Domain", + "tier": 0, + "seq": 4, + "title": "External Dependency Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5", + "id_raw": "D5", + "tier_raw": "Domain", + "tier": 0, + "seq": 5, + "title": "Cyber Incident Management and Resilience", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g", + "id_raw": "D1.G", + "tier_raw": "Factor", + "tier": 1, + "seq": 1, + "title": "Governance", + 
"description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm", + "id_raw": "D1.RM", + "tier_raw": "Factor", + "tier": 1, + "seq": 2, + "title": "Risk Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r", + "id_raw": "D1.R", + "tier_raw": "Factor", + "tier": 1, + "seq": 3, + "title": "Resources", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc", + "id_raw": "D1.TC", + "tier_raw": "Factor", + "tier": 1, + "seq": 4, + "title": "Training & Culture", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti", + "id_raw": "D2.TI", + "tier_raw": "Factor", + "tier": 1, + "seq": 5, + "title": "Threat Intelligence", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma", + "id_raw": "D2.MA", + "tier_raw": "Factor", + "tier": 1, + "seq": 6, + "title": "Monitoring & Analyzing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is", + "id_raw": "D2.IS", + "tier_raw": "Factor", + "tier": 1, + "seq": 7, + "title": "Information Sharing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc", + "id_raw": "D3.PC", + "tier_raw": "Factor", + "tier": 1, + "seq": 8, + "title": "Preventative Controls", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc", + "id_raw": "D3.DC", + "tier_raw": "Factor", + "tier": 1, + "seq": 9, + "title": "Detective Controls", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc", + "id_raw": "D3.CC", + "tier_raw": "Factor", + "tier": 1, + "seq": 10, + "title": "Corrective Controls", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c", + "id_raw": "D4.C", + "tier_raw": "Factor", + "tier": 1, + "seq": 
11, + "title": "Connections", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm", + "id_raw": "D4.RM", + "tier_raw": "Factor", + "tier": 1, + "seq": 12, + "title": "Relationship Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir", + "id_raw": "D5.IR", + "tier_raw": "Factor", + "tier": 1, + "seq": 13, + "title": "Incident Resilience Planning and Strategy", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr", + "id_raw": "D5.DR", + "tier_raw": "Factor", + "tier": 1, + "seq": 14, + "title": "Detection, Response, and Mitigation", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er", + "id_raw": "D5.ER", + "tier_raw": "Factor", + "tier": 1, + "seq": 15, + "title": "Escalation and Reporting", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov", + "id_raw": "D1.G.Ov", + "tier_raw": "Component", + "tier": 2, + "seq": 1, + "title": "Oversight", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp", + "id_raw": "D1.G.SP", + "tier_raw": "Component", + "tier": 2, + "seq": 2, + "title": "Strategy / Policies", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it", + "id_raw": "D1.G.IT", + "tier_raw": "Component", + "tier": 2, + "seq": 3, + "title": "IT Asset Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp", + "id_raw": "D1.RM.RMP", + "tier_raw": "Component", + "tier": 2, + "seq": 4, + "title": "Risk Management Program", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra", + "id_raw": "D1.RM.RA", + "tier_raw": "Component", + "tier": 2, + "seq": 5, + "title": "Risk Assessment", + "description": null + }, + { + "source": 
"ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au", + "id_raw": "D1.RM.Au", + "tier_raw": "Component", + "tier": 2, + "seq": 6, + "title": "Audit", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st", + "id_raw": "D1.R.St", + "tier_raw": "Component", + "tier": 2, + "seq": 7, + "title": "Staffing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr", + "id_raw": "D1.TC.Tr", + "tier_raw": "Component", + "tier": 2, + "seq": 8, + "title": "Training", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu", + "id_raw": "D1.TC.Cu", + "tier_raw": "Component", + "tier": 2, + "seq": 9, + "title": "Culture", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti", + "id_raw": "D2.TI.Ti", + "tier_raw": "Component", + "tier": 2, + "seq": 10, + "title": "Threat Intelligence and Information", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma", + "id_raw": "D2.MA.Ma", + "tier_raw": "Component", + "tier": 2, + "seq": 11, + "title": "Monitoring and Analyzing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is", + "id_raw": "D2.IS.Is", + "tier_raw": "Component", + "tier": 2, + "seq": 12, + "title": "Information Sharing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im", + "id_raw": "D3.PC.Im", + "tier_raw": "Component", + "tier": 2, + "seq": 13, + "title": "Infrastructure Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am", + "id_raw": "D3.PC.Am", + "tier_raw": "Component", + "tier": 2, + "seq": 14, + "title": "Access and Data Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de", + "id_raw": "D3.PC.De", 
+ "tier_raw": "Component", + "tier": 2, + "seq": 15, + "title": "Device / End-Point Security", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se", + "id_raw": "D3.PC.Se", + "tier_raw": "Component", + "tier": 2, + "seq": 16, + "title": "Secure Coding", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th", + "id_raw": "D3.DC.Th", + "tier_raw": "Component", + "tier": 2, + "seq": 17, + "title": "Threat and Vulnerability Detection", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an", + "id_raw": "D3.DC.An", + "tier_raw": "Component", + "tier": 2, + "seq": 18, + "title": "Anomalous Activity Detection", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev", + "id_raw": "D3.DC.Ev", + "tier_raw": "Component", + "tier": 2, + "seq": 19, + "title": "Event Detection", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa", + "id_raw": "D3.CC.Pa", + "tier_raw": "Component", + "tier": 2, + "seq": 20, + "title": "Patch Management", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re", + "id_raw": "D3.CC.Re", + "tier_raw": "Component", + "tier": 2, + "seq": 21, + "title": "Remediation", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co", + "id_raw": "D4.C.Co", + "tier_raw": "Component", + "tier": 2, + "seq": 22, + "title": "Connections", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd", + "id_raw": "D4.RM.Dd", + "tier_raw": "Component", + "tier": 2, + "seq": 23, + "title": "Due Diligence", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co", + "id_raw": "D4.RM.Co", + "tier_raw": "Component", + "tier": 2, + "seq": 24, + "title": 
"Contracts", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om", + "id_raw": "D4.RM.Om", + "tier_raw": "Component", + "tier": 2, + "seq": 25, + "title": "Ongoing Monitoring", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl", + "id_raw": "D5.IR.Pl", + "tier_raw": "Component", + "tier": 2, + "seq": 26, + "title": "Planning", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te", + "id_raw": "D5.IR.Te", + "tier_raw": "Component", + "tier": 2, + "seq": 27, + "title": "Testing", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de", + "id_raw": "D5.DR.De", + "tier_raw": "Component", + "tier": 2, + "seq": 28, + "title": "Detection", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re", + "id_raw": "D5.DR.Re", + "tier_raw": "Component", + "tier": 2, + "seq": 29, + "title": "Response and Mitigation", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es", + "id_raw": "D5.ER.Es", + "tier_raw": "Component", + "tier": 2, + "seq": 30, + "title": "Escalation and Reporting", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b", + "id_raw": "D1.G.Ov.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 1, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.e", + "id_raw": "D1.G.Ov.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 2, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int", + "id_raw": "D1.G.Ov.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 3, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": 
"ffiec_cat_v2017.05:d1.g.ov.a", + "id_raw": "D1.G.Ov.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 4, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.inn", + "id_raw": "D1.G.Ov.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 5, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b", + "id_raw": "D1.G.SP.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 6, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.e", + "id_raw": "D1.G.SP.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 7, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int", + "id_raw": "D1.G.SP.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 8, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a", + "id_raw": "D1.G.SP.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 9, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.inn", + "id_raw": "D1.G.SP.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 10, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.b", + "id_raw": "D1.G.IT.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 11, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.e", + "id_raw": "D1.G.IT.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 12, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.int", + "id_raw": "D1.G.IT.Int", + "tier_raw": "Maturity 
Level", + "tier": 3, + "seq": 13, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.a", + "id_raw": "D1.G.IT.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 14, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.inn", + "id_raw": "D1.G.IT.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 15, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.b", + "id_raw": "D1.RM.RMP.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 16, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.e", + "id_raw": "D1.RM.RMP.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 17, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "id_raw": "D1.RM.RMP.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 18, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "id_raw": "D1.RM.RMP.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 19, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.inn", + "id_raw": "D1.RM.RMP.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 20, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.b", + "id_raw": "D1.RM.RA.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 21, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.e", + "id_raw": "D1.RM.RA.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 22, + "title": 
"Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.int", + "id_raw": "D1.RM.RA.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 23, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.a", + "id_raw": "D1.RM.RA.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 24, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.inn", + "id_raw": "D1.RM.RA.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 25, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.b", + "id_raw": "D1.RM.Au.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 26, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e", + "id_raw": "D1.RM.Au.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 27, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.int", + "id_raw": "D1.RM.Au.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 28, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.a", + "id_raw": "D1.RM.Au.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 29, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.inn", + "id_raw": "D1.RM.Au.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 30, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.b", + "id_raw": "D1.R.St.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 31, + "title": "Baseline", + "description": null + }, + { + "source": 
"ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.e", + "id_raw": "D1.R.St.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 32, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.int", + "id_raw": "D1.R.St.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 33, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.a", + "id_raw": "D1.R.St.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 34, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.inn", + "id_raw": "D1.R.St.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 35, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.b", + "id_raw": "D1.TC.Tr.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 36, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e", + "id_raw": "D1.TC.Tr.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 37, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.int", + "id_raw": "D1.TC.Tr.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 38, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.a", + "id_raw": "D1.TC.Tr.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 39, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.inn", + "id_raw": "D1.TC.Tr.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 40, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.b", 
+ "id_raw": "D1.TC.Cu.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 41, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.e", + "id_raw": "D1.TC.Cu.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 42, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.int", + "id_raw": "D1.TC.Cu.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 43, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.a", + "id_raw": "D1.TC.Cu.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 44, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.inn", + "id_raw": "D1.TC.Cu.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 45, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.b", + "id_raw": "D2.TI.Ti.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 46, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.e", + "id_raw": "D2.TI.Ti.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 47, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.int", + "id_raw": "D2.TI.Ti.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 48, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.a", + "id_raw": "D2.TI.Ti.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 49, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.inn", + "id_raw": "D2.TI.Ti.Inn", + "tier_raw": "Maturity 
Level", + "tier": 3, + "seq": 50, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.b", + "id_raw": "D2.MA.Ma.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 51, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.e", + "id_raw": "D2.MA.Ma.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 52, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.int", + "id_raw": "D2.MA.Ma.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 53, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a", + "id_raw": "D2.MA.Ma.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 54, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.inn", + "id_raw": "D2.MA.Ma.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 55, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.b", + "id_raw": "D2.IS.Is.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 56, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.e", + "id_raw": "D2.IS.Is.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 57, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.int", + "id_raw": "D2.IS.Is.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 58, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.a", + "id_raw": "D2.IS.Is.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 59, + "title": "Advanced", + 
"description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.inn", + "id_raw": "D2.IS.Is.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 60, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b", + "id_raw": "D3.PC.Im.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 61, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e", + "id_raw": "D3.PC.Im.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 62, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int", + "id_raw": "D3.PC.Im.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 63, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.a", + "id_raw": "D3.PC.Im.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 64, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.inn", + "id_raw": "D3.PC.Im.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 65, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b", + "id_raw": "D3.PC.Am.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 66, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e", + "id_raw": "D3.PC.Am.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 67, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int", + "id_raw": "D3.PC.Am.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 68, + "title": "Intermediate", + "description": null + }, + { + "source": 
"ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.a", + "id_raw": "D3.PC.Am.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 69, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn", + "id_raw": "D3.PC.Am.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 70, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.b", + "id_raw": "D3.PC.De.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 71, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e", + "id_raw": "D3.PC.De.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 72, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.int", + "id_raw": "D3.PC.De.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 73, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.a", + "id_raw": "D3.PC.De.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 74, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.inn", + "id_raw": "D3.PC.De.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 75, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.b", + "id_raw": "D3.PC.Se.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 76, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.e", + "id_raw": "D3.PC.Se.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 77, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": 
"ffiec_cat_v2017.05:d3.pc.se.int", + "id_raw": "D3.PC.Se.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 78, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.a", + "id_raw": "D3.PC.Se.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 79, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.inn", + "id_raw": "D3.PC.Se.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 80, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.b", + "id_raw": "D3.DC.Th.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 81, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e", + "id_raw": "D3.DC.Th.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 82, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.int", + "id_raw": "D3.DC.Th.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 83, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.a", + "id_raw": "D3.DC.Th.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 84, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.inn", + "id_raw": "D3.DC.Th.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 85, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b", + "id_raw": "D3.DC.An.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 86, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.e", + "id_raw": 
"D3.DC.An.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 87, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int", + "id_raw": "D3.DC.An.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 88, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a", + "id_raw": "D3.DC.An.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 89, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.inn", + "id_raw": "D3.DC.An.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 90, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b", + "id_raw": "D3.DC.Ev.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 91, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.e", + "id_raw": "D3.DC.Ev.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 92, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.int", + "id_raw": "D3.DC.Ev.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 93, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.a", + "id_raw": "D3.DC.Ev.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 94, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.inn", + "id_raw": "D3.DC.Ev.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 95, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.b", + "id_raw": "D3.CC.Pa.B", + "tier_raw": "Maturity Level", + 
"tier": 3, + "seq": 96, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e", + "id_raw": "D3.CC.Pa.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 97, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.int", + "id_raw": "D3.CC.Pa.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 98, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.a", + "id_raw": "D3.CC.Pa.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 99, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.inn", + "id_raw": "D3.CC.Pa.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 100, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.b", + "id_raw": "D3.CC.Re.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 101, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.e", + "id_raw": "D3.CC.Re.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 102, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int", + "id_raw": "D3.CC.Re.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 103, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.a", + "id_raw": "D3.CC.Re.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 104, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.inn", + "id_raw": "D3.CC.Re.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 105, + "title": "Innovative", + 
"description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.b", + "id_raw": "D4.C.Co.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 106, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.e", + "id_raw": "D4.C.Co.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 107, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.int", + "id_raw": "D4.C.Co.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 108, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.a", + "id_raw": "D4.C.Co.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 109, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.inn", + "id_raw": "D4.C.Co.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 110, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.b", + "id_raw": "D4.RM.Dd.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 111, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.e", + "id_raw": "D4.RM.Dd.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 112, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.int", + "id_raw": "D4.RM.Dd.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 113, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.a", + "id_raw": "D4.RM.Dd.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 114, + "title": "Advanced", + "description": null + }, + { + "source": 
"ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.inn", + "id_raw": "D4.RM.Dd.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 115, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b", + "id_raw": "D4.RM.Co.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 116, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.e", + "id_raw": "D4.RM.Co.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 117, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.int", + "id_raw": "D4.RM.Co.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 118, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.a", + "id_raw": "D4.RM.Co.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 119, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.inn", + "id_raw": "D4.RM.Co.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 120, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.b", + "id_raw": "D4.RM.Om.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 121, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.e", + "id_raw": "D4.RM.Om.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 122, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.int", + "id_raw": "D4.RM.Om.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 123, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": 
"ffiec_cat_v2017.05:d4.rm.om.a", + "id_raw": "D4.RM.Om.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 124, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.inn", + "id_raw": "D4.RM.Om.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 125, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b", + "id_raw": "D5.IR.Pl.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 126, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e", + "id_raw": "D5.IR.Pl.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 127, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.int", + "id_raw": "D5.IR.Pl.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 128, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.a", + "id_raw": "D5.IR.Pl.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 129, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.inn", + "id_raw": "D5.IR.Pl.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 130, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.b", + "id_raw": "D5.IR.Te.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 131, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.e", + "id_raw": "D5.IR.Te.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 132, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int", + "id_raw": 
"D5.IR.Te.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 133, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a", + "id_raw": "D5.IR.Te.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 134, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.inn", + "id_raw": "D5.IR.Te.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 135, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.b", + "id_raw": "D5.DR.De.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 136, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.e", + "id_raw": "D5.DR.De.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 137, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int", + "id_raw": "D5.DR.De.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 138, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.a", + "id_raw": "D5.DR.De.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 139, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.inn", + "id_raw": "D5.DR.De.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 140, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.b", + "id_raw": "D5.DR.Re.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 141, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e", + "id_raw": "D5.DR.Re.E", + "tier_raw": "Maturity Level", + 
"tier": 3, + "seq": 142, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.int", + "id_raw": "D5.DR.Re.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 143, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.a", + "id_raw": "D5.DR.Re.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 144, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.inn", + "id_raw": "D5.DR.Re.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 145, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.b", + "id_raw": "D5.ER.Es.B", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 146, + "title": "Baseline", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.e", + "id_raw": "D5.ER.Es.E", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 147, + "title": "Evolving", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.int", + "id_raw": "D5.ER.Es.Int", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 148, + "title": "Intermediate", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.a", + "id_raw": "D5.ER.Es.A", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 149, + "title": "Advanced", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.inn", + "id_raw": "D5.ER.Es.Inn", + "tier_raw": "Maturity Level", + "tier": 3, + "seq": 150, + "title": "Innovative", + "description": null + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b.1", + "id_raw": "D1.G.Ov.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 1, + "title": null, + 
"description": "Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b.2", + "id_raw": "D1.G.Ov.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 2, + "title": null, + "description": "Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b.3", + "id_raw": "D1.G.Ov.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 3, + "title": null, + "description": "Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b.4", + "id_raw": "D1.G.Ov.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 4, + "title": null, + "description": "The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.b.5", + "id_raw": "D1.G.Ov.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 5, + "title": null, + "description": "Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. 
(FFIEC Business Continuity Planning Booklet, page J-12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.e.1", + "id_raw": "D1.G.Ov.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 6, + "title": null, + "description": "At least annually, the board or an appropriate board committee reviews\nand approves the institution’s cybersecurity program." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.e.2", + "id_raw": "D1.G.Ov.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 7, + "title": null, + "description": "Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.e.3", + "id_raw": "D1.G.Ov.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 8, + "title": null, + "description": "Cybersecurity tools and staff are requested through the budget process." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.e.4", + "id_raw": "D1.G.Ov.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 9, + "title": null, + "description": "There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the budgeting process." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.1", + "id_raw": "D1.G.Ov.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 10, + "title": null, + "description": "The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.2", + "id_raw": "D1.G.Ov.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 11, + "title": null, + "description": "The standard board meeting package includes reports and metrics that go beyond events and incidents to address threat intelligence trends and the institution’s security posture." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.3", + "id_raw": "D1.G.Ov.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 12, + "title": null, + "description": "The institution has a cyber risk appetite statement approved by the board or an appropriate board committee." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.4", + "id_raw": "D1.G.Ov.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 13, + "title": null, + "description": "Cyber risks that exceed the risk appetite are escalated to management. " + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.5", + "id_raw": "D1.G.Ov.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 14, + "title": null, + "description": "The board or an appropriate board committee ensures management’s annual cybersecurity self-assessment evaluates the institution’s ability to meet its cyber risk management standards." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.6", + "id_raw": "D1.G.Ov.Int.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 15, + "title": null, + "description": "The board or an appropriate board committee reviews and approves management’s prioritization and resource allocation decisions based on the results of the cyber assessments." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.7", + "id_raw": "D1.G.Ov.Int.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 16, + "title": null, + "description": "The board or an appropriate board committee ensures management takes appropriate actions to address changing cyber risks or significant cybersecurity issues." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.int.8", + "id_raw": "D1.G.Ov.Int.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 17, + "title": null, + "description": "The budget process for requesting additional cybersecurity staff and tools is integrated into business units’ budget processes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.1", + "id_raw": "D1.G.Ov.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 18, + "title": null, + "description": "The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.2", + "id_raw": "D1.G.Ov.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 19, + "title": null, + "description": "Management has a formal process to continuously improve cybersecurity oversight." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.3", + "id_raw": "D1.G.Ov.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 20, + "title": null, + "description": "The budget process for requesting additional cybersecurity staff and tools maps current resources and tools to the cybersecurity strategy." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.4", + "id_raw": "D1.G.Ov.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 21, + "title": null, + "description": "Management and the board or an appropriate board committee hold business units accountable for effectively managing all cyber risks associated with their activities." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.5", + "id_raw": "D1.G.Ov.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 22, + "title": null, + "description": "Management identifies root cause(s) when cyber attacks result in material loss." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.a.6", + "id_raw": "D1.G.Ov.A.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 23, + "title": null, + "description": "The board or an appropriate board committee ensures that management’s actions consider the cyber risks that the institution poses to the financial sector." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.inn.1", + "id_raw": "D1.G.Ov.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 24, + "title": null, + "description": "The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.ov.inn.2", + "id_raw": "D1.G.Ov.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 25, + "title": null, + "description": "The board or an appropriate board committee verifies that management’s actions consider the cyber risks that the institution poses to other critical infrastructures (e.g., telecommunications, energy)." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.1", + "id_raw": "D1.G.SP.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 26, + "title": null, + "description": "The institution has an information security strategy that integrates technology, policies, procedures, and training to mitigate risk. (FFIEC Information Security Booklet, page 3)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.2", + "id_raw": "D1.G.SP.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 27, + "title": null, + "description": "The institution has policies commensurate with its risk and complexity that address the concepts of information technology risk management. (FFIEC Information Security Booklet, page, 16)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.3", + "id_raw": "D1.G.SP.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 28, + "title": null, + "description": "The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E- Banking Booklet, page 28)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.4", + "id_raw": "D1.G.SP.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 29, + "title": null, + "description": "The institution has board-approved policies commensurate with its risk and complexity that address information security. (FFIEC Information Security Booklet, page 16)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.5", + "id_raw": "D1.G.SP.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 30, + "title": null, + "description": "The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management. 
(FFIEC Outsourcing Booklet, page 2)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.6", + "id_raw": "D1.G.SP.B.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 31, + "title": null, + "description": "The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.b.7", + "id_raw": "D1.G.SP.B.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 32, + "title": null, + "description": "All elements of the information security program are coordinated enterprise-wide. (FFIEC Information Security Booklet, page 7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.e.1", + "id_raw": "D1.G.SP.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 33, + "title": null, + "description": "The institution augmented its information security strategy to incorporate cybersecurity and resilience." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.e.2", + "id_raw": "D1.G.SP.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 34, + "title": null, + "description": "The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.e.3", + "id_raw": "D1.G.SP.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 35, + "title": null, + "description": "A formal process is in place to update policies as the institution’s inherent risk profile changes." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int.1", + "id_raw": "D1.G.SP.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 36, + "title": null, + "description": "The institution has a comprehensive set of policies commensurate with its risk and complexity that address the concepts of threat intelligence." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int.2", + "id_raw": "D1.G.SP.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 37, + "title": null, + "description": "Management periodically reviews the cybersecurity strategy to address evolving cyber threats and changes to the institution’s inherent risk profile." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int.3", + "id_raw": "D1.G.SP.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 38, + "title": null, + "description": "The cybersecurity strategy is incorporated into, or conceptually fits within, the institution’s enterprise-wide risk management strategy. " + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int.4", + "id_raw": "D1.G.SP.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 39, + "title": null, + "description": "Management links strategic cybersecurity objectives to tactical goals." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.int.5", + "id_raw": "D1.G.SP.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 40, + "title": null, + "description": "A formal process is in place to cross-reference and simultaneously update all policies related to cyber risks across business lines." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a.1", + "id_raw": "D1.G.SP.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 41, + "title": null, + "description": "The cybersecurity strategy outlines the institution’s future state of\ncybersecurity with short-term and long-term perspectives." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a.2", + "id_raw": "D1.G.SP.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 42, + "title": null, + "description": "Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a.3", + "id_raw": "D1.G.SP.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 43, + "title": null, + "description": "The cybersecurity strategy identifies and communicates the institution’s role as a component of critical infrastructure in the financial services industry." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a.4", + "id_raw": "D1.G.SP.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 44, + "title": null, + "description": "The risk appetite is informed by the institution’s role in critical infrastructure." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.a.5", + "id_raw": "D1.G.SP.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 45, + "title": null, + "description": "Management is continuously improving the existing cybersecurity program to adapt as the desired cybersecurity target state changes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.sp.inn.1", + "id_raw": "D1.G.SP.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 46, + "title": null, + "description": "The cybersecurity strategy identifies and communicates the institution's role as it relates to other critical infrastructures." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.b.1", + "id_raw": "D1.G.IT.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 47, + "title": null, + "description": "An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. 
(FFIEC Information Security Booklet, page 9)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.b.2", + "id_raw": "D1.G.IT.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 48, + "title": null, + "description": "Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value. (FFIEC Information Security Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.b.3", + "id_raw": "D1.G.IT.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 49, + "title": null, + "description": "Management assigns accountability for maintaining an inventory of organizational assets. (FFIEC Information Security Booklet, page 9)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.b.4", + "id_raw": "D1.G.IT.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 50, + "title": null, + "description": "A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools. (FFIEC Information Security Booklet, page 56)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.e.1", + "id_raw": "D1.G.IT.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 51, + "title": null, + "description": "The asset inventory, including identification of critical assets, is updated at least annually to address new, relocated, re-purposed, and sunset assets." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.e.2", + "id_raw": "D1.G.IT.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 52, + "title": null, + "description": "The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.e.3", + "id_raw": "D1.G.IT.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 53, + "title": null, + "description": "The institution proactively manages system EOL (e.g., replacement) to limit security risks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.e.4", + "id_raw": "D1.G.IT.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 54, + "title": null, + "description": "Changes are formally approved by an individual or committee with appropriate authority and with separation of duties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.int.1", + "id_raw": "D1.G.IT.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 55, + "title": null, + "description": "Baseline configurations cannot be altered without a formal change request, documented approval, and an assessment of security implications." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.int.2", + "id_raw": "D1.G.IT.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 56, + "title": null, + "description": "A formal IT change management process requires cybersecurity risk to be evaluated during the analysis, approval, testing, and reporting of changes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.a.1", + "id_raw": "D1.G.IT.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 57, + "title": null, + "description": "Supply chain risk is reviewed before the acquisition of mission-critical information systems including system components." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.a.2", + "id_raw": "D1.G.IT.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 58, + "title": null, + "description": "Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.a.3", + "id_raw": "D1.G.IT.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 59, + "title": null, + "description": "Automated processes are in place to detect and block unauthorized changes to software and hardware." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.a.4", + "id_raw": "D1.G.IT.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 60, + "title": null, + "description": "The change management system uses thresholds to determine when a risk assessment of the impact of the change is required." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.inn.1", + "id_raw": "D1.G.IT.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 61, + "title": null, + "description": "A formal change management function governs decentralized or highly distributed change requests and identifies and measures security risks that may cause increased exposure to cyber attack." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.g.it.inn.2", + "id_raw": "D1.G.IT.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 62, + "title": null, + "description": "Comprehensive automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.b.1", + "id_raw": "D1.RM.RMP.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 63, + "title": null, + "description": "An information security and business continuity risk management function(s) exists within the institution. 
(FFIEC Information Security Booklet, page 68)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.e.1", + "id_raw": "D1.RM.RMP.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 64, + "title": null, + "description": "The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.e.2", + "id_raw": "D1.RM.RMP.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 65, + "title": null, + "description": "Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.e.3", + "id_raw": "D1.RM.RMP.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 66, + "title": null, + "description": "Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int.1", + "id_raw": "D1.RM.RMP.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 67, + "title": null, + "description": "The cybersecurity function has a clear reporting line that does not present a conflict of interest." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int.2", + "id_raw": "D1.RM.RMP.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 68, + "title": null, + "description": "The risk management program specifically addresses cyber risks beyond the boundaries of the technological impacts (e.g., financial, strategic, regulatory, compliance)." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int.3", + "id_raw": "D1.RM.RMP.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 69, + "title": null, + "description": "Benchmarks or target performance metrics have been established for showing improvements or regressions of the security posture over time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int.4", + "id_raw": "D1.RM.RMP.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 70, + "title": null, + "description": "Management uses the results of independent audits and reviews to improve cybersecurity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.int.5", + "id_raw": "D1.RM.RMP.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 71, + "title": null, + "description": "There is a process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a.1", + "id_raw": "D1.RM.RMP.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 72, + "title": null, + "description": "Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a.2", + "id_raw": "D1.RM.RMP.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 73, + "title": null, + "description": "Independent risk management sets and monitors cyber-related risk limits for business units." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a.3", + "id_raw": "D1.RM.RMP.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 74, + "title": null, + "description": "Independent risk management staff escalates to management and the board or an appropriate board committee significant discrepancies from business unit’s assessments of cyber-related risk." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a.4", + "id_raw": "D1.RM.RMP.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 75, + "title": null, + "description": "A process is in place to analyze the financial impact cyber incidents have on the institution’s capital." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.a.5", + "id_raw": "D1.RM.RMP.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 76, + "title": null, + "description": "The cyber risk data aggregation and real-time reporting capabilities support the institution’s ongoing reporting needs, particularly during cyber incidents." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.inn.1", + "id_raw": "D1.RM.RMP.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 77, + "title": null, + "description": "The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors to enable more predictive risk management." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.rmp.inn.2", + "id_raw": "D1.RM.RMP.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 78, + "title": null, + "description": "A process is in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.b.1", + "id_raw": "D1.RM.RA.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 79, + "title": null, + "description": "A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. 
(FFIEC Information Security Booklet, page 8)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.b.2", + "id_raw": "D1.RM.RA.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 80, + "title": null, + "description": "The risk assessment identifies internet-based systems and high-risk transactions that warrant additional authentication controls. (FFIEC Information Security Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.b.3", + "id_raw": "D1.RM.RA.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 81, + "title": null, + "description": "The risk assessment is updated to address new technologies, products, services, and connections before deployment. (FFIEC Information Security Booklet, page 13)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.e.1", + "id_raw": "D1.RM.RA.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 82, + "title": null, + "description": "Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.e.2", + "id_raw": "D1.RM.RA.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 83, + "title": null, + "description": "The focus of the risk assessment has expanded beyond customer information to address all information assets." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.e.3", + "id_raw": "D1.RM.RA.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 84, + "title": null, + "description": "The risk assessment considers the risk of using EOL software and hardware components." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.int.1", + "id_raw": "D1.RM.RA.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 85, + "title": null, + "description": "The risk assessment is adjusted to consider widely known risks or risk management practices." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.a.1", + "id_raw": "D1.RM.RA.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 86, + "title": null, + "description": "An enterprise-wide risk management function incorporates cyber threat analysis and specific risk exposure as part of the enterprise risk assessment." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.inn.1", + "id_raw": "D1.RM.RA.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 87, + "title": null, + "description": "The risk assessment is updated in real time as changes to the risk profile occur, new applicable standards are released or updated, and new exposures are anticipated." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.inn.2", + "id_raw": "D1.RM.RA.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 88, + "title": null, + "description": "The institution uses information from risk assessments to predict threats and drive real-time responses." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.ra.inn.3", + "id_raw": "D1.RM.RA.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 89, + "title": null, + "description": "Advanced or automated analytics offer predictive information and real- time risk metrics." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.b.1", + "id_raw": "D1.RM.Au.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 90, + "title": null, + "description": "Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems. (FFIEC Audit Booklet, page 4)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.b.2", + "id_raw": "D1.RM.Au.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 91, + "title": null, + "description": "The independent audit function validates controls related to the storage or transmission of confidential data. (FFIEC Audit Booklet, page 1)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.b.3", + "id_raw": "D1.RM.Au.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 92, + "title": null, + "description": "Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance). (FFIEC Operations Booklet, page 29)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.b.4", + "id_raw": "D1.RM.Au.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 93, + "title": null, + "description": "Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. (FFIEC Information Security Booklet, page 6)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e.1", + "id_raw": "D1.RM.Au.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 94, + "title": null, + "description": "The independent audit function validates that the risk management\nfunction is commensurate with the institution’s risk and complexity." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e.2", + "id_raw": "D1.RM.Au.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 95, + "title": null, + "description": "The independent audit function validates that the institution’s threat information sharing is commensurate with the institution’s risk and complexity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e.3", + "id_raw": "D1.RM.Au.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 96, + "title": null, + "description": "The independent audit function validates that the institution’s cybersecurity controls function is commensurate with the institution’s risk and complexity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e.4", + "id_raw": "D1.RM.Au.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 97, + "title": null, + "description": "The independent audit function validates that the institution’s third-party relationship management is commensurate with the institution’s risk and complexity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.e.5", + "id_raw": "D1.RM.Au.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 98, + "title": null, + "description": "The independent audit function validates that the institution’s incident response program and resilience are commensurate with the institution’s risk and complexity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.int.1", + "id_raw": "D1.RM.Au.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 99, + "title": null, + "description": "A formal process is in place for the independent audit function to update\nits procedures based on changes to the institution’s inherent risk profile." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.int.2", + "id_raw": "D1.RM.Au.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 100, + "title": null, + "description": "The independent audit function validates that the institution’s threat intelligence and collaboration are commensurate with the institution’s risk and complexity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.int.3", + "id_raw": "D1.RM.Au.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 101, + "title": null, + "description": "The independent audit function regularly reviews management’s cyber risk appetite statement." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.int.4", + "id_raw": "D1.RM.Au.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 102, + "title": null, + "description": "Independent audits or reviews are used to identify gaps in existing security capabilities and expertise." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.a.1", + "id_raw": "D1.RM.Au.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 103, + "title": null, + "description": "A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.a.2", + "id_raw": "D1.RM.Au.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 104, + "title": null, + "description": "The independent audit function regularly reviews the institution’s cyber risk appetite statement in comparison to assessment results and incorporates gaps into the audit strategy." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.a.3", + "id_raw": "D1.RM.Au.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 105, + "title": null, + "description": "Independent audits or reviews are used to identify cybersecurity weaknesses, root causes, and the potential impact to business units." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.inn.1", + "id_raw": "D1.RM.Au.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 106, + "title": null, + "description": "A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.rm.au.inn.2", + "id_raw": "D1.RM.Au.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 107, + "title": null, + "description": "The independent audit function uses sophisticated data mining tools to perform continuous monitoring of cybersecurity processes or controls." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.b.1", + "id_raw": "D1.R.St.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 108, + "title": null, + "description": "Information security roles and responsibilities have been identified.\n(FFIEC Information Security Booklet, page 7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.b.2", + "id_raw": "D1.R.St.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 109, + "title": null, + "description": "Processes are in place to identify additional expertise needed to improve information security defenses. 
(FFIEC Information Security Work Program, Objective I: 2-8)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.e.1", + "id_raw": "D1.R.St.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 110, + "title": null, + "description": "A formal process is used to identify cybersecurity tools and expertise that may be needed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.e.2", + "id_raw": "D1.R.St.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 111, + "title": null, + "description": "Management with appropriate knowledge and experience leads the institution's cybersecurity efforts." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.e.3", + "id_raw": "D1.R.St.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 112, + "title": null, + "description": "Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.e.4", + "id_raw": "D1.R.St.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 113, + "title": null, + "description": "Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.int.1", + "id_raw": "D1.R.St.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 114, + "title": null, + "description": "The institution has a program for talent recruitment, retention, and succession planning for the cybersecurity and resilience staffs." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.a.1", + "id_raw": "D1.R.St.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 115, + "title": null, + "description": "The institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.a.2", + "id_raw": "D1.R.St.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 116, + "title": null, + "description": "Dedicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.r.st.inn.1", + "id_raw": "D1.R.St.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 117, + "title": null, + "description": "The institution actively partners with industry associations and academia to inform curricula based on future cybersecurity staffing needs of the industry." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.b.1", + "id_raw": "D1.TC.Tr.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 118, + "title": null, + "description": "Annual information security training is provided. (FFIEC Information\nSecurity Booklet, page 66)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.b.2", + "id_raw": "D1.TC.Tr.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 119, + "title": null, + "description": "Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues. 
(FFIEC Information Security Booklet, page 66)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.b.3", + "id_raw": "D1.TC.Tr.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 120, + "title": null, + "description": "Situational awareness materials are made available to employees when prompted by highly visible cyber events or by regulatory alerts. \n(FFIEC Information Security Booklet, page 7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.b.4", + "id_raw": "D1.TC.Tr.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 121, + "title": null, + "description": "Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials). (FFIEC E-Banking Work Program, Objective 6-3)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e.1", + "id_raw": "D1.TC.Tr.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 122, + "title": null, + "description": "The institution has a program for continuing cybersecurity training and skill development for cybersecurity staff." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e.2", + "id_raw": "D1.TC.Tr.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 123, + "title": null, + "description": "Management is provided cybersecurity training relevant to their job responsibilities." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e.3", + "id_raw": "D1.TC.Tr.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 124, + "title": null, + "description": "Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e.4", + "id_raw": "D1.TC.Tr.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 125, + "title": null, + "description": "Business units are provided cybersecurity training relevant to their particular business risks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.e.5", + "id_raw": "D1.TC.Tr.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 126, + "title": null, + "description": "The institution validates the effectiveness of training (e.g., social engineering or phishing tests)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.int.1", + "id_raw": "D1.TC.Tr.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 127, + "title": null, + "description": "Management incorporates lessons learned from social engineering and phishing exercises to improve the employee awareness programs." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.int.2", + "id_raw": "D1.TC.Tr.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 128, + "title": null, + "description": "Cybersecurity awareness information is provided to retail customers and commercial clients at least annually." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.int.3", + "id_raw": "D1.TC.Tr.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 129, + "title": null, + "description": "Business units are provided cybersecurity training relevant to their particular business risks, over and above what is required of the institution as a whole." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.int.4", + "id_raw": "D1.TC.Tr.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 130, + "title": null, + "description": "The institution routinely updates its training to security staff to adapt to new threats." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.a.1", + "id_raw": "D1.TC.Tr.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 131, + "title": null, + "description": "Independent directors are provided with cybersecurity training that addresses how complex products, services, and lines of business affect the institution's cyber risk." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.tr.inn.1", + "id_raw": "D1.TC.Tr.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 132, + "title": null, + "description": "Key performance indicators are used to determine whether training and awareness programs positively influence behavior." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.b.1", + "id_raw": "D1.TC.Cu.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 133, + "title": null, + "description": "Management holds employees accountable for complying with the information security program. (FFIEC Information Security Booklet, page\n7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.e.1", + "id_raw": "D1.TC.Cu.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 134, + "title": null, + "description": "The institution has formal standards of conduct that hold all employees accountable for complying with cybersecurity policies and procedures." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.e.2", + "id_raw": "D1.TC.Cu.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 135, + "title": null, + "description": "Cyber risks are actively discussed at business unit meetings. " + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.e.3", + "id_raw": "D1.TC.Cu.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 136, + "title": null, + "description": "Employees have a clear understanding of how to identify and escalate potential cybersecurity issues." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.int.1", + "id_raw": "D1.TC.Cu.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 137, + "title": null, + "description": "Management ensures performance plans are tied to compliance with cybersecurity policies and standards in order to hold employees accountable." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.int.2", + "id_raw": "D1.TC.Cu.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 138, + "title": null, + "description": "The risk culture requires formal consideration of cyber risks in all business decisions." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.int.3", + "id_raw": "D1.TC.Cu.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 139, + "title": null, + "description": "Cyber risk reporting is presented and discussed at the independent risk management meetings." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.a.1", + "id_raw": "D1.TC.Cu.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 140, + "title": null, + "description": "Management ensures continuous improvement of cyber risk cultural awareness." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d1.tc.cu.inn.1", + "id_raw": "D1.TC.Cu.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 141, + "title": null, + "description": "The institution leads efforts to promote cybersecurity culture across the sector and to other sectors that they depend upon." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.b.1", + "id_raw": "D2.TI.Ti.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 142, + "title": null, + "description": "The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. 
Computer Emergency Readiness Team [US-CERT]). (FFIEC E- Banking Work Program, page 28)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.b.2", + "id_raw": "D2.TI.Ti.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 143, + "title": null, + "description": "Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.b.3", + "id_raw": "D2.TI.Ti.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 144, + "title": null, + "description": "Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.e.1", + "id_raw": "D2.TI.Ti.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 145, + "title": null, + "description": "Threat information received by the institution includes analysis of tactics, patterns, and risk mitigation recommendations." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.int.1", + "id_raw": "D2.TI.Ti.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 146, + "title": null, + "description": "A formal threat intelligence program is implemented and includes subscription to threat feeds from external providers and internal sources." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.int.2", + "id_raw": "D2.TI.Ti.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 147, + "title": null, + "description": "Protocols are implemented for collecting information from industry peers and government." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.int.3", + "id_raw": "D2.TI.Ti.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 148, + "title": null, + "description": "A read-only, central repository of cyber threat intelligence is maintained." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.a.1", + "id_raw": "D2.TI.Ti.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 149, + "title": null, + "description": "A cyber intelligence model is used for gathering threat information." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.a.2", + "id_raw": "D2.TI.Ti.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 150, + "title": null, + "description": "Threat intelligence is automatically received from multiple sources in real time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.a.3", + "id_raw": "D2.TI.Ti.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 151, + "title": null, + "description": "The institution’s threat intelligence includes information related to geopolitical events that could increase cybersecurity threat levels." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.inn.1", + "id_raw": "D2.TI.Ti.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 152, + "title": null, + "description": "A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ti.ti.inn.2", + "id_raw": "D2.TI.Ti.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 153, + "title": null, + "description": "The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.b.1", + "id_raw": "D2.MA.Ma.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 154, + "title": null, + "description": "Audit log records and other security event logs are reviewed and retained in a secure manner. 
(FFIEC Information Security Booklet, page 79)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.b.2", + "id_raw": "D2.MA.Ma.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 155, + "title": null, + "description": "Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.e.1", + "id_raw": "D2.MA.Ma.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 156, + "title": null, + "description": "A process is implemented to monitor threat information to discover emerging threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.e.2", + "id_raw": "D2.MA.Ma.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 157, + "title": null, + "description": "The threat information and analysis process is assigned to a specific group or individual." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.e.3", + "id_raw": "D2.MA.Ma.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 158, + "title": null, + "description": "Security processes and technology are centralized and coordinated in a Security Operations Center (SOC) or equivalent." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.e.4", + "id_raw": "D2.MA.Ma.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 159, + "title": null, + "description": "Monitoring systems operate continuously with adequate support for efficient incident handling." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.int.1", + "id_raw": "D2.MA.Ma.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 160, + "title": null, + "description": "A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance, and exposure." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.int.2", + "id_raw": "D2.MA.Ma.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 161, + "title": null, + "description": "A profile is created for each threat that identifies the likely intent, capability, and target of the threat." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.int.3", + "id_raw": "D2.MA.Ma.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 162, + "title": null, + "description": "Threat information sources that address all components of the threat profile are prioritized and monitored." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.int.4", + "id_raw": "D2.MA.Ma.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 163, + "title": null, + "description": "Threat intelligence is analyzed to develop cyber threat summaries including risks to the institution and specific actions for the institution to consider." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a.1", + "id_raw": "D2.MA.Ma.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 164, + "title": null, + "description": "A dedicated cyber threat identification and analysis committee or team exists to centralize and coordinate initiatives and communications." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a.2", + "id_raw": "D2.MA.Ma.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 165, + "title": null, + "description": "Formal processes have been defined to resolve potential conflicts in information received from sharing and analysis centers or other sources." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a.3", + "id_raw": "D2.MA.Ma.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 166, + "title": null, + "description": "Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a.4", + "id_raw": "D2.MA.Ma.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 167, + "title": null, + "description": "Threat intelligence is viewed within the context of the institution's risk profile and risk appetite to prioritize mitigating actions in anticipation of threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.a.5", + "id_raw": "D2.MA.Ma.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 168, + "title": null, + "description": "Threat intelligence is used to update architecture and configuration standards." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.inn.1", + "id_raw": "D2.MA.Ma.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 169, + "title": null, + "description": "The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.inn.2", + "id_raw": "D2.MA.Ma.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 170, + "title": null, + "description": "Highest risk scenarios are used to predict threats against specific business targets." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.ma.ma.inn.3", + "id_raw": "D2.MA.Ma.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 171, + "title": null, + "description": "IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.b.1", + "id_raw": "D2.IS.Is.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 172, + "title": null, + "description": "Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.b.2", + "id_raw": "D2.IS.Is.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 173, + "title": null, + "description": "Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.b.3", + "id_raw": "D2.IS.Is.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 174, + "title": null, + "description": "Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.e.1", + "id_raw": "D2.IS.Is.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 175, + "title": null, + "description": "A formal and secure process is in place to share threat and vulnerability information with other entities." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.e.2", + "id_raw": "D2.IS.Is.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 176, + "title": null, + "description": "A representative from the institution participates in law enforcement or information-sharing organization meetings." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.int.1", + "id_raw": "D2.IS.Is.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 177, + "title": null, + "description": "A formal protocol is in place for sharing threat, vulnerability, and incident information to employees based on their specific job function." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.int.2", + "id_raw": "D2.IS.Is.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 178, + "title": null, + "description": "Information-sharing agreements are used as needed or required to facilitate sharing threat information with other financial sector organizations or third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.int.3", + "id_raw": "D2.IS.Is.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 179, + "title": null, + "description": "Information is shared proactively with the industry, law enforcement, regulators, and information-sharing forums." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.int.4", + "id_raw": "D2.IS.Is.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 180, + "title": null, + "description": "A process is in place to communicate and collaborate with the public sector regarding cyber threats." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.a.1", + "id_raw": "D2.IS.Is.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 181, + "title": null, + "description": "Management communicates threat intelligence with business risk context and specific risk management recommendations to the business units." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.a.2", + "id_raw": "D2.IS.Is.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 182, + "title": null, + "description": "Relationships exist with employees of peer institutions for sharing cyber threat intelligence." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.a.3", + "id_raw": "D2.IS.Is.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 183, + "title": null, + "description": "A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.inn.1", + "id_raw": "D2.IS.Is.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 184, + "title": null, + "description": "A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.inn.2", + "id_raw": "D2.IS.Is.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 185, + "title": null, + "description": "A system automatically informs management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d2.is.is.inn.3", + "id_raw": "D2.IS.Is.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 186, + "title": null, + "description": "The institution is leading efforts to create new sector-wide information- sharing channels to address gaps in external-facing information-sharing mechanisms." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.1", + "id_raw": "D3.PC.Im.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 187, + "title": null, + "description": "Network perimeter defense tools (e.g., border router and firewall) are used. (FFIEC Information Security Booklet, page 33)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.2", + "id_raw": "D3.PC.Im.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 188, + "title": null, + "description": "Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. (FFIEC Information Security Booklet, page 46)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.3", + "id_raw": "D3.PC.Im.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 189, + "title": null, + "description": "All ports are monitored. (FFIEC Information Security Booklet, page 50)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.4", + "id_raw": "D3.PC.Im.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 190, + "title": null, + "description": "Up to date antivirus and anti-malware tools are used. (FFIEC Information Security Booklet, page 78)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.5", + "id_raw": "D3.PC.Im.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 191, + "title": null, + "description": "Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. 
(FFIEC Information Security Booklet, page 56)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.6", + "id_raw": "D3.PC.Im.B.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 192, + "title": null, + "description": "Ports, functions, protocols and services are prohibited if no longer needed for business purposes. (FFIEC Information Security Booklet, page 50)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.7", + "id_raw": "D3.PC.Im.B.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 193, + "title": null, + "description": "Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. (FFIEC Information Security Booklet, page 56)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.8", + "id_raw": "D3.PC.Im.B.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 194, + "title": null, + "description": "Programs that can override system, object, network, virtual machine, and application controls are restricted. (FFIEC Information Security Booklet, page 41)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.9", + "id_raw": "D3.PC.Im.B.9", + "tier_raw": "Statement", + "tier": 4, + "seq": 195, + "title": null, + "description": "System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. (FFIEC Information Security Booklet, page 23)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.b.10", + "id_raw": "D3.PC.Im.B.10", + "tier_raw": "Statement", + "tier": 4, + "seq": 196, + "title": null, + "description": "Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 
(FFIEC Information Security Booklet, page 40)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.1", + "id_raw": "D3.PC.Im.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 197, + "title": null, + "description": "There is a firewall at each Internet connection and between any\nDemilitarized Zone (DMZ) and internal network(s)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.2", + "id_raw": "D3.PC.Im.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 198, + "title": null, + "description": "Antivirus and intrusion detection/prevention systems (IDS/IPS) detect and block actual and attempted attacks or intrusions." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.3", + "id_raw": "D3.PC.Im.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 199, + "title": null, + "description": "Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.4", + "id_raw": "D3.PC.Im.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 200, + "title": null, + "description": "A risk-based solution is in place at the institution or Internet hosting provider to mitigate disruptive cyber attacks (e.g., DDoS attacks)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.5", + "id_raw": "D3.PC.Im.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 201, + "title": null, + "description": "Guest wireless networks are fully segregated from the internal network(s). 
(*N/A if there are no wireless networks.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.6", + "id_raw": "D3.PC.Im.E.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 202, + "title": null, + "description": "Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.7", + "id_raw": "D3.PC.Im.E.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 203, + "title": null, + "description": "Critical systems supported by legacy technologies are regularly reviewed to identify for potential vulnerabilities, upgrade opportunities, or new defense layers." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.e.8", + "id_raw": "D3.PC.Im.E.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 204, + "title": null, + "description": "Controls for unsupported systems are implemented and tested." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.1", + "id_raw": "D3.PC.Im.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 205, + "title": null, + "description": "The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.2", + "id_raw": "D3.PC.Im.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 206, + "title": null, + "description": "Security controls are used for remote access to all administrative consoles, including restricted virtual systems." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.3", + "id_raw": "D3.PC.Im.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 207, + "title": null, + "description": "Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. (*N/A if there are no wireless networks.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.4", + "id_raw": "D3.PC.Im.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 208, + "title": null, + "description": "Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.5", + "id_raw": "D3.PC.Im.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 209, + "title": null, + "description": "The broadcast range of the wireless network(s) is confined to institution- controlled boundaries. (*N/A if there are no wireless networks.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.int.6", + "id_raw": "D3.PC.Im.Int.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 210, + "title": null, + "description": "Technical measures are in place to prevent the execution of unauthorized code on institution owned or managed devices, network infrastructure, and systems components." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.a.1", + "id_raw": "D3.PC.Im.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 211, + "title": null, + "description": "Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted zones." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.a.2", + "id_raw": "D3.PC.Im.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 212, + "title": null, + "description": "Only one primary function is permitted per server to prevent functions that require different security levels from co-existing on the same server." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.a.3", + "id_raw": "D3.PC.Im.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 213, + "title": null, + "description": "Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.inn.1", + "id_raw": "D3.PC.Im.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 214, + "title": null, + "description": "The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.inn.2", + "id_raw": "D3.PC.Im.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 215, + "title": null, + "description": "Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.inn.3", + "id_raw": "D3.PC.Im.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 216, + "title": null, + "description": "The institution proactively seeks to identify control gaps that may be used as part of a zero-day attack." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.im.inn.4", + "id_raw": "D3.PC.Im.Inn.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 217, + "title": null, + "description": "Public-facing servers are routinely rotated and restored to a known clean\nstate to limit the window of time a system is exposed to potential threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.1", + "id_raw": "D3.PC.Am.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 218, + "title": null, + "description": "Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. (FFIEC Information Security Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.2", + "id_raw": "D3.PC.Am.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 219, + "title": null, + "description": "Employee access to systems and confidential data provides for separation of duties. (FFIEC Information Security Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.3", + "id_raw": "D3.PC.Am.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 220, + "title": null, + "description": "Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). (FFIEC Information Security Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.4", + "id_raw": "D3.PC.Am.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 221, + "title": null, + "description": "User access reviews are performed periodically for all systems and applications based on the risk to the application or system. 
(FFIEC Information Security Booklet, page 18)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.5", + "id_raw": "D3.PC.Am.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 222, + "title": null, + "description": "Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. (FFIEC Information Security Booklet, page 18)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.6", + "id_raw": "D3.PC.Am.B.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 223, + "title": null, + "description": "Identification and authentication are required and managed for access to systems, applications, and hardware. (FFIEC Information Security Booklet, page 21)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.7", + "id_raw": "D3.PC.Am.B.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 224, + "title": null, + "description": "Access controls include password complexity and limits to password attempts and reuse. (FFIEC Information Security Booklet, page 66)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.8", + "id_raw": "D3.PC.Am.B.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 225, + "title": null, + "description": "All default passwords and unnecessary default accounts are changed before system implementation. (FFIEC Information Security Booklet, page 61)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.9", + "id_raw": "D3.PC.Am.B.9", + "tier_raw": "Statement", + "tier": 4, + "seq": 226, + "title": null, + "description": "Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. 
(FFIEC Information Security Booklet, page 21)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.10", + "id_raw": "D3.PC.Am.B.10", + "tier_raw": "Statement", + "tier": 4, + "seq": 227, + "title": null, + "description": "Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) (FFIEC Information Security Booklet, page 64)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.11", + "id_raw": "D3.PC.Am.B.11", + "tier_raw": "Statement", + "tier": 4, + "seq": 228, + "title": null, + "description": "Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. (FFIEC Information Security Booklet, page 47)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.12", + "id_raw": "D3.PC.Am.B.12", + "tier_raw": "Statement", + "tier": 4, + "seq": 229, + "title": null, + "description": "All passwords are encrypted in storage and in transit. (FFIEC Information Security Booklet, page 21)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.13", + "id_raw": "D3.PC.Am.B.13", + "tier_raw": "Statement", + "tier": 4, + "seq": 230, + "title": null, + "description": "Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (FFIEC Information Security Booklet, page 51)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.14", + "id_raw": "D3.PC.Am.B.14", + "tier_raw": "Statement", + "tier": 4, + "seq": 231, + "title": null, + "description": "Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) 
(FFIEC Information Security Booklet, page 51)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.15", + "id_raw": "D3.PC.Am.B.15", + "tier_raw": "Statement", + "tier": 4, + "seq": 232, + "title": null, + "description": "Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.16", + "id_raw": "D3.PC.Am.B.16", + "tier_raw": "Statement", + "tier": 4, + "seq": 233, + "title": null, + "description": "Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. (FFIEC Information Security Booklet, page 25)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.17", + "id_raw": "D3.PC.Am.B.17", + "tier_raw": "Statement", + "tier": 4, + "seq": 234, + "title": null, + "description": "Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. (FFIEC Information Security Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.b.18", + "id_raw": "D3.PC.Am.B.18", + "tier_raw": "Statement", + "tier": 4, + "seq": 235, + "title": null, + "description": "Data is disposed of or destroyed according to documented requirements and within expected time frames. (FFIEC Information Security Booklet, page 66)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e.1", + "id_raw": "D3.PC.Am.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 236, + "title": null, + "description": "Changes to user access permissions trigger automated notices to appropriate personnel." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e.2", + "id_raw": "D3.PC.Am.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 237, + "title": null, + "description": "Administrators have two accounts: one for administrative use and one for general purpose, non-administrative tasks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e.3", + "id_raw": "D3.PC.Am.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 238, + "title": null, + "description": "Use of customer data in non-production environments complies with legal, regulatory, and internal policy requirements for concealing or removing of sensitive data elements." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e.4", + "id_raw": "D3.PC.Am.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 239, + "title": null, + "description": "Physical access to high-risk or confidential systems is restricted, logged, and unauthorized access is blocked." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.e.5", + "id_raw": "D3.PC.Am.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 240, + "title": null, + "description": "Controls are in place to prevent unauthorized access to cryptographic keys." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.1", + "id_raw": "D3.PC.Am.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 241, + "title": null, + "description": "The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.2", + "id_raw": "D3.PC.Am.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 242, + "title": null, + "description": "Controls are in place to prevent unauthorized escalation of user privileges." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.3", + "id_raw": "D3.PC.Am.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 243, + "title": null, + "description": "Access controls are in place for database administrators to prevent unauthorized downloading or transmission of confidential data." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.4", + "id_raw": "D3.PC.Am.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 244, + "title": null, + "description": "All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.5", + "id_raw": "D3.PC.Am.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 245, + "title": null, + "description": "Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.6", + "id_raw": "D3.PC.Am.Int.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 246, + "title": null, + "description": "Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). (*N/A if no high risk systems.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.7", + "id_raw": "D3.PC.Am.Int.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 247, + "title": null, + "description": "Confidential data are encrypted in transit across private connections (e.g., frame relay and T1) and within the institution’s trusted zones." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.int.8", + "id_raw": "D3.PC.Am.Int.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 248, + "title": null, + "description": "Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (* N/A if collaborative computing devices are not used.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.a.1", + "id_raw": "D3.PC.Am.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 249, + "title": null, + "description": "Encryption of select data at rest is determined by the institution’s data classification and risk assessment." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.a.2", + "id_raw": "D3.PC.Am.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 250, + "title": null, + "description": "Customer authentication for high-risk transactions includes methods to prevent malware and man-in-the-middle attacks (e.g., using visual transaction signing)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn.1", + "id_raw": "D3.PC.Am.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 251, + "title": null, + "description": "Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn.2", + "id_raw": "D3.PC.Am.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 252, + "title": null, + "description": "Unstructured confidential data are tracked and secured through an identity-aware, cross-platform storage system that protects against internal threats, monitors user access, and tracks changes." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn.3", + "id_raw": "D3.PC.Am.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 253, + "title": null, + "description": "Tokenization is used to substitute unique values for confidential information (e.g., virtual credit card)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn.4", + "id_raw": "D3.PC.Am.Inn.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 254, + "title": null, + "description": "The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.am.inn.5", + "id_raw": "D3.PC.Am.Inn.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 255, + "title": null, + "description": "Real-time risk mitigation is taken based on automated risk scoring of user credentials." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.b.1", + "id_raw": "D3.PC.De.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 256, + "title": null, + "description": "Controls are in place to restrict the use of removable media to authorized personnel. (FFIEC Information Security Work Program, Objective I: 4-1)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.1", + "id_raw": "D3.PC.De.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 257, + "title": null, + "description": "Tools automatically block attempted access from unpatched employee and third-party devices." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.2", + "id_raw": "D3.PC.De.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 258, + "title": null, + "description": "Tools automatically block attempted access by unregistered devices to internal networks." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.3", + "id_raw": "D3.PC.De.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 259, + "title": null, + "description": "The institution has controls to prevent the unauthorized addition of new connections." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.4", + "id_raw": "D3.PC.De.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 260, + "title": null, + "description": "Controls are in place to prevent unauthorized individuals from copying confidential data to removable media." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.5", + "id_raw": "D3.PC.De.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 261, + "title": null, + "description": "Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.6", + "id_raw": "D3.PC.De.E.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 262, + "title": null, + "description": "Mobile devices with access to the institution’s data are centrally managed for antivirus and patch deployment. (*N/A if mobile devices are not used.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.e.7", + "id_raw": "D3.PC.De.E.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 263, + "title": null, + "description": "The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.int.1", + "id_raw": "D3.PC.De.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 264, + "title": null, + "description": "Data loss prevention controls or devices are implemented for inbound and outbound communications (e.g., e-mail, FTP, Telnet, prevention of large file transfers)." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.int.2", + "id_raw": "D3.PC.De.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 265, + "title": null, + "description": "Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.int.3", + "id_raw": "D3.PC.De.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 266, + "title": null, + "description": "Mobile devices connecting to the corporate network for storing and accessing company information allow for remote software version/patch validation. (*N/A if mobile devices are not used.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.a.1", + "id_raw": "D3.PC.De.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 267, + "title": null, + "description": "Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.a.2", + "id_raw": "D3.PC.De.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 268, + "title": null, + "description": "Confidential data and applications on mobile devices are only accessible via a secure, isolated sandbox or a secure container." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.de.inn.1", + "id_raw": "D3.PC.De.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 269, + "title": null, + "description": "A centralized end-point management tool provides fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon arrival to prevent an exploit." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.b.1", + "id_raw": "D3.PC.Se.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 270, + "title": null, + "description": "Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards. (FFIEC Information Security Booklet, page 56)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.b.2", + "id_raw": "D3.PC.Se.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 271, + "title": null, + "description": "The security controls of internally developed software are periodically reviewed and tested. (*N/A if there is no software development.) (FFIEC Information Security Booklet, page 59)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.b.3", + "id_raw": "D3.PC.Se.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 272, + "title": null, + "description": "The security controls in internally developed software code are independently reviewed before migrating the code to production. (*N/A if there is no software development.) (FFIEC Development and Acquisition Booklet, page 2)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.b.4", + "id_raw": "D3.PC.Se.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 273, + "title": null, + "description": "Intellectual property and production code are held in escrow. (*N/A if there is no production code to hold in escrow.) (FFIEC Development and Acquisition Booklet, page 39)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.e.1", + "id_raw": "D3.PC.Se.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 274, + "title": null, + "description": "Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. 
(*N/A if there is no software development.)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.int.1", + "id_raw": "D3.PC.Se.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 275, + "title": null, + "description": "Processes are in place to mitigate vulnerabilities identified as part of the secure development of systems and applications." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.int.2", + "id_raw": "D3.PC.Se.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 276, + "title": null, + "description": "The security of applications, including Web-based applications connected to the Internet, is tested against known types of cyber attacks (e.g., SQL injection, cross-site scripting, buffer overflow) before implementation or following significant changes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.int.3", + "id_raw": "D3.PC.Se.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 277, + "title": null, + "description": "Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.int.4", + "id_raw": "D3.PC.Se.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 278, + "title": null, + "description": "A risk-based, independent information assurance function evaluates the security of internal applications." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.a.1", + "id_raw": "D3.PC.Se.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 279, + "title": null, + "description": "Vulnerabilities identified through a static code analysis are remediated before implementing newly developed or changed applications into production." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.a.2", + "id_raw": "D3.PC.Se.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 280, + "title": null, + "description": "All interdependencies between applications and services have been identified." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.a.3", + "id_raw": "D3.PC.Se.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 281, + "title": null, + "description": "Independent code reviews are completed on internally developed or vendor-provided custom applications to ensure there are no security gaps." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.pc.se.inn.1", + "id_raw": "D3.PC.Se.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 282, + "title": null, + "description": "Software code is actively scanned by automated tools in the development environment so that security weaknesses can be resolved immediately during the design phase." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.b.1", + "id_raw": "D3.DC.Th.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 283, + "title": null, + "description": "Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external- facing systems and the internal network. (FFIEC Information Security Booklet, page 61)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.b.2", + "id_raw": "D3.DC.Th.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 284, + "title": null, + "description": "Antivirus and anti-malware tools are used to detect attacks. 
(FFIEC Information Security Booklet, page 55)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.b.3", + "id_raw": "D3.DC.Th.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 285, + "title": null, + "description": "Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.b.4", + "id_raw": "D3.DC.Th.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 286, + "title": null, + "description": "E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links). (FFIEC Information Security Booklet, page 39)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.1", + "id_raw": "D3.DC.Th.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 287, + "title": null, + "description": "Independent penetration testing of network boundary and critical Web- facing applications is performed routinely to identify security control gaps." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.2", + "id_raw": "D3.DC.Th.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 288, + "title": null, + "description": "Independent penetration testing is performed on Internet-facing applications or systems before they are launched or undergo significant change." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.3", + "id_raw": "D3.DC.Th.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 289, + "title": null, + "description": "Antivirus and anti-malware tools are updated automatically." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.4", + "id_raw": "D3.DC.Th.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 290, + "title": null, + "description": "Firewall rules are updated routinely." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.5", + "id_raw": "D3.DC.Th.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 291, + "title": null, + "description": "Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.e.6", + "id_raw": "D3.DC.Th.E.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 292, + "title": null, + "description": "Processes are in place to monitor potential insider activity that could lead to data theft or destruction." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.int.1", + "id_raw": "D3.DC.Th.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 293, + "title": null, + "description": "Audit or risk management resources review the penetration testing scope and results to help determine the need for rotating companies based on the quality of the work." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.int.2", + "id_raw": "D3.DC.Th.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 294, + "title": null, + "description": "E-mails and attachments are automatically scanned to detect malware and are blocked when malware is present." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.a.1", + "id_raw": "D3.DC.Th.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 295, + "title": null, + "description": "Weekly vulnerability scanning is rotated among environments to scan all environments throughout the year." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.a.2", + "id_raw": "D3.DC.Th.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 296, + "title": null, + "description": "Penetration tests include cyber attack simulations and/or real-world tactics and techniques such as red team testing to detect control gaps in employee behavior, security defenses, policies, and resources." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.a.3", + "id_raw": "D3.DC.Th.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 297, + "title": null, + "description": "Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider threat." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.inn.1", + "id_raw": "D3.DC.Th.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 298, + "title": null, + "description": "User tasks and content (e.g., opening an e-mail attachment) are automatically isolated in a secure container or virtual environment so that malware can be analyzed but cannot access vital data, end-point operating systems, or applications on the institution’s network." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.th.inn.2", + "id_raw": "D3.DC.Th.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 299, + "title": null, + "description": "Vulnerability scanning is performed on a weekly basis across all environments." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b.1", + "id_raw": "D3.DC.An.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 300, + "title": null, + "description": "The institution is able to detect anomalous activities through monitoring across the environment. 
(FFIEC Information Security Booklet, page 32)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b.2", + "id_raw": "D3.DC.An.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 301, + "title": null, + "description": "Customer transactions generating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b.3", + "id_raw": "D3.DC.An.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 302, + "title": null, + "description": "Logs of physical and/or logical access are reviewed following events. (FFIEC Information Security Booklet, page 73)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b.4", + "id_raw": "D3.DC.An.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 303, + "title": null, + "description": "Access to critical systems by third parties is monitored for unauthorized or unusual activity. (FFIEC Outsourcing Booklet, page 26)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.b.5", + "id_raw": "D3.DC.An.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 304, + "title": null, + "description": "Elevated privileges are monitored. (FFIEC Information Security Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.e.1", + "id_raw": "D3.DC.An.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 305, + "title": null, + "description": "Systems are in place to detect anomalous behavior automatically during customer, employee, and third-party authentication." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.e.2", + "id_raw": "D3.DC.An.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 306, + "title": null, + "description": "Security logs are reviewed regularly." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.e.3", + "id_raw": "D3.DC.An.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 307, + "title": null, + "description": "Logs provide traceability for all system access by individual users. " + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.e.4", + "id_raw": "D3.DC.An.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 308, + "title": null, + "description": "Thresholds have been established to determine activity within logs that would warrant management response." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.1", + "id_raw": "D3.DC.An.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 309, + "title": null, + "description": "Online customer transactions are actively monitored for anomalous behavior." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.2", + "id_raw": "D3.DC.An.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 310, + "title": null, + "description": "Tools to detect unauthorized data mining are used." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.3", + "id_raw": "D3.DC.An.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 311, + "title": null, + "description": "Tools actively monitor security logs for anomalous behavior and alert within established parameters." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.4", + "id_raw": "D3.DC.An.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 312, + "title": null, + "description": "Audit logs are backed up to a centralized log server or media that is difficult to alter." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.5", + "id_raw": "D3.DC.An.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 313, + "title": null, + "description": "Thresholds for security logging are evaluated periodically." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.int.6", + "id_raw": "D3.DC.An.Int.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 314, + "title": null, + "description": "Anomalous activity and other network and system alerts are correlated across business units to detect and prevent multifaceted attacks (e.g., simultaneous account takeover and DDoS attack)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a.1", + "id_raw": "D3.DC.An.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 315, + "title": null, + "description": "An automated tool triggers system and/or fraud alerts when customer logins occur within a short period of time but from physically distant IP locations." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a.2", + "id_raw": "D3.DC.An.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 316, + "title": null, + "description": "External transfers from customer accounts generate alerts and require review and authorization if anomalous behavior is detected." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a.3", + "id_raw": "D3.DC.An.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 317, + "title": null, + "description": "A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a.4", + "id_raw": "D3.DC.An.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 318, + "title": null, + "description": "An automated tool(s) is in place to detect and prevent data mining by insider threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.a.5", + "id_raw": "D3.DC.An.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 319, + "title": null, + "description": "Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious activity when the data is accessed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.inn.1", + "id_raw": "D3.DC.An.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 320, + "title": null, + "description": "The institution has a mechanism for real-time automated risk scoring of threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.an.inn.2", + "id_raw": "D3.DC.An.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 321, + "title": null, + "description": "The institution is developing new technologies that will detect potential insider threats and block activity in real time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b.1", + "id_raw": "D3.DC.Ev.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 322, + "title": null, + "description": "A normal network activity baseline is established. (FFIEC Information\nSecurity Booklet, page 77)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b.2", + "id_raw": "D3.DC.Ev.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 323, + "title": null, + "description": "Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. 
(FFIEC Information Security Booklet, page 78)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b.3", + "id_raw": "D3.DC.Ev.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 324, + "title": null, + "description": "Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b.4", + "id_raw": "D3.DC.Ev.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 325, + "title": null, + "description": "Responsibilities for monitoring and reporting suspicious systems activity have been assigned. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.b.5", + "id_raw": "D3.DC.Ev.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 326, + "title": null, + "description": "The physical environment is monitored to detect potential unauthorized access. (FFIEC Information Security Booklet, page 47)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.e.1", + "id_raw": "D3.DC.Ev.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 327, + "title": null, + "description": "A process is in place to correlate event information from multiple sources\n(e.g., network, application, or firewall)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.int.1", + "id_raw": "D3.DC.Ev.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 328, + "title": null, + "description": "Controls or tools (e.g., data loss prevention) are in place to detect potential unauthorized or unintentional transmissions of confidential data." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.int.2", + "id_raw": "D3.DC.Ev.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 329, + "title": null, + "description": "Event detection processes are proven reliable." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.int.3", + "id_raw": "D3.DC.Ev.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 330, + "title": null, + "description": "Specialized security monitoring is used for critical assets throughout the infrastructure." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.a.1", + "id_raw": "D3.DC.Ev.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 331, + "title": null, + "description": "Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.a.2", + "id_raw": "D3.DC.Ev.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 332, + "title": null, + "description": "Real-time network monitoring and detection is implemented and incorporates sector-wide event information." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.a.3", + "id_raw": "D3.DC.Ev.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 333, + "title": null, + "description": "Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.a.4", + "id_raw": "D3.DC.Ev.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 334, + "title": null, + "description": "Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.inn.1", + "id_raw": "D3.DC.Ev.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 335, + "title": null, + "description": "The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.dc.ev.inn.2", + "id_raw": "D3.DC.Ev.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 336, + "title": null, + "description": "The institution is leading the development effort to design new technologies that will detect potential insider threats and block activity in real time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.b.1", + "id_raw": "D3.CC.Pa.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 337, + "title": null, + "description": "A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. (FFIEC Information Security Booklet, page 62)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.b.2", + "id_raw": "D3.CC.Pa.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 338, + "title": null, + "description": "Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.b.3", + "id_raw": "D3.CC.Pa.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 339, + "title": null, + "description": "Patch management reports are reviewed and reflect missing security patches. 
(FFIEC Development and Acquisition Booklet, page 50)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e.1", + "id_raw": "D3.CC.Pa.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 340, + "title": null, + "description": "A formal process is in place to acquire, test, and deploy software patches based on criticality." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e.2", + "id_raw": "D3.CC.Pa.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 341, + "title": null, + "description": "Systems are configured to retrieve patches automatically. " + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e.3", + "id_raw": "D3.CC.Pa.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 342, + "title": null, + "description": "Operational impact is evaluated before deploying security patches." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e.4", + "id_raw": "D3.CC.Pa.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 343, + "title": null, + "description": "An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.e.5", + "id_raw": "D3.CC.Pa.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 344, + "title": null, + "description": "Missing patches across all environments are prioritized and tracked." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.int.1", + "id_raw": "D3.CC.Pa.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 345, + "title": null, + "description": "Patches for high-risk vulnerabilities are tested and applied when released or the risk is accepted and accountability assigned." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.a.1", + "id_raw": "D3.CC.Pa.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 346, + "title": null, + "description": "Patch monitoring software is installed on all servers to identify any missing patches for the operating system software, middleware, database, and other key software." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.a.2", + "id_raw": "D3.CC.Pa.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 347, + "title": null, + "description": "The institution monitors patch management reports to ensure security patches are tested and implemented within aggressive time frames (e.g., 0-30 days)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.inn.1", + "id_raw": "D3.CC.Pa.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 348, + "title": null, + "description": "The institution develops security patches or bug fixes or contributes to open source code development for systems it uses." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.pa.inn.2", + "id_raw": "D3.CC.Pa.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 349, + "title": null, + "description": "Segregated or separate systems are in place that mirror production systems allowing for rapid testing and implementation of patches and provide for rapid fallback when needed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.b.1", + "id_raw": "D3.CC.Re.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 350, + "title": null, + "description": "Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report. 
(FFIEC Information Security Booklet, page 87)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.e.1", + "id_raw": "D3.CC.Re.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 351, + "title": null, + "description": "Data is destroyed or wiped on hardware and portable/mobile media when a device is missing, stolen, or no longer needed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.e.2", + "id_raw": "D3.CC.Re.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 352, + "title": null, + "description": "Formal processes are in place to resolve weaknesses identified during penetration testing." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.1", + "id_raw": "D3.CC.Re.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 353, + "title": null, + "description": "Remediation efforts are confirmed by conducting a follow-up vulnerability scan." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.2", + "id_raw": "D3.CC.Re.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 354, + "title": null, + "description": "Penetration testing is repeated to confirm that medium- and high-risk, exploitable vulnerabilities have been resolved." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.3", + "id_raw": "D3.CC.Re.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 355, + "title": null, + "description": "Security investigations, forensic analysis, and remediation are performed by qualified staff or third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.4", + "id_raw": "D3.CC.Re.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 356, + "title": null, + "description": "Generally accepted and appropriate forensic procedures, including chain of custody, are used to gather and present evidence to support potential legal action." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.5", + "id_raw": "D3.CC.Re.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 357, + "title": null, + "description": "The maintenance and repair of organizational assets are performed by authorized individuals with approved and controlled tools." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.int.6", + "id_raw": "D3.CC.Re.Int.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 358, + "title": null, + "description": "The maintenance and repair of organizational assets are logged in a timely manner." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.a.1", + "id_raw": "D3.CC.Re.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 359, + "title": null, + "description": "All medium and high risk issues identified in penetration testing, vulnerability scanning, and other independent testing are escalated to the board or an appropriate board committee for risk acceptance if not resolved in a timely manner." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d3.cc.re.inn.1", + "id_raw": "D3.CC.Re.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 360, + "title": null, + "description": "The institution is developing technologies that will remediate systems damaged by zero-day attacks to maintain current recovery time objectives." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.b.1", + "id_raw": "D4.C.Co.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 361, + "title": null, + "description": "The critical business processes that are dependent on external connectivity have been identified. 
(FFIEC Information Security Booklet, page 9)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.b.2", + "id_raw": "D4.C.Co.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 362, + "title": null, + "description": "The institution ensures that third-party connections are authorized. (FFIEC Information Security Booklet, page 17)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.b.3", + "id_raw": "D4.C.Co.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 363, + "title": null, + "description": "A network diagram is in place and identifies all external connections. (FFIEC Information Security Booklet, page 9)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.b.4", + "id_raw": "D4.C.Co.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 364, + "title": null, + "description": "Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.e.1", + "id_raw": "D4.C.Co.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 365, + "title": null, + "description": "Critical business processes have been mapped to the supporting external connections." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.e.2", + "id_raw": "D4.C.Co.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 366, + "title": null, + "description": "The network diagram is updated when connections with third parties change or at least annually." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.e.3", + "id_raw": "D4.C.Co.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 367, + "title": null, + "description": "Network and systems diagrams are stored in a secure manner with proper restrictions on access." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.e.4", + "id_raw": "D4.C.Co.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 368, + "title": null, + "description": "Controls for primary and backup third-party connections are monitored and tested on a regular basis." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.int.1", + "id_raw": "D4.C.Co.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 369, + "title": null, + "description": "A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.int.2", + "id_raw": "D4.C.Co.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 370, + "title": null, + "description": "Security controls are designed and verified to detect and prevent intrusions from third-party connections." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.int.3", + "id_raw": "D4.C.Co.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 371, + "title": null, + "description": "Monitoring controls cover all external connections (e.g., third-party service providers, business partners, customers)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.int.4", + "id_raw": "D4.C.Co.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 372, + "title": null, + "description": "Monitoring controls cover all internal network-to-network connections." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.a.1", + "id_raw": "D4.C.Co.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 373, + "title": null, + "description": "The security architecture is validated and documented before network connection infrastructure changes." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.a.2", + "id_raw": "D4.C.Co.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 374, + "title": null, + "description": "The institution works closely with third-party service providers to maintain and improve the security of external connections." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.inn.1", + "id_raw": "D4.C.Co.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 375, + "title": null, + "description": "Diagram(s) of external connections is interactive, shows real-time changes to the network connection infrastructure, new connections, and volume fluctuations, and alerts when risks arise." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.c.co.inn.2", + "id_raw": "D4.C.Co.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 376, + "title": null, + "description": "The institution's connections can be segmented or severed instantaneously to prevent contagion from cyber attacks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.b.1", + "id_raw": "D4.RM.Dd.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 377, + "title": null, + "description": "Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (FFIEC Information Security Booklet, page 69)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.b.2", + "id_raw": "D4.RM.Dd.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 378, + "title": null, + "description": "A list of third-party service providers is maintained. 
(FFIEC Outsourcing Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.b.3", + "id_raw": "D4.RM.Dd.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 379, + "title": null, + "description": "A risk assessment is conducted to identify criticality of service providers. (FFIEC Outsourcing Booklet, page 6)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.e.1", + "id_raw": "D4.RM.Dd.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 380, + "title": null, + "description": "A formal process exists to analyze assessments of third-party cybersecurity controls." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.e.2", + "id_raw": "D4.RM.Dd.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 381, + "title": null, + "description": "The board or an appropriate board committee reviews a summary of due diligence results including management’s recommendations to use third parties that will affect the institution’s inherent risk profile." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.int.1", + "id_raw": "D4.RM.Dd.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 382, + "title": null, + "description": "A process is in place to confirm that the institution’s third-party service providers conduct due diligence of their third parties (e.g., subcontractors)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.int.2", + "id_raw": "D4.RM.Dd.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 383, + "title": null, + "description": "Pre-contract, physical site visits of high-risk vendors are conducted by the institution or by a qualified third party." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.a.1", + "id_raw": "D4.RM.Dd.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 384, + "title": null, + "description": "A continuous process improvement program is in place for third-party due diligence activity." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.a.2", + "id_raw": "D4.RM.Dd.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 385, + "title": null, + "description": "Audits of high-risk vendors are conducted on an annual basis." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.inn.1", + "id_raw": "D4.RM.Dd.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 386, + "title": null, + "description": "The institution promotes sector-wide efforts to build due diligence mechanisms that lead to in-depth and efficient security and resilience reviews." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.dd.inn.2", + "id_raw": "D4.RM.Dd.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 387, + "title": null, + "description": "The institution is leading efforts to develop new auditable processes and for conducting due diligence and ongoing monitoring of cybersecurity risks posed by third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.1", + "id_raw": "D4.RM.Co.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 388, + "title": null, + "description": "Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services. 
(FFIEC Information Security Booklet, page 7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.2", + "id_raw": "D4.RM.Co.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 389, + "title": null, + "description": "Contracts acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits. (FFIEC Information Security Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.3", + "id_raw": "D4.RM.Co.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 390, + "title": null, + "description": "Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party. (FFIEC Information Security Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.4", + "id_raw": "D4.RM.Co.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 391, + "title": null, + "description": "Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements. (FFIEC Outsourcing Booklet, page 12)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.5", + "id_raw": "D4.RM.Co.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 392, + "title": null, + "description": "Contracts establish responsibilities for responding to security incidents. (FFIEC E-Banking Booklet, page 22)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.b.6", + "id_raw": "D4.RM.Co.B.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 393, + "title": null, + "description": "Contracts specify the security requirements for the return or destruction of data upon contract termination. 
(FFIEC Outsourcing Booklet, page 15)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.e.1", + "id_raw": "D4.RM.Co.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 394, + "title": null, + "description": "Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.e.2", + "id_raw": "D4.RM.Co.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 395, + "title": null, + "description": "Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.e.3", + "id_raw": "D4.RM.Co.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 396, + "title": null, + "description": "Contracts stipulate geographic limits on where data can be stored or transmitted." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.int.1", + "id_raw": "D4.RM.Co.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 397, + "title": null, + "description": "Third-party SLAs or similar means are in place that require timely notification of security events." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.a.1", + "id_raw": "D4.RM.Co.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 398, + "title": null, + "description": "Contracts require third-party service provider’s security policies meet or\nexceed those of the institution." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.a.2", + "id_raw": "D4.RM.Co.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 399, + "title": null, + "description": "A third-party termination/exit strategy has been established and validated with management." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.co.inn.1", + "id_raw": "D4.RM.Co.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 400, + "title": null, + "description": "The institution promotes a sector-wide effort to influence contractual requirements for critical third parties to the industry." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.b.1", + "id_raw": "D4.RM.Om.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 401, + "title": null, + "description": "The third-party risk assessment is updated regularly. (FFIEC Outsourcing Booklet, page 3)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.b.2", + "id_raw": "D4.RM.Om.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 402, + "title": null, + "description": "Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. (FFIEC Information Security Booklet, page 86)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.b.3", + "id_raw": "D4.RM.Om.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 403, + "title": null, + "description": "Ongoing monitoring practices include reviewing critical third-parties’ resilience plans. (FFIEC Outsourcing Booklet, page 19)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.e.1", + "id_raw": "D4.RM.Om.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 404, + "title": null, + "description": "A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.e.2", + "id_raw": "D4.RM.Om.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 405, + "title": null, + "description": "A formal program assigns responsibility for ongoing oversight of third- party access." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.e.3", + "id_raw": "D4.RM.Om.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 406, + "title": null, + "description": "Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.e.4", + "id_raw": "D4.RM.Om.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 407, + "title": null, + "description": "Automated reminders or ticklers are in place to identify when required third-party information needs to be obtained or analyzed." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.int.1", + "id_raw": "D4.RM.Om.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 408, + "title": null, + "description": "Third-party employee access to the institution's confidential data are tracked actively based on the principles of least privilege." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.int.2", + "id_raw": "D4.RM.Om.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 409, + "title": null, + "description": "Periodic on-site assessments of high-risk vendors are conducted to ensure appropriate security controls are in place." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.a.1", + "id_raw": "D4.RM.Om.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 410, + "title": null, + "description": "Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d4.rm.om.inn.1", + "id_raw": "D4.RM.Om.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 411, + "title": null, + "description": "The institution is leading efforts to develop new auditable processes for ongoing monitoring of cybersecurity risks posed by third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.1", + "id_raw": "D5.IR.Pl.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 412, + "title": null, + "description": "The institution has documented how it will react and respond to cyber incidents. (FFIEC Business Continuity Planning Booklet, page 4)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.2", + "id_raw": "D5.IR.Pl.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 413, + "title": null, + "description": "Communication channels exist to provide employees a means for reporting information security events in a timely manner. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.3", + "id_raw": "D5.IR.Pl.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 414, + "title": null, + "description": "Roles and responsibilities for incident response team members are defined. (FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.4", + "id_raw": "D5.IR.Pl.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 415, + "title": null, + "description": "The response team includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution (e.g., management, legal, public relations, as well as information technology). 
(FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.5", + "id_raw": "D5.IR.Pl.B.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 416, + "title": null, + "description": "A formal backup and recovery plan exists for all critical business lines. (FFIEC Business Continuity Planning Booklet, page 4)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.b.6", + "id_raw": "D5.IR.Pl.B.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 417, + "title": null, + "description": "The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. (FFIEC Information Security Booklet, page 71)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e.1", + "id_raw": "D5.IR.Pl.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 418, + "title": null, + "description": "The remediation plan and process outlines the mitigating actions, resources, and time parameters." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e.2", + "id_raw": "D5.IR.Pl.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 419, + "title": null, + "description": "The corporate disaster recovery, business continuity, and crisis management plans have integrated consideration of cyber incidents." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e.3", + "id_raw": "D5.IR.Pl.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 420, + "title": null, + "description": "Alternative processes have been established to continue critical activity within a reasonable time period." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e.4", + "id_raw": "D5.IR.Pl.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 421, + "title": null, + "description": "Business impact analyses have been updated to include cybersecurity." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.e.5", + "id_raw": "D5.IR.Pl.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 422, + "title": null, + "description": "Due diligence has been performed on technical sources, consultants, or forensic service firms that could be called to assist the institution during or following an incident." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.int.1", + "id_raw": "D5.IR.Pl.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 423, + "title": null, + "description": "A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.int.2", + "id_raw": "D5.IR.Pl.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 424, + "title": null, + "description": "Plans are in place to re-route or substitute critical functions and/or services that may be affected by a successful attack on Internet-facing systems." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.int.3", + "id_raw": "D5.IR.Pl.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 425, + "title": null, + "description": "A direct cooperative or contractual agreement(s) is in place with an incident response organization(s) or provider(s) to assist rapidly with mitigation efforts." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.int.4", + "id_raw": "D5.IR.Pl.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 426, + "title": null, + "description": "Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s risk mitigation capabilities and response plan." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.a.1", + "id_raw": "D5.IR.Pl.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 427, + "title": null, + "description": "Methods for responding to and recovering from cyber incidents are tightly woven throughout the business units’ disaster recovery, business continuity, and crisis management plans." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.a.2", + "id_raw": "D5.IR.Pl.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 428, + "title": null, + "description": "Multiple systems, programs, or processes are implemented into a comprehensive cyber resilience program to sustain, minimize, and recover operations from an array of potentially disruptive and destructive cyber incidents." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.a.3", + "id_raw": "D5.IR.Pl.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 429, + "title": null, + "description": "A process is in place to continuously improve the resilience plan." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.inn.1", + "id_raw": "D5.IR.Pl.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 430, + "title": null, + "description": "The incident response plan is designed to ensure recovery from disruption of services, assurance of data integrity, and recovery of lost or corrupted data following a cybersecurity incident." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.pl.inn.2", + "id_raw": "D5.IR.Pl.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 431, + "title": null, + "description": "The incident response process includes detailed actions and rule- based triggers for automated response." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.b.1", + "id_raw": "D5.IR.Te.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 432, + "title": null, + "description": "Scenarios are used to improve incident detection and response.\n(FFIEC Information Security Booklet, page 71)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.b.2", + "id_raw": "D5.IR.Te.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 433, + "title": null, + "description": "Business continuity testing involves collaboration with critical third parties. (FFIEC Business Continuity Planning Booklet, page J-6)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.b.3", + "id_raw": "D5.IR.Te.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 434, + "title": null, + "description": "Systems, applications, and data recovery is tested at least annually. (FFIEC Business Continuity Planning Booklet, page J-7)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.e.1", + "id_raw": "D5.IR.Te.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 435, + "title": null, + "description": "Recovery scenarios include plans to recover from data destruction and impacts to data integrity, data loss, and system and data availability." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.e.2", + "id_raw": "D5.IR.Te.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 436, + "title": null, + "description": "Widely reported events are used to evaluate and improve the institution's response." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.e.3", + "id_raw": "D5.IR.Te.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 437, + "title": null, + "description": "Information backups are tested periodically to verify they are accessible and readable." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int.1", + "id_raw": "D5.IR.Te.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 438, + "title": null, + "description": "Cyber-attack scenarios are analyzed to determine potential impact to critical business processes." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int.2", + "id_raw": "D5.IR.Te.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 439, + "title": null, + "description": "The institution participates in sector-specific cyber exercises or scenarios (e.g., FS-ISAC Cyber Attack (against) Payment Processors (CAPP))." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int.3", + "id_raw": "D5.IR.Te.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 440, + "title": null, + "description": "Resilience testing is based on analysis and identification of realistic and highly likely threats as well as new and emerging threats facing the institution." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int.4", + "id_raw": "D5.IR.Te.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 441, + "title": null, + "description": "The critical online systems and processes are tested to withstand stresses for extended periods (e.g., DDoS)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.int.5", + "id_raw": "D5.IR.Te.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 442, + "title": null, + "description": "The results of cyber event exercises are used to improve the incident response plan and automated triggers." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a.1", + "id_raw": "D5.IR.Te.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 443, + "title": null, + "description": "Resilience testing is comprehensive and coordinated across all critical business functions." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a.2", + "id_raw": "D5.IR.Te.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 444, + "title": null, + "description": "The institution validates that it is able to recover from cyber events similar to by known sophisticated attacks at other organizations." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a.3", + "id_raw": "D5.IR.Te.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 445, + "title": null, + "description": "Incident response testing evaluates the institution from an attacker's perspective to determine how the institution or its assets at critical third parties may be targeted." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a.4", + "id_raw": "D5.IR.Te.A.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 446, + "title": null, + "description": "The institution corrects root causes for problems discovered during cybersecurity resilience testing." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.a.5", + "id_raw": "D5.IR.Te.A.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 447, + "title": null, + "description": "Cybersecurity incident scenarios involving significant financial loss are used to stress test the institution's risk management." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.inn.1", + "id_raw": "D5.IR.Te.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 448, + "title": null, + "description": "The institution tests the ability to shift business processes or functions between different processing centers or technology systems for cyber incidents without interruption to business or loss of productivity or data." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.inn.2", + "id_raw": "D5.IR.Te.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 449, + "title": null, + "description": "The institution has validated that it is able to remediate systems damaged by zero-day attacks to maintain current recovery time objectives." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.inn.3", + "id_raw": "D5.IR.Te.Inn.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 450, + "title": null, + "description": "The institution is leading the development of more realistic test environments." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.ir.te.inn.4", + "id_raw": "D5.IR.Te.Inn.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 451, + "title": null, + "description": "Cyber incident scenarios are used to stress test potential financial losses across the sector." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.b.1", + "id_raw": "D5.DR.De.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 452, + "title": null, + "description": "Alert parameters are set for detecting information security incidents that prompt mitigating actions. (FFIEC Information Security Booklet, page 43)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.b.2", + "id_raw": "D5.DR.De.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 453, + "title": null, + "description": "System performance reports contain information that can be used as a risk indicator to detect information security incidents. (FFIEC Information Security Booklet, page 86)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.b.3", + "id_raw": "D5.DR.De.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 454, + "title": null, + "description": "Tools and processes are in place to detect, alert, and trigger the incident response program. 
(FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.e.1", + "id_raw": "D5.DR.De.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 455, + "title": null, + "description": "The institution has processes to detect and alert the incident response team when potential insider activity manifests that could lead to data theft or destruction." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int.1", + "id_raw": "D5.DR.De.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 456, + "title": null, + "description": "The incident response program is triggered when anomalous behaviors and attack patterns or signatures are detected." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int.2", + "id_raw": "D5.DR.De.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 457, + "title": null, + "description": "The institution has the ability to discover infiltration, before the attacker traverses across systems, establishes a foothold, steals information, or causes damage to data and systems." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int.3", + "id_raw": "D5.DR.De.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 458, + "title": null, + "description": "Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int.4", + "id_raw": "D5.DR.De.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 459, + "title": null, + "description": "Network and system alerts are correlated across business units to better detect and prevent multifaceted attacks (e.g., simultaneous DDoS attack and account takeover)." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.int.5", + "id_raw": "D5.DR.De.Int.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 460, + "title": null, + "description": "Incident detection processes are capable of correlating events across the enterprise." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.a.1", + "id_raw": "D5.DR.De.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 461, + "title": null, + "description": "Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.a.2", + "id_raw": "D5.DR.De.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 462, + "title": null, + "description": "Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert incident response teams in real time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.de.inn.1", + "id_raw": "D5.DR.De.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 463, + "title": null, + "description": "The institution is able to detect and block zero-day attempts and inform management and the incident response team in real time." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.b.1", + "id_raw": "D5.DR.Re.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 464, + "title": null, + "description": "Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer information. 
(FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.1", + "id_raw": "D5.DR.Re.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 465, + "title": null, + "description": "The incident response plan is designed to prioritize incidents, enabling a rapid response for significant cybersecurity incidents or vulnerabilities." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.2", + "id_raw": "D5.DR.Re.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 466, + "title": null, + "description": "A process is in place to help contain incidents and restore operations with minimal service disruption." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.3", + "id_raw": "D5.DR.Re.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 467, + "title": null, + "description": "Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.4", + "id_raw": "D5.DR.Re.E.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 468, + "title": null, + "description": "Procedures include containment strategies and notifying potentially impacted third parties." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.5", + "id_raw": "D5.DR.Re.E.5", + "tier_raw": "Statement", + "tier": 4, + "seq": 469, + "title": null, + "description": "Processes are in place to trigger the incident response program when an incident occurs at a third party." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.6", + "id_raw": "D5.DR.Re.E.6", + "tier_raw": "Statement", + "tier": 4, + "seq": 470, + "title": null, + "description": "Records are generated to support incident investigation and mitigation. 
" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.7", + "id_raw": "D5.DR.Re.E.7", + "tier_raw": "Statement", + "tier": 4, + "seq": 471, + "title": null, + "description": "The institution calls upon third parties, as needed, to provide mitigation services" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.e.8", + "id_raw": "D5.DR.Re.E.8", + "tier_raw": "Statement", + "tier": 4, + "seq": 472, + "title": null, + "description": "Analysis of events is used to improve the institution's security measures and policies." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.int.1", + "id_raw": "D5.DR.Re.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 473, + "title": null, + "description": "Analysis of security incidents is performed in the early stages of an intrusion to minimize the impact of the incident." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.int.2", + "id_raw": "D5.DR.Re.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 474, + "title": null, + "description": "Any changes to systems/applications or to access entitlements necessary for incident management are reviewed by management for formal approval before implementation." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.int.3", + "id_raw": "D5.DR.Re.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 475, + "title": null, + "description": "Processes are in place to ensure assets affected by a security incident that cannot be returned to operational status are quarantined, removed, disposed of, and/or replaced." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.int.4", + "id_raw": "D5.DR.Re.Int.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 476, + "title": null, + "description": "Processes are in place to ensure that restored assets are appropriately reconfigured and thoroughly tested before being placed back into operation." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.a.1", + "id_raw": "D5.DR.Re.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 477, + "title": null, + "description": "The incident management function collaborates effectively with the cyber threat intelligence function during an incident." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.a.2", + "id_raw": "D5.DR.Re.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 478, + "title": null, + "description": "Links between threat intelligence, network operations, and incident response allow for proactive response to potential incidents." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.a.3", + "id_raw": "D5.DR.Re.A.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 479, + "title": null, + "description": "Technical measures apply defense-in-depth techniques such as deep- packet inspection and black holing for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns and/or DDoS attacks." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.inn.1", + "id_raw": "D5.DR.Re.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 480, + "title": null, + "description": "The institution’s risk management of significant cyber incidents results in\nlimited to no disruptions to critical services." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.dr.re.inn.2", + "id_raw": "D5.DR.Re.Inn.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 481, + "title": null, + "description": "The technology infrastructure has been engineered to limit the effects of a cyber attack on the production environment from migrating to the backup environment (e.g., air-gapped environment and processes)." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.b.1", + "id_raw": "D5.ER.Es.B.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 482, + "title": null, + "description": "A process exists to contact personnel who are responsible for analyzing and responding to an incident. (FFIEC Information Security Booklet, page 83)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.b.2", + "id_raw": "D5.ER.Es.B.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 483, + "title": null, + "description": "Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information. (FFIEC Information Security Booklet, page 84)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.b.3", + "id_raw": "D5.ER.Es.B.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 484, + "title": null, + "description": "The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. (FFIEC Information Security Booklet, page 5)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.b.4", + "id_raw": "D5.ER.Es.B.4", + "tier_raw": "Statement", + "tier": 4, + "seq": 485, + "title": null, + "description": "Incidents are classified, logged, and tracked. 
(FFIEC Operations Booklet, page 28)" + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.e.1", + "id_raw": "D5.ER.Es.E.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 486, + "title": null, + "description": "Criteria have been established for escalating cyber incidents or vulnerabilities to the board and senior management based on the potential impact and criticality of the risk." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.e.2", + "id_raw": "D5.ER.Es.E.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 487, + "title": null, + "description": "Regulators, law enforcement, and service providers, as appropriate, are notified when the institution is aware of any unauthorized access to systems or a cyber incident occurs that could result in degradation of services." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.e.3", + "id_raw": "D5.ER.Es.E.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 488, + "title": null, + "description": "Tracked cyber incidents are correlated for trend analysis and reporting." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.int.1", + "id_raw": "D5.ER.Es.Int.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 489, + "title": null, + "description": "Employees that are essential to mitigate the risk (e.g., fraud, business resilience) know their role in incident escalation." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.int.2", + "id_raw": "D5.ER.Es.Int.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 490, + "title": null, + "description": "A communication plan is used to notify other organizations, including third parties, of incidents that may affect them or their customers." 
+ }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.int.3", + "id_raw": "D5.ER.Es.Int.3", + "tier_raw": "Statement", + "tier": 4, + "seq": 491, + "title": null, + "description": "An external communication plan is used for notifying media regarding incidents when applicable." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.a.1", + "id_raw": "D5.ER.Es.A.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 492, + "title": null, + "description": "The institution has established quantitative and qualitative metrics for the cybersecurity incident response process." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.a.2", + "id_raw": "D5.ER.Es.A.2", + "tier_raw": "Statement", + "tier": 4, + "seq": 493, + "title": null, + "description": "Detailed metrics, dashboards, and/or scorecards outlining cyber incidents and events are provided to management and are part of the board meeting package." + }, + { + "source": "ffiec_cat_v2017.05", + "id": "ffiec_cat_v2017.05:d5.er.es.inn.1", + "id_raw": "D5.ER.Es.Inn.1", + "tier_raw": "Statement", + "tier": 4, + "seq": 494, + "title": null, + "description": "A mechanism is in place to provide instantaneous notification of incidents to management and essential employees through multiple communication channels with tracking and verification of receipt." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc", + "id_raw": "CC", + "tier_raw": "Category", + "tier": 0, + "seq": 1, + "title": "Common Criteria", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a", + "id_raw": "A", + "tier_raw": "Category", + "tier": 0, + "seq": 2, + "title": "Availability", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c", + "id_raw": "C", + "tier_raw": "Category", + "tier": 0, + "seq": 3, + "title": "Confidentiality", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi", + "id_raw": "PI", + "tier_raw": "Category", + "tier": 0, + "seq": 4, + "title": "Processing Integrity", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p", + "id_raw": "P", + "tier_raw": "Category", + "tier": 0, + "seq": 5, + "title": "Privacy", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1", + "id_raw": "CC1", + "tier_raw": "Group", + "tier": 1, + "seq": 1, + "title": "Control Environment", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2", + "id_raw": "CC2", + "tier_raw": "Group", + "tier": 1, + "seq": 2, + "title": "Communication and Information", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3", + "id_raw": "CC3", + "tier_raw": "Group", + "tier": 1, + "seq": 3, + "title": "Risk Assessment", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4", + "id_raw": "CC4", + "tier_raw": "Group", + "tier": 1, + "seq": 4, + "title": "Monitoring Activities", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5", + "id_raw": "CC5", + "tier_raw": "Group", + "tier": 1, + "seq": 5, + "title": "Control Activities", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6", + 
"id_raw": "CC6", + "tier_raw": "Group", + "tier": 1, + "seq": 6, + "title": "Logical and Physical Access Controls", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7", + "id_raw": "CC7", + "tier_raw": "Group", + "tier": 1, + "seq": 7, + "title": "System Operations", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8", + "id_raw": "CC8", + "tier_raw": "Group", + "tier": 1, + "seq": 8, + "title": "Change Management", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9", + "id_raw": "CC9", + "tier_raw": "Group", + "tier": 1, + "seq": 9, + "title": "Risk Mitigation", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1", + "id_raw": "A1", + "tier_raw": "Group", + "tier": 1, + "seq": 10, + "title": "Availability", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1", + "id_raw": "C1", + "tier_raw": "Group", + "tier": 1, + "seq": 11, + "title": "Confidentiality", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1", + "id_raw": "PI1", + "tier_raw": "Group", + "tier": 1, + "seq": 12, + "title": "Processing Integrity", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1", + "id_raw": "P1", + "tier_raw": "Group", + "tier": 1, + "seq": 13, + "title": "Notice and Communication of Objectives Related to Privacy", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2", + "id_raw": "P2", + "tier_raw": "Group", + "tier": 1, + "seq": 14, + "title": "Choice and Consent", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3", + "id_raw": "P3", + "tier_raw": "Group", + "tier": 1, + "seq": 15, + "title": "Collection", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4", + "id_raw": "P4", + "tier_raw": 
"Group", + "tier": 1, + "seq": 16, + "title": "Use, Retention, and Disposal", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5", + "id_raw": "P5", + "tier_raw": "Group", + "tier": 1, + "seq": 17, + "title": "Access", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6", + "id_raw": "P6", + "tier_raw": "Group", + "tier": 1, + "seq": 18, + "title": "Disclosure and Notification", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p7", + "id_raw": "P7", + "tier_raw": "Group", + "tier": 1, + "seq": 19, + "title": "Quality", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8", + "id_raw": "P8", + "tier_raw": "Group", + "tier": 1, + "seq": 20, + "title": "Monitoring and Enforcement", + "description": null + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1", + "id_raw": "CC1.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 1, + "title": null, + "description": "COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.2", + "id_raw": "CC1.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 2, + "title": null, + "description": "COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3", + "id_raw": "CC1.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 3, + "title": null, + "description": "COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4", + "id_raw": "CC1.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 4, + "title": null, + "description": "COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5", + "id_raw": "CC1.5", + "tier_raw": "Criteria", + "tier": 2, + "seq": 5, + "title": null, + "description": "COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.1", + "id_raw": "CC2.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 6, + "title": null, + "description": "COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2", + "id_raw": "CC2.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 7, + "title": null, + "description": "COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3", + "id_raw": "CC2.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 8, + "title": null, + "description": "COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1", + "id_raw": "CC3.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 9, + "title": null, + "description": "COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2", + "id_raw": "CC3.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 10, + "title": null, + "description": "COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3", + "id_raw": "CC3.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 11, + "title": null, + "description": "COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4", + "id_raw": "CC3.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 12, + "title": null, + "description": "COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1", + "id_raw": "CC4.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 13, + "title": null, + "description": "COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.2", + "id_raw": "CC4.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 14, + "title": null, + "description": "COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1", + "id_raw": "CC5.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 15, + "title": null, + "description": "COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.2", + "id_raw": "CC5.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 16, + "title": null, + "description": "COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3", + "id_raw": "CC5.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 17, + "title": null, + "description": "COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1", + "id_raw": "CC6.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 18, + "title": null, + "description": "The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.2", + "id_raw": "CC6.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 19, + "title": null, + "description": "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For\nthose users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.3", + "id_raw": "CC6.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 20, + "title": null, + "description": "The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.4", + "id_raw": "CC6.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 21, + "title": null, + "description": "The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.5", + "id_raw": "CC6.5", + "tier_raw": "Criteria", + "tier": 2, + "seq": 22, + "title": null, + "description": "The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6 ", + "id_raw": "CC6.6 ", + "tier_raw": "Criteria", + "tier": 2, + "seq": 23, + "title": null, + "description": "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6", + "id_raw": "CC6.6", + "tier_raw": "Criteria", + "tier": 2, + "seq": 24, + "title": null, + "description": "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.7", + "id_raw": "CC6.7", + "tier_raw": "Criteria", + "tier": 2, + "seq": 25, + "title": null, + "description": "The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8", + "id_raw": "CC6.8", + "tier_raw": "Criteria", + "tier": 2, + "seq": 26, + "title": null, + "description": "The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1", + "id_raw": "CC7.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 27, + "title": null, + "description": "To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.2", + "id_raw": "CC7.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 28, + "title": null, + "description": "The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3", + "id_raw": "CC7.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 29, + "title": null, + "description": "The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4", + "id_raw": "CC7.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 30, + "title": null, + "description": "The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5", + "id_raw": "CC7.5", + "tier_raw": "Criteria", + "tier": 2, + "seq": 31, + "title": null, + "description": "The entity identifies, develops, and implements activities to recover from identified security incidents." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1", + "id_raw": "CC8.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 32, + "title": null, + "description": "The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.1", + "id_raw": "CC9.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 33, + "title": null, + "description": "The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2", + "id_raw": "CC9.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 34, + "title": null, + "description": "The entity assesses and manages risks associated with vendors and business partners." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.1", + "id_raw": "A1.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 35, + "title": null, + "description": "The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2", + "id_raw": "A1.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 36, + "title": null, + "description": "The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.3", + "id_raw": "A1.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 37, + "title": null, + "description": "The entity tests recovery plan procedures supporting system recovery to meet its objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.1", + "id_raw": "C1.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 38, + "title": null, + "description": "The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.2", + "id_raw": "C1.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 39, + "title": null, + "description": "The entity disposes of confidential information to meet the entity’s objectives related to confidentiality." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.1", + "id_raw": "PI1.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 40, + "title": null, + "description": "Identifies Information Specifications—The entity identifies information specifications required to support the use of products and services. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.2", + "id_raw": "PI1.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 41, + "title": null, + "description": "The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the\nentity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3", + "id_raw": "PI1.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 42, + "title": null, + "description": "The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.4", + "id_raw": "PI1.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 43, + "title": null, + "description": "The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.5", + "id_raw": "PI1.5", + "tier_raw": "Criteria", + "tier": 2, + "seq": 44, + "title": null, + "description": "The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1.1", + "id_raw": "P1.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 45, + "title": null, + "description": "The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1", + "id_raw": "P2.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 46, + "title": null, + "description": "The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.1", + "id_raw": "P3.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 47, + "title": null, + "description": "Personal information is collected consistent with the entity’s objectives related to privacy." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.2", + "id_raw": "P3.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 48, + "title": null, + "description": "For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.1", + "id_raw": "P4.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 49, + "title": null, + "description": "The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.2", + "id_raw": "P4.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 50, + "title": null, + "description": "The entity retains personal information consistent with the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.3", + "id_raw": "P4.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 51, + "title": null, + "description": "The entity securely disposes of personal information to meet the entity’s objectives related to privacy" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.1", + "id_raw": "P5.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 52, + "title": null, + "description": "The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.2", + "id_raw": "P5.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 53, + "title": null, + "description": "The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.1", + "id_raw": "P6.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 54, + "title": null, + "description": "The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.2", + "id_raw": "P6.2", + "tier_raw": "Criteria", + "tier": 2, + "seq": 55, + "title": null, + "description": "The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.3", + "id_raw": "P6.3", + "tier_raw": "Criteria", + "tier": 2, + "seq": 56, + "title": null, + "description": "The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.4", + "id_raw": "P6.4", + "tier_raw": "Criteria", + "tier": 2, + "seq": 57, + "title": null, + "description": "The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.5", + "id_raw": "P6.5", + "tier_raw": "Criteria", + "tier": 2, + "seq": 58, + "title": null, + "description": "The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in\naccordance with established incident response procedures to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.6", + "id_raw": "P6.6", + "tier_raw": "Criteria", + "tier": 2, + "seq": 59, + "title": null, + "description": "The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.7", + "id_raw": "P6.7", + "tier_raw": "Criteria", + "tier": 2, + "seq": 60, + "title": null, + "description": "The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p7.1", + "id_raw": "P7.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 61, + "title": null, + "description": "The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1", + "id_raw": "P8.1", + "tier_raw": "Criteria", + "tier": 2, + "seq": 62, + "title": null, + "description": "The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1.1", + "id_raw": "CC1.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 1, + "title": "Sets the Tone at the Top", + "description": "The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1.2", + "id_raw": "CC1.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 2, + "title": "Establishes Standards of Conduct", + "description": "The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1.3", + "id_raw": "CC1.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 3, + "title": "Evaluates Adherence to Standards of Conduct", + "description": "Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1.4", + "id_raw": "CC1.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 4, + "title": "Addresses Deviations in a Timely Manner", + "description": "Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.1.5", + "id_raw": "CC1.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 5, + "title": "Considers Contractors and Vendor Employees in Demonstrating Its Commitment", + "description": "Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.2.1", + "id_raw": "CC1.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 6, + "title": "Establishes Oversight Responsibilities", + "description": "The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.2.2", + "id_raw": "CC1.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 7, + "title": "Applies Relevant Expertise", + "description": "The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.2.3", + "id_raw": "CC1.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 8, + "title": "Operates Independently", + "description": "The board of directors has sufficient members who are independent from management and objective in evaluations and decision making." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.2.4", + "id_raw": "CC1.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 9, + "title": "Supplements Board Expertise", + "description": "The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3.1", + "id_raw": "CC1.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 10, + "title": "Considers All Structures of the Entity", + "description": "Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3.2", + "id_raw": "CC1.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 11, + "title": "Establishes Reporting Lines", + "description": "Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3.3", + "id_raw": "CC1.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 12, + "title": "Defines, Assigns, and Limits Authorities and Responsibilities", + "description": "Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3.4", + "id_raw": "CC1.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 13, + "title": "Addresses Specific Requirements When Defining Authorities and Responsibilities", + "description": "Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.3.5", + "id_raw": "CC1.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 14, + "title": "Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities", + "description": "Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.1", + "id_raw": "CC1.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 15, + "title": "Establishes Policies and Practices", + "description": "Policies and practices reflect expectations of competence necessary to support the achievement of objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.2", + "id_raw": "CC1.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 16, + "title": "Evaluates Competence and Addresses Shortcomings", + "description": "The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.3", + "id_raw": "CC1.4.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 17, + "title": "Attracts, Develops, and Retains Individuals", + "description": "The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.4", + "id_raw": "CC1.4.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 18, + "title": "Plans and Prepares for Succession", + "description": "Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.5", + "id_raw": "CC1.4.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 19, + "title": "Considers the Background of Individuals", + "description": "The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.6", + "id_raw": "CC1.4.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 20, + "title": "Considers the Technical Competency of Individuals", + "description": "The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.4.7", + "id_raw": "CC1.4.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 21, + "title": "Provides Training to Maintain Technical Competencies", + "description": "The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5.1", + "id_raw": "CC1.5.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 22, + "title": "Enforces Accountability Through Structures, Authorities, and Responsibilities", + "description": "Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5.2", + "id_raw": "CC1.5.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 23, + "title": "Establishes Performance Measures, Incentives, and Rewards", + "description": "Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5.3", + "id_raw": "CC1.5.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 24, + "title": "Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance", + "description": "Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5.4", + "id_raw": "CC1.5.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 25, + "title": "Considers Excessive Pressures", + "description": "Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc1.5.5", + "id_raw": "CC1.5.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 26, + "title": "Evaluates Performance and Rewards or Disciplines Individuals", + "description": "Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.1.1", + "id_raw": "CC2.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 27, + "title": "Identifies Information Requirements", + "description": "A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.1.2", + "id_raw": "CC2.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 28, + "title": "Captures Internal and External Sources of Data", + "description": "Information systems capture internal and external sources of data." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.1.3", + "id_raw": "CC2.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 29, + "title": "Processes Relevant Data Into Information", + "description": "Information systems process and transform relevant data into information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.1.4", + "id_raw": "CC2.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 30, + "title": "Maintains Quality Throughout Processing", + "description": "Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.1", + "id_raw": "CC2.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 31, + "title": "Communicates Internal Control Information", + "description": "A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.2", + "id_raw": "CC2.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 32, + "title": "Communicates With the Board of Directors", + "description": "Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.3", + "id_raw": "CC2.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 33, + "title": "Provides Separate Communication Lines", + "description": "Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.4", + "id_raw": "CC2.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 34, + "title": "Selects Relevant Method of Communication", + "description": "The method of communication considers the timing, audience, and nature of the information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.5", + "id_raw": "CC2.2.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 35, + "title": "Communicates Responsibilities", + "description": "Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.6", + "id_raw": "CC2.2.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 36, + "title": "Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters", + "description": "Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.7", + "id_raw": "CC2.2.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 37, + "title": "Communicates Objectives and Changes to Objectives ", + "description": "The entity communicates its objectives and changes to those objectives to personnel in a timely manner. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.8", + "id_raw": "CC2.2.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 38, + "title": "Communicates Information to Improve Security Knowledge and Awareness", + "description": "The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.9", + "id_raw": "CC2.2.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 39, + "title": "Communicates Information About System Operation and Boundaries", + "description": "The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.10", + "id_raw": "CC2.2.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 40, + "title": "Communicates System Objectives", + "description": "The entity communicates its objectives to personnel to enable them to carry out their responsibilities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.2.11", + "id_raw": "CC2.2.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 41, + "title": "Communicates System Changes", + "description": "System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.1", + "id_raw": "CC2.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 42, + "title": "Communicates to External Parties", + "description": "Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.2", + "id_raw": "CC2.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 43, + "title": "Enables Inbound Communications", + "description": "Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.3", + "id_raw": "CC2.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 44, + "title": "Communicates With the Board of Directors", + "description": "Relevant information resulting from assessments conducted by external parties is communicated to the board of directors." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.4", + "id_raw": "CC2.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 45, + "title": "Provides Separate Communication Lines", + "description": "Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.5", + "id_raw": "CC2.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 46, + "title": "Selects Relevant Method of Communication", + "description": "The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.6", + "id_raw": "CC2.3.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 47, + "title": "Communicates Objectives Related to Confidentiality and Changes to Objectives", + "description": "The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.7", + "id_raw": "CC2.3.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 48, + "title": "Communicates Objectives Related to Privacy and Changes to Objectives", + "description": "The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.8", + "id_raw": "CC2.3.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 49, + "title": "Communicates Information About System Operation and Boundaries", + "description": "The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.9", + "id_raw": "CC2.3.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 50, + "title": "Communicates System Objectives", + "description": "The entity communicates its system objectives to appropriate external users. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.10", + "id_raw": "CC2.3.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 51, + "title": "Communicates System Responsibilities", + "description": "External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc2.3.11", + "id_raw": "CC2.3.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 52, + "title": "Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters", + "description": "External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.1", + "id_raw": "CC3.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 53, + "title": "Reflects Management's Choices", + "description": "Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.2", + "id_raw": "CC3.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 54, + "title": "Considers Tolerances for Risk", + "description": "Management considers the acceptable levels of variation relative to the achievement of operations objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.3", + "id_raw": "CC3.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 55, + "title": "Includes Operations and Financial Performance Goals", + "description": "The organization reflects the desired level of operations and financial performance for the entity within operations objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.4", + "id_raw": "CC3.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 56, + "title": "Forms a Basis for Committing of Resources", + "description": "Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.5", + "id_raw": "CC3.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 57, + "title": "Complies With Applicable Accounting Standards", + "description": "Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.6", + "id_raw": "CC3.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 58, + "title": "Considers Materiality", + "description": "Management considers materiality in financial statement presentation." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.7", + "id_raw": "CC3.1.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 59, + "title": "Reflects Entity Activities", + "description": "External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.8", + "id_raw": "CC3.1.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 60, + "title": "Complies With Externally Established Frameworks", + "description": "Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.9", + "id_raw": "CC3.1.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 61, + "title": "Considers the Required Level of Precision", + "description": "Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.10", + "id_raw": "CC3.1.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 62, + "title": "Reflects Entity Activities", + "description": "External reporting reflects the underlying transactions and events within a range of acceptable limits." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.11", + "id_raw": "CC3.1.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 63, + "title": "Reflects Management's Choices", + "description": "Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.12", + "id_raw": "CC3.1.12", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 64, + "title": "Considers the Required Level of Precision", + "description": "Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.13", + "id_raw": "CC3.1.13", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 65, + "title": "Reflects Entity Activities", + "description": "Internal reporting reflects the underlying transactions and events within a range of acceptable limits." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.14", + "id_raw": "CC3.1.14", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 66, + "title": "Reflects External Laws and Regulations", + "description": "Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.15", + "id_raw": "CC3.1.15", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 67, + "title": "Considers Tolerances for Risk", + "description": "Management considers the acceptable levels of variation relative to the achievement of operations objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.1.16", + "id_raw": "CC3.1.16", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 68, + "title": "Establishes Sub-objectives to Support Objectives", + "description": "Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.1", + "id_raw": "CC3.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 69, + "title": "Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels", + "description": "The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.2", + "id_raw": "CC3.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 70, + "title": "Analyzes Internal and External Factors", + "description": "Risk identification considers both internal and external factors and their impact on the achievement of objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.3", + "id_raw": "CC3.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 71, + "title": "Involves Appropriate Levels of Management", + "description": "The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.4", + "id_raw": "CC3.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 72, + "title": "Estimates Significance of Risks Identified", + "description": "Identified risks are analyzed through a process that includes estimating the potential significance of the risk. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.5", + "id_raw": "CC3.2.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 73, + "title": "Determines How to Respond to Risks", + "description": "Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.6", + "id_raw": "CC3.2.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 74, + "title": "Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities", + "description": "The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.7", + "id_raw": "CC3.2.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 75, + "title": "Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties", + "description": "The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.2.8", + "id_raw": "CC3.2.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 76, + "title": "Considers the Significance of the Risk", + "description": "The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3.1", + "id_raw": "CC3.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 77, + "title": "Considers Various Types of Fraud", + "description": "The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3.2", + "id_raw": "CC3.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 78, + "title": "Assesses Incentives and Pressures", + "description": "The assessment of fraud risks considers incentives and pressures." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3.3", + "id_raw": "CC3.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 79, + "title": "Assesses Opportunities", + "description": "The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3.4", + "id_raw": "CC3.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 80, + "title": "Assesses Attitudes and Rationalizations", + "description": "The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.3.5", + "id_raw": "CC3.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 81, + "title": "Considers the Risks Related to the Use of IT and Access to Information", + "description": "The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4.1", + "id_raw": "CC3.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 82, + "title": "Assesses Changes in the External Environment", + "description": "The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4.2", + "id_raw": "CC3.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 83, + "title": "Assesses Changes in the Business Model", + "description": "The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4.3", + "id_raw": "CC3.4.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 84, + "title": "Assesses Changes in Leadership", + "description": "The entity considers changes in management and respective attitudes and philosophies on the system of internal control." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4.4", + "id_raw": "CC3.4.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 85, + "title": "Assess Changes in Systems and Technology", + "description": "The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc3.4.5", + "id_raw": "CC3.4.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 86, + "title": "Assess Changes in Vendor and Business Partner Relationships", + "description": "The risk identification process considers changes in vendor and business partner relationships. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.1", + "id_raw": "CC4.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 87, + "title": "Considers a Mix of Ongoing and Separate Evaluations", + "description": "Management includes a balance of ongoing and separate evaluations." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.2", + "id_raw": "CC4.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 88, + "title": "Considers Rate of Change", + "description": "Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.3", + "id_raw": "CC4.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 89, + "title": "Establishes Baseline Understanding", + "description": "The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.4", + "id_raw": "CC4.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 90, + "title": "Uses Knowledgeable Personnel", + "description": "Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.5", + "id_raw": "CC4.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 91, + "title": "Integrates With Business Processes", + "description": "Ongoing evaluations are built into the business processes and adjust to changing conditions." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.6", + "id_raw": "CC4.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 92, + "title": "Adjusts Scope and Frequency", + "description": "Management varies the scope and frequency of separate evaluations depending on risk." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.7", + "id_raw": "CC4.1.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 93, + "title": "Objectively Evaluates", + "description": "Separate evaluations are performed periodically to provide objective feedback." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.1.8", + "id_raw": "CC4.1.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 94, + "title": "Considers Different Types of Ongoing and Separate Evaluations", + "description": "Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.2.1", + "id_raw": "CC4.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 95, + "title": "Assesses Results", + "description": "Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.2.2", + "id_raw": "CC4.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 96, + "title": "Communicates Deficiencies", + "description": "Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc4.2.3", + "id_raw": "CC4.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 97, + "title": "Monitors Corrective Action", + "description": "Management tracks whether deficiencies are remedied on a timely basis." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.1", + "id_raw": "CC5.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 98, + "title": "Integrates With Risk Assessment", + "description": "Control activities help ensure that risk responses that address and mitigate risks are carried out. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.2", + "id_raw": "CC5.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 99, + "title": "Considers Entity-Specific Factors", + "description": "Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.3", + "id_raw": "CC5.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 100, + "title": "Determines Relevant Business Processes", + "description": "Management determines which relevant business processes require control activities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.4", + "id_raw": "CC5.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 101, + "title": "Evaluates a Mix of Control Activity Types", + "description": "Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.5", + "id_raw": "CC5.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 102, + "title": "Considers at What Level Activities Are Applied", + "description": "Management considers control activities at various levels in the entity." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.1.6", + "id_raw": "CC5.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 103, + "title": "Addresses Segregation of Duties", + "description": "Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.2.1", + "id_raw": "CC5.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 104, + "title": "Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls", + "description": "Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.2.2", + "id_raw": "CC5.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 105, + "title": "Establishes Relevant Technology Infrastructure Control Activities", + "description": "Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.2.3", + "id_raw": "CC5.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 106, + "title": "Establishes Relevant Security Management Process Controls Activities", + "description": "Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.2.4", + "id_raw": "CC5.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 107, + "title": "Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities", + "description": "Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.1", + "id_raw": "CC5.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 108, + "title": "Establishes Policies and Procedures to Support Deployment of Management ‘s Directives", + "description": "Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.2", + "id_raw": "CC5.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 109, + "title": "Establishes Responsibility and Accountability for Executing Policies and Procedures", + "description": "Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.3", + "id_raw": "CC5.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 110, + "title": "Performs in a Timely Manner", + "description": "Responsible personnel perform control activities in a timely manner as defined by the policies and procedures." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.4", + "id_raw": "CC5.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 111, + "title": "Takes Corrective Action", + "description": "Responsible personnel investigate and act on matters identified as a result of executing control activities." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.5", + "id_raw": "CC5.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 112, + "title": "Performs Using Competent Personnel", + "description": "Competent personnel with sufficient authority perform control activities with diligence and continuing focus." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc5.3.6", + "id_raw": "CC5.3.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 113, + "title": "Reassesses Policies and Procedures", + "description": "Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.1", + "id_raw": "CC6.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 114, + "title": "Identifies and Manages the Inventory of Information Assets", + "description": "The entity identifies, inventories, classifies, and manages information assets. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.2", + "id_raw": "CC6.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 115, + "title": "Restricts Logical Access", + "description": "Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.3", + "id_raw": "CC6.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 116, + "title": "Identifies and Authenticates Users", + "description": "Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.4", + "id_raw": "CC6.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 117, + "title": "Considers Network Segmentation", + "description": "Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.5", + "id_raw": "CC6.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 118, + "title": "Manages Points of Access", + "description": "Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.6", + "id_raw": "CC6.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 119, + "title": "Restricts Access to Information Assets", + "description": "Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.7", + "id_raw": "CC6.1.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 120, + "title": "Manages Identification and Authentication", + "description": "Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.8", + "id_raw": "CC6.1.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 121, + "title": "Manages Credentials for Infrastructure and Software", + "description": "New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.9", + "id_raw": "CC6.1.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 122, + "title": "Uses Encryption to Protect Data", + "description": "The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.1.10", + "id_raw": "CC6.1.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 123, + "title": "Protects Encryption Keys", + "description": "Processes are in place to protect encryption keys during generation, storage, use, and destruction." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.2.1", + "id_raw": "CC6.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 124, + "title": "Controls Access Credentials to Protected Assets", + "description": "Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.2.2", + "id_raw": "CC6.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 125, + "title": "Removes Access to Protected Assets When Appropriate", + "description": "Processes are in place to remove credential access when an individual no longer requires such access." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.2.3", + "id_raw": "CC6.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 126, + "title": "Reviews Appropriateness of Access Credentials", + "description": "The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.3.1", + "id_raw": "CC6.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 127, + "title": "Creates or Modifies Access to Protected Information Assets", + "description": "Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.3.2", + "id_raw": "CC6.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 128, + "title": "Removes Access to Protected Information Assets", + "description": "Processes are in place to remove access to protected information assets when an individual no longer requires access." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.3.3", + "id_raw": "CC6.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 129, + "title": "Uses Role-Based Access Controls", + "description": "Role-based access control is utilized to support segregation of incompatible functions." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.4.1", + "id_raw": "CC6.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 130, + "title": "Creates or Modifies Physical Access", + "description": "Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.4.2", + "id_raw": "CC6.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 131, + "title": "Removes Physical Access", + "description": "Processes are in place to remove access to physical resources when an individual no longer requires access." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.4.3", + "id_raw": "CC6.4.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 132, + "title": "Reviews Physical Access", + "description": "Processes are in place to periodically review physical access to ensure consistency with job responsibilities." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.5.1", + "id_raw": "CC6.5.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 133, + "title": "Identifies Data and Software for Disposal", + "description": "Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.5.2", + "id_raw": "CC6.5.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 134, + "title": "Removes Data and Software From Entity Control", + "description": "Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6.1", + "id_raw": "CC6.6.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 135, + "title": "Restricts Access", + "description": "The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6.2", + "id_raw": "CC6.6.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 136, + "title": "Protects Identification and Authentication Credentials", + "description": "Identification and authentication credentials are protected during transmission outside its system boundaries." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6.3", + "id_raw": "CC6.6.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 137, + "title": "Requires Additional Authentication or Credentials", + "description": "Additional authentication information or credentials are required when accessing the system from outside its boundaries." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.6.4", + "id_raw": "CC6.6.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 138, + "title": "Implements Boundary Protection Systems", + "description": "Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.7.1", + "id_raw": "CC6.7.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 139, + "title": "Restricts the Ability to Perform Transmission", + "description": "Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.7.2", + "id_raw": "CC6.7.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 140, + "title": "Uses Encryption Technologies or Secure Communication Channels to Protect Data", + "description": "Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.7.3", + "id_raw": "CC6.7.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 141, + "title": "Protects Removal Media", + "description": "Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.7.4", + "id_raw": "CC6.7.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 142, + "title": "Protects Mobile Devices", + "description": "Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8.1", + "id_raw": "CC6.8.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 143, + "title": "Restricts Application and Software Installation", + "description": "The ability to install applications and software is restricted to authorized individuals." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8.2", + "id_raw": "CC6.8.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 144, + "title": "Detects Unauthorized Changes to Software and Configuration Parameters", + "description": "Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8.3", + "id_raw": "CC6.8.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 145, + "title": "Uses a Defined Change Control Process", + "description": "A management-defined change control process is used for the implementation of software. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8.4", + "id_raw": "CC6.8.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 146, + "title": "Uses Antivirus and Anti-Malware Software", + "description": "Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc6.8.5", + "id_raw": "CC6.8.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 147, + "title": "Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software", + "description": "Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1.1", + "id_raw": "CC7.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 148, + "title": "Uses Defined Configuration Standards", + "description": "Management has defined configuration standards. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1.2", + "id_raw": "CC7.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 149, + "title": "Monitors Infrastructure and Software", + "description": "The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1.3", + "id_raw": "CC7.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 150, + "title": "Implements Change-Detection Mechanisms", + "description": "The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1.4", + "id_raw": "CC7.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 151, + "title": "Detects Unknown or Unauthorized Components", + "description": "Procedures are in place to detect the introduction of unknown or unauthorized components. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.1.5", + "id_raw": "CC7.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 152, + "title": "Conducts Vulnerability Scans", + "description": "The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.2.1", + "id_raw": "CC7.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 153, + "title": "Implements Detection Policies, Procedures, and Tools", + "description": "Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.2.2", + "id_raw": "CC7.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 154, + "title": "Designs Detection Measures", + "description": "Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.2.3", + "id_raw": "CC7.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 155, + "title": "Implements Filters to Analyze Anomalies", + "description": "Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.2.4", + "id_raw": "CC7.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 156, + "title": "Monitors Detection Tools for Effective Operation", + "description": "Management has implemented processes to monitor the effectiveness of detection tools." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3.1", + "id_raw": "CC7.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 157, + "title": "Responds to Security Incidents", + "description": "Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3.2", + "id_raw": "CC7.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 158, + "title": "Communicates and Reviews Detected Security Events", + "description": "Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3.3", + "id_raw": "CC7.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 159, + "title": "Develops and Implements Procedures to Analyze Security Incidents", + "description": "Procedures are in place to analyze security incidents and determine system impact." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3.4", + "id_raw": "CC7.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 160, + "title": "Assesses the Impact on Personal Information", + "description": "Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.3.5", + "id_raw": "CC7.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 161, + "title": "Determines Personal Information Used or Disclosed", + "description": "When an unauthorized use or disclosure of personal information has occurred, the affected information is identified. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.1", + "id_raw": "CC7.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 162, + "title": "Assigns Roles and Responsibilities", + "description": "Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.2", + "id_raw": "CC7.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 163, + "title": "Contains Security Incidents", + "description": "Procedures are in place to contain security incidents that actively threaten entity objectives. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.3", + "id_raw": "CC7.4.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 164, + "title": "Mitigates Ongoing Security Incidents", + "description": "Procedures are in place to mitigate the effects of ongoing security incidents." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.4", + "id_raw": "CC7.4.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 165, + "title": "Ends Threats Posed by Security Incidents", + "description": "Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.5", + "id_raw": "CC7.4.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 166, + "title": "Restores Operations", + "description": "Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.6", + "id_raw": "CC7.4.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 167, + "title": "Develops and Implements Communication Protocols for Security Incidents", + "description": "Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.7", + "id_raw": "CC7.4.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 168, + "title": "Obtains Understanding of Nature of Incident and Determines Containment Strategy", + "description": "An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.8", + "id_raw": "CC7.4.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 169, + "title": "Remediates Identified Vulnerabilities", + "description": "Identified vulnerabilities are remediated through the development and execution of remediation activities. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.9", + "id_raw": "CC7.4.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 170, + "title": "Communicates Remediation Activities", + "description": "Remediation activities are documented and communicated in accordance with the incident response program. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.10", + "id_raw": "CC7.4.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 171, + "title": "Evaluates the Effectiveness of Incident Response", + "description": "The design of incident response activities is evaluated for effectiveness on a periodic basis. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.11", + "id_raw": "CC7.4.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 172, + "title": "Periodically Evaluates Incidents", + "description": "Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.12", + "id_raw": "CC7.4.12", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 173, + "title": "Communicates Unauthorized Use and Disclosure", + "description": "Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.4.13", + "id_raw": "CC7.4.13", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 174, + "title": "Application of Sanctions", + "description": "The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.1", + "id_raw": "CC7.5.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 175, + "title": "Restores the Affected Environment", + "description": "The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.2", + "id_raw": "CC7.5.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 176, + "title": "Communicates Information About the Event", + "description": "Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.3", + "id_raw": "CC7.5.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 177, + "title": "Determines Root Cause of the Event", + "description": "The root cause of the event is determined. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.4", + "id_raw": "CC7.5.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 178, + "title": "Implements Changes to Prevent and Detect Recurrences", + "description": "Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.5", + "id_raw": "CC7.5.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 179, + "title": "Improves Response and Recovery Procedures", + "description": "Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc7.5.6", + "id_raw": "CC7.5.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 180, + "title": "Implements Incident Recovery Plan Testing", + "description": "Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.1", + "id_raw": "CC8.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 181, + "title": "Manages Changes Throughout the System Lifecycle", + "description": "A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.2", + "id_raw": "CC8.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 182, + "title": "Authorizes Changes", + "description": "A process is in place to authorize system changes prior to development." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.3", + "id_raw": "CC8.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 183, + "title": "Designs and Develops Changes", + "description": "A process is in place to design and develop system changes." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.4", + "id_raw": "CC8.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 184, + "title": "Documents Changes", + "description": "A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.5", + "id_raw": "CC8.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 185, + "title": "Tracks System Changes", + "description": "A process is in place to track system changes prior to implementation. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.6", + "id_raw": "CC8.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 186, + "title": "Configures Software", + "description": "A process is in place to select and implement the configuration parameters used to control the functionality of software. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.7", + "id_raw": "CC8.1.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 187, + "title": "Tests System Changes", + "description": "A process is in place to test system changes prior to implementation. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.8", + "id_raw": "CC8.1.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 188, + "title": "Approves System Changes", + "description": "A process is in place to approve system changes prior to implementation. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.9", + "id_raw": "CC8.1.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 189, + "title": "Deploys System Changes", + "description": "A process is in place to implement system changes." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.10", + "id_raw": "CC8.1.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 190, + "title": "Identifies and Evaluates System Changes", + "description": "Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.11", + "id_raw": "CC8.1.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 191, + "title": "Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents", + "description": "Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.12", + "id_raw": "CC8.1.12", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 192, + "title": "Creates Baseline Configuration of IT Technology", + "description": "A baseline configuration of IT and control systems is created and maintained." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.13", + "id_raw": "CC8.1.13", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 193, + "title": "Provides for Changes Necessary in Emergency Situations ", + "description": "A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.14", + "id_raw": "CC8.1.14", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 194, + "title": "Protects Confidential Information", + "description": "The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc8.1.15", + "id_raw": "CC8.1.15", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 195, + "title": "Protects Personal Information", + "description": "The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.1.1", + "id_raw": "CC9.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 196, + "title": "Considers Mitigation of Risks of Business Disruption", + "description": "Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.1.2", + "id_raw": "CC9.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 197, + "title": "Considers the Use of Insurance to Mitigate Financial Impact Risks", + "description": "The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.1", + "id_raw": "CC9.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 198, + "title": "Establishes Requirements for Vendor and Business Partner Engagements", + "description": "The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.2", + "id_raw": "CC9.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 199, + "title": "Assesses Vendor and Business Partner Risks", + "description": "The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.3", + "id_raw": "CC9.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 200, + "title": "Assigns Responsibility and Accountability for Managing Vendors and Business Partners", + "description": "The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.4", + "id_raw": "CC9.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 201, + "title": "Establishes Communication Protocols for Vendors and Business Partners", + "description": "The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.5", + "id_raw": "CC9.2.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 202, + "title": "Establishes Exception Handling Procedures From Vendors and Business Partners ", + "description": "The entity establishes exception handling procedures for service or product issues related to vendors and business partners. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.6", + "id_raw": "CC9.2.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 203, + "title": "Assesses Vendor and Business Partner Performance", + "description": "The entity periodically assesses the performance of vendors and business partners. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.7", + "id_raw": "CC9.2.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 204, + "title": "Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments", + "description": "The entity implements procedures for addressing issues identified with vendor and business partner relationships. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.8", + "id_raw": "CC9.2.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 205, + "title": "Implements Procedures for Terminating Vendor and Business Partner Relationships ", + "description": " The entity implements procedures for terminating vendor and business partner relationships." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.9", + "id_raw": "CC9.2.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 206, + "title": "Obtains Confidentiality Commitments from Vendors and Business Partners", + "description": "The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.10", + "id_raw": "CC9.2.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 207, + "title": "Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners ", + "description": "On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.11", + "id_raw": "CC9.2.11", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 208, + "title": "Obtains Privacy Commitments from Vendors and Business Partners", + "description": "The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:cc9.2.12", + "id_raw": "CC9.2.12", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 209, + "title": "Assesses Compliance with Privacy Commitments of Vendors and Business Partners", + "description": "On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.1.1", + "id_raw": "A1.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 210, + "title": "Measures Current Usage", + "description": "The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.1.2", + "id_raw": "A1.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 211, + "title": "Forecasts Capacity", + "description": "The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.1.3", + "id_raw": "A1.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 212, + "title": "Makes Changes Based on Forecasts", + "description": "The system change management process is initiated when forecasted usage exceeds capacity tolerances. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.1", + "id_raw": "A1.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 213, + "title": "Identifies Environmental Threats", + "description": "As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.2", + "id_raw": "A1.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 214, + "title": "Designs Detection Measures", + "description": "Detection measures are implemented to identify anomalies that could result from environmental threat events. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.3", + "id_raw": "A1.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 215, + "title": "Implements and Maintains Environmental Protection Mechanisms", + "description": "Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.4", + "id_raw": "A1.2.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 216, + "title": "Implements Alerts to Analyze Anomalies", + "description": "Management implements alerts that are communicated to personnel for analysis to identify environmental threat events." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.5", + "id_raw": "A1.2.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 217, + "title": "Responds to Environmental Threat Events", + "description": "Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem)." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.6", + "id_raw": "A1.2.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 218, + "title": "Communicates and Reviews Detected Environmental Threat Events", + "description": "Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.7", + "id_raw": "A1.2.7", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 219, + "title": "Determines Data Requiring Backup", + "description": "Data is evaluated to determine whether backup is required. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.8", + "id_raw": "A1.2.8", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 220, + "title": "Performs Data Backup", + "description": "Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.9", + "id_raw": "A1.2.9", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 221, + "title": "Addresses Offsite Storage", + "description": "Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.2.10", + "id_raw": "A1.2.10", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 222, + "title": "Implements Alternate Processing Infrastructure", + "description": "Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.3.1", + "id_raw": "A1.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 223, + "title": "Implements Business Continuity Plan Testing", + "description": "Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:a1.3.2", + "id_raw": "A1.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 224, + "title": "Tests Integrity and Completeness of Back-Up Data", + "description": "The integrity and completeness of back-up information is tested on a periodic basis. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.1.1", + "id_raw": "C1.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 225, + "title": "Identifies Confidential information", + "description": "Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.1.2", + "id_raw": "C1.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 226, + "title": "Protects Confidential Information from Destruction", + "description": "Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.2.1", + "id_raw": "C1.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 227, + "title": "Identifies Confidential Information for Destruction", + "description": "Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:c1.2.2", + "id_raw": "C1.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 228, + "title": "Destroys Confidential Information", + "description": "Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.1.1", + "id_raw": "PI1.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 229, + "title": "Defines Data Necessary to Support a Product or Service", + "description": "When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:\n(1)    The definition of the data is available to the users of the data\n(2)    The definition of the data includes the following information:\n—    The population of events or instances included in the data\n—    The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)\n—    Source(s) of the data\n—    The unit(s) of measurement of data elements (for example, fields)\n—    The accuracy/correctness/precision of measurement\n—    The uncertainty or confidence interval inherent in each data element and in the population of those elements\n—    The date the data was observed or the period of time during which the events relevant to the data occurred\n—    The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population\n(3)    The definition is complete and accurate.\n(4)    The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (meta-data) that has not been included within the data. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.2.1", + "id_raw": "PI1.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 230, + "title": "Defines Characteristics of Processing Inputs", + "description": "The characteristics of processing inputs that are necessary to meet requirements are defined." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.2.2", + "id_raw": "PI1.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 231, + "title": "Evaluates Processing Inputs", + "description": "Processing inputs are evaluated for compliance with defined input requirements." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.2.3", + "id_raw": "PI1.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 232, + "title": "Creates and Maintains Records of System Inputs", + "description": "Records of system input activities are created and maintained completely and accurately in a timely manner." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3.1", + "id_raw": "PI1.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 233, + "title": "Defines Processing Specifications", + "description": "The processing specifications that are necessary to meet product or service requirements are defined." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3.2", + "id_raw": "PI1.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 234, + "title": "Defines Processing Activities", + "description": "Processing activities are defined to result in products or services that meet specifications." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3.3", + "id_raw": "PI1.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 235, + "title": "Detects and Corrects Production Errors", + "description": "Errors in the production process are detected and corrected in a timely manner. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3.4", + "id_raw": "PI1.3.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 236, + "title": "Records System Processing Activities", + "description": "System processing activities are recorded completely and accurately in a timely manner." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.3.5", + "id_raw": "PI1.3.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 237, + "title": "Processes Inputs", + "description": "Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.4.1", + "id_raw": "PI1.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 238, + "title": "Protects Output", + "description": "Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.4.2", + "id_raw": "PI1.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 239, + "title": "Distributes Output Only to Intended Parties", + "description": "Output is distributed or made available only to intended parties." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.4.3", + "id_raw": "PI1.4.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 240, + "title": "Distributes Output Completely and Accurately", + "description": "Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.4.4", + "id_raw": "PI1.4.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 241, + "title": "Creates and Maintains Records of System Output Activities", + "description": "Records of system output activities are created and maintained completely and accurately in a timely manner." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.5.1", + "id_raw": "PI1.5.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 242, + "title": "Protects Stored Items", + "description": "Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.5.2", + "id_raw": "PI1.5.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 243, + "title": "Archives and Protects System Records", + "description": "System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.5.3", + "id_raw": "PI1.5.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 244, + "title": "Stores Data Completely and Accurately", + "description": "Procedures are in place to provide for the complete, accurate, and timely storage of data. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:pi1.5.4", + "id_raw": "PI1.5.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 245, + "title": "Creates and Maintains Records of System Storage Activities", + "description": "Records of system storage activities are created and maintained completely and accurately in a timely manner." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1.1.1", + "id_raw": "P1.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 246, + "title": "Communicates to Data Subjects", + "description": "Notice is provided to data subjects regarding the following:\n—    Purpose for collecting personal information\n—    Choice and consent\n—    Types of personal information collected\n—    Methods of collection (for example, use of cookies or other tracking techniques)\n—    Use, retention, and disposal\n—    Access\n—    Disclosure to third parties\n—    Security for privacy\n—    Quality, including data subjects’ responsibilities for quality\n—    Monitoring and enforcement\nIf personal information is collected from sources other than the individual, such sources are described in the privacy notice." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1.1.2", + "id_raw": "P1.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 247, + "title": "Provides Notice to Data Subjects", + "description": "Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1.1.3", + "id_raw": "P1.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 248, + "title": "Covers Entities and Activities in Notice ", + "description": "An objective description of the entities and activities covered is included in the entity’s privacy notice." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p1.1.4", + "id_raw": "P1.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 249, + "title": "Uses Clear and Conspicuous Language", + "description": "The entity’s privacy notice is conspicuous and uses clear language." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.1", + "id_raw": "P2.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 250, + "title": "Communicates to Data Subjects", + "description": "Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.2", + "id_raw": "P2.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 251, + "title": "Communicates Consequences of Denying or Withdrawing Consent", + "description": "When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.3", + "id_raw": "P2.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 252, + "title": "Obtains Implicit or Explicit Consent", + "description": "Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.4", + "id_raw": "P2.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 253, + "title": "Documents and Obtains Consent for New Purposes and Uses", + "description": "If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.5", + "id_raw": "P2.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 254, + "title": "Obtains Explicit Consent for Sensitive Information", + "description": "Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p2.1.6", + "id_raw": "P2.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 255, + "title": "Obtains Consent for Data Transfers", + "description": "Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.1.1", + "id_raw": "P3.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 256, + "title": "Limits the Collection of Personal Information", + "description": "The collection of personal information is limited to that necessary to meet the entity’s objectives." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.1.2", + "id_raw": "P3.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 257, + "title": "Collects Information by Fair and Lawful Means", + "description": "Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.1.3", + "id_raw": "P3.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 258, + "title": "Collects Information From Reliable Sources", + "description": "Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.1.4", + "id_raw": "P3.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 259, + "title": "Informs Data Subjects When Additional Information Is Acquired", + "description": "Data subjects are informed if the entity develops or acquires additional information about them for its use. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.2.1", + "id_raw": "P3.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 260, + "title": "Obtains Explicit Consent for Sensitive Information", + "description": "Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p3.2.2", + "id_raw": "P3.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 261, + "title": "Documents Explicit Consent to Retain Information", + "description": "Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.1.1", + "id_raw": "P4.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 262, + "title": "Uses Personal Information for Intended Purposes", + "description": "Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.2.1", + "id_raw": "P4.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 263, + "title": "Retains Personal Information", + "description": "Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.2.2", + "id_raw": "P4.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 264, + "title": "Protects Personal Information", + "description": "Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.3.1", + "id_raw": "P4.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 265, + "title": "Captures, Identifies, and Flags Requests for Deletion", + "description": "Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.3.2", + "id_raw": "P4.3.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 266, + "title": "Disposes of, Destroys, and Redacts Personal Information", + "description": "Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p4.3.3", + "id_raw": "P4.3.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 267, + "title": "Destroys Personal Information", + "description": "Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.1.1", + "id_raw": "P5.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 268, + "title": "Authenticates Data Subjects’ Identity", + "description": "The identity of data subjects who request access to their personal information is authenticated before they are given access to that information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.1.2", + "id_raw": "P5.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 269, + "title": "Permits Data Subjects Access to Their Personal Information", + "description": "Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.1.3", + "id_raw": "P5.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 270, + "title": "Provides Understandable Personal Information Within Reasonable Time", + "description": "Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.1.4", + "id_raw": "P5.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 271, + "title": "Informs Data Subjects If Access Is Denied", + "description": "When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.2.1", + "id_raw": "P5.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 272, + "title": "Communicates Denial of Access Requests", + "description": "Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.2.2", + "id_raw": "P5.2.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 273, + "title": "Permits Data Subjects to Update or Correct Personal Information", + "description": "Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p5.2.3", + "id_raw": "P5.2.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 274, + "title": "Communicates Denial of Correction Requests", + "description": "Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.1.1", + "id_raw": "P6.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 275, + "title": "Communicates Privacy Policies to Third Parties", + "description": "Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.1.2", + "id_raw": "P6.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 276, + "title": "Discloses Personal Information Only When Appropriate", + "description": "Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.1.3", + "id_raw": "P6.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 277, + "title": "Discloses Personal Information Only to Appropriate Third Parties", + "description": "Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.1.4", + "id_raw": "P6.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 278, + "title": "Discloses Information to Third Parties for New Purposes and Uses", + "description": "Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.2.1", + "id_raw": "P6.2.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 279, + "title": "Creates and Retains Record of Authorized Disclosures", + "description": "The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely. " + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.3.1", + "id_raw": "P6.3.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 280, + "title": "Creates and Retains Record of Detected or Reported Unauthorized Disclosures", + "description": "The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.4.1", + "id_raw": "P6.4.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 281, + "title": "Discloses Personal Information Only to Appropriate Third Parties", + "description": "Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.4.2", + "id_raw": "P6.4.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 282, + "title": "Remediates Misuse of Personal Information by a Third Party ", + "description": "The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.5.1", + "id_raw": "P6.5.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 283, + "title": "Remediates Misuse of Personal Information by a Third Party", + "description": "The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.5.2", + "id_raw": "P6.5.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 284, + "title": "Reports Actual or Suspected Unauthorized Disclosures", + "description": "A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.6.1", + "id_raw": "P6.6.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 285, + "title": "Remediates Misuse of Personal Information by a Third Party", + "description": "The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.6.2", + "id_raw": "P6.6.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 286, + "title": "Provides Notice of Breaches and Incidents", + "description": "The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. 
" + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.7.1", + "id_raw": "P6.7.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 287, + "title": "Identifies Types of Personal Information and Handling Process", + "description": "The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p6.7.2", + "id_raw": "P6.7.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 288, + "title": "Captures, Identifies, and Communicates Requests for Information", + "description": "Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p7.1.1", + "id_raw": "P7.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 289, + "title": "Ensures Accuracy and Completeness of Personal Information", + "description": "Personal information is accurate and complete for the purposes for which it is to be used." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p7.1.2", + "id_raw": "P7.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 290, + "title": "Ensures Relevance of Personal Information", + "description": "Personal information is relevant to the purposes for which it is to be used." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.1", + "id_raw": "P8.1.1", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 291, + "title": "Communicates to Data Subjects", + "description": "Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes." 
+ }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.2", + "id_raw": "P8.1.2", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 292, + "title": "Addresses Inquiries, Complaints, and Disputes", + "description": "A process is in place to address inquiries, complaints, and disputes." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.3", + "id_raw": "P8.1.3", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 293, + "title": "Documents and Communicates Dispute Resolution and Recourse", + "description": "Each complaint is addressed, and the resolution is documented and communicated to the individual." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.4", + "id_raw": "P8.1.4", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 294, + "title": "Documents and Reports Compliance Review Results", + "description": "Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.5", + "id_raw": "P8.1.5", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 295, + "title": "Documents and Reports Instances of Noncompliance", + "description": "Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis." + }, + { + "source": "aicpa_tsc_v2017", + "id": "aicpa_tsc_v2017:p8.1.6", + "id_raw": "P8.1.6", + "tier_raw": "Point of Focus", + "tier": 3, + "seq": 296, + "title": "Performs Ongoing Monitoring", + "description": "Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary." 
+ }, + { + "source": "scf", + "id": "scf:gov", + "id_raw": "GOV", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 1, + "title": "Security & Privacy Governance", + "description": "Security & Privacy by Design (S|P) Principles:\nExecute a documented, risk-based program that supports business objectives while encompassing appropriate security and privacy principles that addresses applicable statutory, regulatory and contractual obligations.\n\nPrinciple Intent:\nOrganizations specify the development of an organization’s security and privacy programs, including criteria to measure success, to ensure ongoing leadership engagement and risk management." + }, + { + "source": "scf", + "id": "scf:ast", + "id_raw": "AST", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 2, + "title": "Asset Management", + "description": "Security & Privacy by Design (S|P) Principles:\nManage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.\n\nPrinciple Intent:\nOrganizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and to protect the organization’s data that is stored, processed or transmitted on its assets." 
+ }, + { + "source": "scf", + "id": "scf:bcd", + "id_raw": "BCD", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 3, + "title": "Business Continuity & Disaster Recovery", + "description": "Security & Privacy by Design (S|P) Principles:\nMaintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.\n\nPrinciple Intent:\nOrganizations establish processes that will help the organization recover from adverse situations with the minimal impact to operations, as well as provide the ability for e-discovery." + }, + { + "source": "scf", + "id": "scf:cap", + "id_raw": "CAP", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 4, + "title": "Capacity & Performance Planning", + "description": "Security & Privacy by Design (S|P) Principles:\nGovern the current and future capacities and performance of technology assets.\n\nPrinciple Intent:\nOrganizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance." + }, + { + "source": "scf", + "id": "scf:chg", + "id_raw": "CHG", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 5, + "title": "Change Management", + "description": "Security & Privacy by Design (S|P) Principles:\nManage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur. \n\nPrinciple Intent:\nOrganizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime, as well as allow easier troubleshooting of issues." 
+ }, + { + "source": "scf", + "id": "scf:cld", + "id_raw": "CLD", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 6, + "title": "Cloud Security", + "description": "Security & Privacy by Design (S|P) Principles:\nGovern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal cybersecurity and privacy controls.\n\nPrinciple Intent:\nOrganizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed. " + }, + { + "source": "scf", + "id": "scf:cpl", + "id_raw": "CPL", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 7, + "title": "Compliance", + "description": "Security & Privacy by Design (S|P) Principles:\nOversee the execution of cybersecurity and privacy controls to ensure appropriate evidence required due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.\n\nPrinciple Intent:\nOrganizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards." + }, + { + "source": "scf", + "id": "scf:cfg", + "id_raw": "CFG", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 8, + "title": "Configuration Management", + "description": "Security & Privacy by Design (S|P) Principles:\nEnforce secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.\n\nPrinciple Intent:\nOrganizations establish and maintain the integrity of systems. 
Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code." + }, + { + "source": "scf", + "id": "scf:mon", + "id_raw": "MON", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 9, + "title": "Continuous Monitoring", + "description": "Security & Privacy by Design (S|P) Principles:\nMaintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services. \n\nPrinciple Intent:\nOrganizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources." + }, + { + "source": "scf", + "id": "scf:cry", + "id_raw": "CRY", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 10, + "title": "Cryptographic Protections", + "description": "Security & Privacy by Design (S|P) Principles:\nUtilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit.\n\nPrinciple Intent:\nOrganizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data." 
+ }, + { + "source": "scf", + "id": "scf:dch", + "id_raw": "DCH", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 11, + "title": "Data Classification & Handling", + "description": "Security & Privacy by Design (S|P) Principles:\nEnforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can \n\nPrinciple Intent:\nOrganizations ensure that technology assets, both hardware and media, are properly classified and measures implemented to protect the organization’s data from unauthorized disclosure, regardless if it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data." + }, + { + "source": "scf", + "id": "scf:emb", + "id_raw": "EMB", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 12, + "title": "Embedded Technology", + "description": "Security & Privacy by Design (S|P) Principles:\nProvide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.\n\nPrinciple Intent:\nOrganizations specify the development, proactive management and ongoing review of security embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices." + }, + { + "source": "scf", + "id": "scf:end", + "id_raw": "END", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 13, + "title": "Endpoint Security", + "description": "Security & Privacy by Design (S|P) Principles:\nHarden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process. 
\n\nPrinciple Intent:\nOrganizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations." + }, + { + "source": "scf", + "id": "scf:hrs", + "id_raw": "HRS", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 14, + "title": "Human Resources Security", + "description": "Security & Privacy by Design (S|P) Principles:\nExecute sound hiring practices and ongoing personnel management to cultivate a security and privacy-minded workforce.\n\nPrinciple Intent:\nOrganizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration." + }, + { + "source": "scf", + "id": "scf:iac", + "id_raw": "IAC", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 15, + "title": "Identification & Authentication", + "description": "Security & Privacy by Design (S|P) Principles:\nEnforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.\n\nPrinciple Intent:\nOrganizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only." 
+ }, + { + "source": "scf", + "id": "scf:iro", + "id_raw": "IRO", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 16, + "title": "Incident Response", + "description": "Security & Privacy by Design (S|P) Principles:\nMaintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP). \n\nPrinciple Intent:\nOrganizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents." + }, + { + "source": "scf", + "id": "scf:iao", + "id_raw": "IAO", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 17, + "title": "Information Assurance", + "description": "Security & Privacy by Design (S|P) Principles:\nExecute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity and privacy controls, prior to a system, application or service being used in a production environment.\n\nPrinciple Intent:\nOrganizations ensure the adequately of security and controls are appropriate in both development and production environments." + }, + { + "source": "scf", + "id": "scf:mnt", + "id_raw": "MNT", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 18, + "title": "Maintenance", + "description": "Security & Privacy by Design (S|P) Principles:\nProactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties. \n\nPrinciple Intent:\nOrganizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets." 
+ }, + { + "source": "scf", + "id": "scf:mdm", + "id_raw": "MDM", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 19, + "title": "Mobile Device Management", + "description": "Security & Privacy by Design (S|P) Principles:\nImplement measures to restrict mobile device connectivity with critical infrastructure and sensitive data that limit the attack surface and potential data exposure from mobile device usage.\n\nPrinciple Intent:\nOrganizations govern risks associated with mobile devices, regardless if the device is owned by the organization, its users or trusted third-parties. Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices." + }, + { + "source": "scf", + "id": "scf:net", + "id_raw": "NET", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 20, + "title": "Network Security", + "description": "Security & Privacy by Design (S|P) Principles:\nArchitect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services. \n\nPrinciple Intent:\nOrganizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks." + }, + { + "source": "scf", + "id": "scf:pes", + "id_raw": "PES", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 21, + "title": "Physical & Environmental Security", + "description": "Security & Privacy by Design (S|P) Principles:\nProtect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage. 
\n\nPrinciple Intent:\nOrganizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats." + }, + { + "source": "scf", + "id": "scf:pri", + "id_raw": "PRI", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 22, + "title": "Privacy", + "description": "Security & Privacy by Design (S|P) Principles:\nAlign privacy practices with industry-recognized privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.\n\nPrinciple Intent:\nOrganizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Data (PD) that implements the concept of privacy by design and by default." + }, + { + "source": "scf", + "id": "scf:prm", + "id_raw": "PRM", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 23, + "title": "Project & Resource Management", + "description": "Security & Privacy by Design (S|P) Principles:\nOperationalize a viable strategy to achieve cybersecurity & privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.\n\nPrinciple Intent:\nOrganizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution." 
+ }, + { + "source": "scf", + "id": "scf:rsk", + "id_raw": "RSK", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 24, + "title": "Risk Management", + "description": "Security & Privacy by Design (S|P) Principles:\nProactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.\n\nPrinciple Intent:\nOrganizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and / or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk." + }, + { + "source": "scf", + "id": "scf:sea", + "id_raw": "SEA", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 25, + "title": "Secure Engineering & Architecture", + "description": "Security & Privacy by Design (S|P) Principles:\nUtilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.\n\nPrinciple Intent:\nOrganizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments." 
+ }, + { + "source": "scf", + "id": "scf:ops", + "id_raw": "OPS", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 26, + "title": "Security Operations", + "description": "Security & Privacy by Design (S|P) Principles:\nExecute the delivery of security and privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.\n\nPrinciple Intent:\nOrganizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity, physical security and privacy operations." + }, + { + "source": "scf", + "id": "scf:sat", + "id_raw": "SAT", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 27, + "title": "Security Awareness & Training", + "description": "Security & Privacy by Design (S|P) Principles:\nFoster a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.\n\nPrinciple Intent:\nOrganizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, in order to refine and improve on existing training." + }, + { + "source": "scf", + "id": "scf:tda", + "id_raw": "TDA", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 28, + "title": "Technology Development & Acquisition", + "description": "Security & Privacy by Design (S|P) Principles:\nDevelop and test systems, applications or services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design weaknesses.\n\nPrinciple Intent:\nOrganizations ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated." 
+ }, + { + "source": "scf", + "id": "scf:tpm", + "id_raw": "TPM", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 29, + "title": "Third-Party Management", + "description": "Security & Privacy by Design (S|P) Principles:\nExecute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.\n\nPrinciple Intent:\nOrganizations ensure that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become compromised, untrustworthy or defunct." + }, + { + "source": "scf", + "id": "scf:thr", + "id_raw": "THR", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 30, + "title": "Threat Management ", + "description": "Security & Privacy by Design (S|P) Principles:\nProactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.\n\nPrinciple Intent:\nOrganizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes." + }, + { + "source": "scf", + "id": "scf:vpm", + "id_raw": "VPM", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 31, + "title": "Vulnerability & Patch Management", + "description": "Security & Privacy by Design (S|P) Principles:\nLeverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience systems, applications and services against evolving and sophisticated attack vectors.\n\nPrinciple Intent:\nOrganizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized." 
+ }, + { + "source": "scf", + "id": "scf:web", + "id_raw": "WEB", + "tier_raw": "Domains & Principles", + "tier": 0, + "seq": 32, + "title": "Web Security", + "description": "Security & Privacy by Design (S|P) Principles:\nEnsure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.\n\nPrinciple Intent:\nOrganizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities." + }, + { + "source": "scf", + "id": "scf:gov-01", + "id_raw": "GOV-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 1, + "title": "Security & Privacy Governance Program ", + "description": "Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)" + }, + { + "source": "scf", + "id": "scf:gov-01.1", + "id_raw": "GOV-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 2, + "title": "Steering Committee", + "description": "Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising of key cybersecurity, privacy and business executives, which meets formally and on a regular basis.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)" + }, + { + "source": "scf", + "id": "scf:gov-01.2", + "id_raw": "GOV-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 3, + "title": "Status Reporting To Governing Body", + "description": "Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity and 
privacy program." + }, + { + "source": "scf", + "id": "scf:gov-02", + "id_raw": "GOV-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 4, + "title": "Publishing Security & Privacy Documentation ", + "description": "Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Wiki\n- SharePoint" + }, + { + "source": "scf", + "id": "scf:gov-03", + "id_raw": "GOV-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 5, + "title": "Periodic Review & Update of Security & Privacy Program", + "description": "Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. \n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee" + }, + { + "source": "scf", + "id": "scf:gov-04", + "id_raw": "GOV-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 6, + "title": "Assigned Security & Privacy Responsibilities ", + "description": "Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program. 
\n\nMethods To Comply With SCF Controls:\n- NIST NICE Framework\n- Chief Information Security Officer (CISO)" + }, + { + "source": "scf", + "id": "scf:gov-05", + "id_raw": "GOV-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 7, + "title": "Measures of Performance ", + "description": "Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.\n\nMethods To Comply With SCF Controls:\n- Metrics\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Enterprise Risk Management (ERM) solution" + }, + { + "source": "scf", + "id": "scf:gov-05.1", + "id_raw": "GOV-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 8, + "title": "Key Performance Indicators (KPIs)", + "description": "Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and privacy program.\n\nMethods To Comply With SCF Controls:\n- Key Performance Indicators (KPIs)" + }, + { + "source": "scf", + "id": "scf:gov-05.2", + "id_raw": "GOV-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 9, + "title": "Key Risk Indicators (KRIs)", + "description": "Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program.\n\nMethods To Comply With SCF Controls:\n- Key Risk Indicators (KRIs)" + }, + { + "source": "scf", + "id": "scf:gov-06", + "id_raw": "GOV-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 10, + "title": "Contacts With Authorities ", + "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.\n\nMethods To Comply With SCF Controls:\n- Threat intelligence personnel\n- Integrated Security Incident Response Team (ISIRT)" + }, + { + "source": 
"scf", + "id": "scf:gov-07", + "id_raw": "GOV-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 11, + "title": "Contacts With Groups & Associations ", + "description": "Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: \n\nMethods To Comply With SCF Controls:\n- SANS\n- CISO Executive Network\n- ISACA chapters\n- IAPP chapters\n- ISAA chapters" + }, + { + "source": "scf", + "id": "scf:gov-08", + "id_raw": "GOV-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 12, + "title": "Defining Business Context & Mission", + "description": "Mechanisms exist to define the context of its business model and document the mission of the organization." + }, + { + "source": "scf", + "id": "scf:gov-09", + "id_raw": "GOV-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 13, + "title": "Define Control Objectives", + "description": "Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system." + }, + { + "source": "scf", + "id": "scf:gov-10", + "id_raw": "GOV-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 14, + "title": "Data Governance", + "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations." + }, + { + "source": "scf", + "id": "scf:gov-11", + "id_raw": "GOV-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 15, + "title": "Purpose Validation", + "description": "Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose." 
+ }, + { + "source": "scf", + "id": "scf:gov-12", + "id_raw": "GOV-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 16, + "title": "Forced Technology Transfer (FTT)", + "description": "Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee" + }, + { + "source": "scf", + "id": "scf:gov-13", + "id_raw": "GOV-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 17, + "title": "State-Sponsored Espionage", + "description": "Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. \n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee" + }, + { + "source": "scf", + "id": "scf:gov-14", + "id_raw": "GOV-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 18, + "title": "Business As Usual (BAU) Secure Practices", + "description": "Mechanisms exist to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices through executive leadership involvement." + }, + { + "source": "scf", + "id": "scf:gov-15", + "id_raw": "GOV-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 19, + "title": "Operationalizing Cybersecurity & Privacy Practices", + "description": "Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control." 
+ }, + { + "source": "scf", + "id": "scf:gov-15.1", + "id_raw": "GOV-15.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 20, + "title": "Select Controls", + "description": "Mechanisms exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control." + }, + { + "source": "scf", + "id": "scf:gov-15.2", + "id_raw": "GOV-15.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 21, + "title": "Implement Controls", + "description": "Mechanisms exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control." + }, + { + "source": "scf", + "id": "scf:gov-15.3", + "id_raw": "GOV-15.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 22, + "title": "Assess Controls", + "description": "Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended." + }, + { + "source": "scf", + "id": "scf:gov-15.4", + "id_raw": "GOV-15.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 23, + "title": "Authorize Systems, Applications & Services", + "description": "Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control." + }, + { + "source": "scf", + "id": "scf:gov-15.5", + "id_raw": "GOV-15.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 24, + "title": "Monitor Controls", + "description": "Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended." 
+ }, + { + "source": "scf", + "id": "scf:ast-01", + "id_raw": "AST-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 25, + "title": "Asset Governance ", + "description": "Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.\n\nMethods To Comply With SCF Controls:\n- Generally Accepted Accounting Principles (GAAP)\n- ITIL - Configuration Management Database (CMDB)\n- IT Asset Management (ITAM) program" + }, + { + "source": "scf", + "id": "scf:ast-01.1", + "id_raw": "AST-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 26, + "title": "Asset-Service Dependencies", + "description": "Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function. " + }, + { + "source": "scf", + "id": "scf:ast-01.2", + "id_raw": "AST-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 27, + "title": "Stakeholder Identification & Involvement", + "description": "Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets." + }, + { + "source": "scf", + "id": "scf:ast-01.3", + "id_raw": "AST-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 28, + "title": "Standardized Naming Convention", + "description": "Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts." 
+ }, + { + "source": "scf", + "id": "scf:ast-02", + "id_raw": "AST-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 29, + "title": "Asset Inventories ", + "description": "Mechanisms exist to perform inventories of technology assets that:\n\nMethods To Comply With SCF Controls:\n- ManageEngine AssetExplorer\n- LANDesk IT Asset Management Suite\n- ServiceNow (https://www.servicenow.com/)\n- Solarwinds (https://www.solarwinds.com/)\n- CrowdStrike\n- JAMF\n- ITIL - Configuration Management Database (CMDB)" + }, + { + "source": "scf", + "id": "scf:ast-02.1", + "id_raw": "AST-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 30, + "title": "Updates During Installations / Removals", + "description": "Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades. \n\nMethods To Comply With SCF Controls:\n- CrowdStrike\n- JAMF\n- ITIL - Configuration Management Database (CMDB)" + }, + { + "source": "scf", + "id": "scf:ast-02.2", + "id_raw": "AST-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 31, + "title": "Automated Unauthorized Component Detection", + "description": "Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- DHCP logging\n- Active discovery tools\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Vectra\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Microsoft SCCM\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:ast-02.3", + "id_raw": "AST-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 32, + "title": "Component Duplication Avoidance ", + "description": "Mechanisms exist to establish and maintain an authoritative source and repository 
to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.\n\nMethods To Comply With SCF Controls:\n- ITIL - Configuration Management Database (CMDB)\n- Manual or automated process" + }, + { + "source": "scf", + "id": "scf:ast-02.4", + "id_raw": "AST-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 33, + "title": "Approved Baseline Deviations", + "description": "Mechanisms exist to document and govern instances of approved deviations from established baseline configurations. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- SCCM\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Microsoft SCCM" + }, + { + "source": "scf", + "id": "scf:ast-02.5", + "id_raw": "AST-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 34, + "title": "Network Access Control (NAC)", + "description": "Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disable network access to those unauthorized devices.\n\nMethods To Comply With SCF Controls:\n- Cisco NAC\n- Aruba Networks\n- Juniper NAC\n- Packet Fence\n- Symantec NAC\n- Sophos NAC\n- Bradford Networks NAC Director\n- Cisco ISE\n- ForeScout" + }, + { + "source": "scf", + "id": "scf:ast-02.6", + "id_raw": "AST-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 35, + "title": "Dynamic Host Configuration Protocol (DHCP) Server Logging", + "description": "Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems. 
\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Manual Process\n- Build Automation Tools\n- NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" + }, + { + "source": "scf", + "id": "scf:ast-02.7", + "id_raw": "AST-02.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 36, + "title": "Software Licensing Restrictions", + "description": "Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.\n\nMethods To Comply With SCF Controls:\n- Manual Process\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" + }, + { + "source": "scf", + "id": "scf:ast-02.8", + "id_raw": "AST-02.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 37, + "title": "Data Action Mapping", + "description": "Mechanisms exist to create and maintain a map of technology assets where sensitive data is stored, transmitted or processed.\n\nMethods To Comply With SCF Controls:\n- Visio\n- LucidChart" + }, + { + "source": "scf", + "id": "scf:ast-02.9", + "id_raw": "AST-02.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 38, + "title": "Configuration Management Database (CMDB)", + "description": "Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.\n\nMethods To Comply With SCF Controls:\n- Configuration Management Database (CMDB)" + }, + { + "source": "scf", + "id": "scf:ast-02.10", + "id_raw": "AST-02.10", + "tier_raw": "Controls", + "tier": 1, + "seq": 39, + "title": "Automated Location", + "description": "Mechanisms exist to track the geographic location of system components." 
+ }, + { + "source": "scf", + "id": "scf:ast-02.11", + "id_raw": "AST-02.11", + "tier_raw": "Controls", + "tier": 1, + "seq": 40, + "title": "Component Assignment", + "description": "Mechanisms exist to bind components to a specific system." + }, + { + "source": "scf", + "id": "scf:ast-03", + "id_raw": "AST-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 41, + "title": "Asset Ownership Assignment", + "description": "Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection." + }, + { + "source": "scf", + "id": "scf:ast-03.1", + "id_raw": "AST-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 42, + "title": "Accountability Information", + "description": "Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process." + }, + { + "source": "scf", + "id": "scf:ast-03.2", + "id_raw": "AST-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 43, + "title": "Provenance", + "description": "Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data." 
+ }, + { + "source": "scf", + "id": "scf:ast-04", + "id_raw": "AST-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 44, + "title": "Network Diagrams & Data Flow Diagrams (DFDs)", + "description": "Mechanisms exist to maintain network architecture diagrams that: \n\nMethods To Comply With SCF Controls:\n- High-Level Diagram (HLD)\n- Low-Level Diagram (LLD)\n- Data Flow Diagram (DFD)\n- Solarwinds (https://www.solarwinds.com/)\n- Paessler\n- PRTG" + }, + { + "source": "scf", + "id": "scf:ast-04.1", + "id_raw": "AST-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 45, + "title": "Asset Scope Classification", + "description": "Mechanisms exist to determine cybersecurity and privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties)." + }, + { + "source": "scf", + "id": "scf:ast-04.2", + "id_raw": "AST-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 46, + "title": "Control Applicability Boundary Graphical Representation", + "description": "Mechanisms exist to ensure control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries." + }, + { + "source": "scf", + "id": "scf:ast-04.3", + "id_raw": "AST-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 47, + "title": "Compliance-Specific Asset Identification", + "description": "Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization." 
+ }, + { + "source": "scf", + "id": "scf:ast-05", + "id_raw": "AST-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 48, + "title": "Security of Assets & Media", + "description": "Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media. \n\nMethods To Comply With SCF Controls:\n- ITIL - Configuration Management Database (CMDB)\n- Definitive Software Library (DSL)" + }, + { + "source": "scf", + "id": "scf:ast-05.1", + "id_raw": "AST-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 49, + "title": "Management Approval For External Media Transfer", + "description": "Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities." + }, + { + "source": "scf", + "id": "scf:ast-06", + "id_raw": "AST-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 50, + "title": "Unattended End-User Equipment ", + "description": "Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Lockable casings\n- Tamper detection tape\n- Full Disk Encryption (FDE) \n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:ast-06.1", + "id_raw": "AST-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 51, + "title": "Asset Storage In Automobiles", + "description": "Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle.\n\nMethods To Comply With SCF Controls:\n- Security awareness training\n- Gamification" + }, + { + "source": "scf", + "id": "scf:ast-07", + "id_raw": "AST-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 52, + "title": "Kiosks & Point of Interaction 
(PoI) Devices", + "description": "Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Lockable casings\n- Tamper detection tape\n- Chip & PIN" + }, + { + "source": "scf", + "id": "scf:ast-08", + "id_raw": "AST-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 53, + "title": "Tamper Detection", + "description": "Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).\n\nMethods To Comply With SCF Controls:\n- \"Burner\" phones & laptops\n- Tamper tape" + }, + { + "source": "scf", + "id": "scf:ast-09", + "id_raw": "AST-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 54, + "title": "Secure Disposal, Destruction or Re-Use of Equipment ", + "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.\n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain\n- sdelete (sysinternals)\n- Bootnukem" + }, + { + "source": "scf", + "id": "scf:ast-10", + "id_raw": "AST-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 55, + "title": "Return of Assets ", + "description": "Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.\n\nMethods To Comply With SCF Controls:\n- Termination checklist\n- Manual Process\n- Native OS and Device Asset Tracking capabilities" + }, + { + "source": "scf", + "id": "scf:ast-11", + "id_raw": "AST-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 56, + "title": "Removal of Assets ", + "description": "Mechanisms exist to authorize, control and track technology assets entering and 
exiting organizational facilities. \n\nMethods To Comply With SCF Controls:\n- RFID asset tagging\n- RFID proximity sensors at access points\n- Asset management software" + }, + { + "source": "scf", + "id": "scf:ast-12", + "id_raw": "AST-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 57, + "title": "Use of Personal Devices", + "description": "Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.\n\nMethods To Comply With SCF Controls:\n- BYOD policy" + }, + { + "source": "scf", + "id": "scf:ast-13", + "id_raw": "AST-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 58, + "title": "Use of Third-Party Devices", + "description": "Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.\n\nMethods To Comply With SCF Controls:\n- NAC\n- Separate SSIDs for wireless networks\n- SIEM monitoring/alerting\n- Manual process to disable network all unused ports\n- Network Access Control (NAC)\n- Mobile Device Management (MDM) software\n- Data Loss Prevention (DLP)" + }, + { + "source": "scf", + "id": "scf:ast-14", + "id_raw": "AST-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 59, + "title": "Usage Parameters", + "description": "Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:ast-14.1", + "id_raw": "AST-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 60, + "title": "Bluetooth & Wireless Devices", + "description": "Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building." + }, + { + "source": "scf", + "id": "scf:ast-14.2", + "id_raw": "AST-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 61, + "title": "Infrared Communications", + "description": "Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space." + }, + { + "source": "scf", + "id": "scf:ast-15", + "id_raw": "AST-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 62, + "title": "Tamper Protection", + "description": "Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Tamper detection tape\n- File Integrity Monitoring (FIM)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" + }, + { + "source": "scf", + "id": "scf:ast-15.1", + "id_raw": "AST-15.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 63, + "title": "Inspection of Systems, Components & Devices ", + "description": "Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Tamper detection tape\n- File Integrity Monitoring (FIM)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)" + }, + { + "source": "scf", + "id": "scf:ast-16", + "id_raw": "AST-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 64, + "title": "Bring Your Own Device (BYOD) Usage ", + "description": "Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.\n\nMethods To Comply With SCF Controls:\n- AirWatch\n- SCCM\n- Casper\n- BYOD policy" + }, + { + "source": "scf", + "id": "scf:ast-17", + "id_raw": "AST-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 65, + "title": "Prohibited Equipment & Services", + "description": "Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body." + }, + { + "source": "scf", + "id": "scf:ast-18", + "id_raw": "AST-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 66, + "title": "Roots of Trust Protection", + "description": "Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification." + }, + { + "source": "scf", + "id": "scf:ast-19", + "id_raw": "AST-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 67, + "title": "Telecommunications Equipment", + "description": "Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping." 
+ }, + { + "source": "scf", + "id": "scf:ast-20", + "id_raw": "AST-20", + "tier_raw": "Controls", + "tier": 1, + "seq": 68, + "title": "Video Teleconference (VTC) Security", + "description": "Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping." + }, + { + "source": "scf", + "id": "scf:ast-21", + "id_raw": "AST-21", + "tier_raw": "Controls", + "tier": 1, + "seq": 69, + "title": "Voice Over Internet Protocol (VoIP) Security", + "description": "Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks." + }, + { + "source": "scf", + "id": "scf:ast-22", + "id_raw": "AST-22", + "tier_raw": "Controls", + "tier": 1, + "seq": 70, + "title": "Microphones & Web Cameras", + "description": "Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed." + }, + { + "source": "scf", + "id": "scf:ast-23", + "id_raw": "AST-23", + "tier_raw": "Controls", + "tier": 1, + "seq": 71, + "title": "Multi-Function Devices (MFD)", + "description": "Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device." + }, + { + "source": "scf", + "id": "scf:ast-24", + "id_raw": "AST-24", + "tier_raw": "Controls", + "tier": 1, + "seq": 72, + "title": "Travel-Only Devices", + "description": "Mechanisms exist to issue personnel travelling overseas with temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies." 
+ }, + { + "source": "scf", + "id": "scf:ast-25", + "id_raw": "AST-25", + "tier_raw": "Controls", + "tier": 1, + "seq": 73, + "title": "Re-Imaging Devices After Travel", + "description": "Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies." + }, + { + "source": "scf", + "id": "scf:ast-26", + "id_raw": "AST-26", + "tier_raw": "Controls", + "tier": 1, + "seq": 74, + "title": "System Administrative Processes", + "description": "Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services." + }, + { + "source": "scf", + "id": "scf:ast-27", + "id_raw": "AST-27", + "tier_raw": "Controls", + "tier": 1, + "seq": 75, + "title": "Jump Server", + "description": "Mechanisms exist to conduct remote system administrative functions via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations." + }, + { + "source": "scf", + "id": "scf:ast-28", + "id_raw": "AST-28", + "tier_raw": "Controls", + "tier": 1, + "seq": 76, + "title": "Database Administrative Processes", + "description": "Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases." + }, + { + "source": "scf", + "id": "scf:ast-28.1", + "id_raw": "AST-28.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 77, + "title": "Database Management System (DBMS)", + "description": "Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable." 
+ }, + { + "source": "scf", + "id": "scf:ast-29", + "id_raw": "AST-29", + "tier_raw": "Controls", + "tier": 1, + "seq": 78, + "title": "Radio Frequency Identification (RFID) Security", + "description": "Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces." + }, + { + "source": "scf", + "id": "scf:ast-29.1", + "id_raw": "AST-29.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 79, + "title": "Contactless Access Control Systems", + "description": "Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces." + }, + { + "source": "scf", + "id": "scf:ast-30", + "id_raw": "AST-30", + "tier_raw": "Controls", + "tier": 1, + "seq": 80, + "title": "Decommissioning", + "description": "Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." 
+ }, + { + "source": "scf", + "id": "scf:bcd-01", + "id_raw": "BCD-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 81, + "title": "Business Continuity Management System (BCMS)", + "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)\n- Business Impact Analysis (BIA)\n- Criticality assessments" + }, + { + "source": "scf", + "id": "scf:bcd-01.1", + "id_raw": "BCD-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 82, + "title": "Coordinate with Related Plans ", + "description": "Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans. \n\nMethods To Comply With SCF Controls:\n- Cybersecurity Incident Response Plan (IIRP)" + }, + { + "source": "scf", + "id": "scf:bcd-01.2", + "id_raw": "BCD-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 83, + "title": "Coordinate With External Service Providers", + "description": "Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-01.3", + "id_raw": "BCD-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 84, + "title": "Transfer to Alternate Processing / Storage Site", + "description": "Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan." 
+ }, + { + "source": "scf", + "id": "scf:bcd-01.4", + "id_raw": "BCD-01.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 85, + "title": "Recovery Time / Point Objectives (RTO / RPO)", + "description": "Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)." + }, + { + "source": "scf", + "id": "scf:bcd-02", + "id_raw": "BCD-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 86, + "title": "Identify Critical Assets ", + "description": "Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.\n\nMethods To Comply With SCF Controls:\n- Business Impact Analysis (BIA)\n- Criticality assessments" + }, + { + "source": "scf", + "id": "scf:bcd-02.1", + "id_raw": "BCD-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 87, + "title": "Resume All Missions & Business Functions", + "description": "Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.\n\nMethods To Comply With SCF Controls:\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)\n- Disaster recovery software" + }, + { + "source": "scf", + "id": "scf:bcd-02.2", + "id_raw": "BCD-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 88, + "title": "Continue Essential Mission & Business Functions", + "description": "Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.\n\nMethods To Comply With SCF Controls:\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-02.3", + "id_raw": "BCD-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 89, + "title": "Resume Essential Missions & Business Functions ", + 
"description": "Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation. \n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-02.4", + "id_raw": "BCD-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 90, + "title": "Data Storage Location Reviews", + "description": "Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data." + }, + { + "source": "scf", + "id": "scf:bcd-03", + "id_raw": "BCD-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 91, + "title": "Contingency Training", + "description": "Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities. \n\nMethods To Comply With SCF Controls:\n- NIST NICE Framework\n- Tabletop exercises" + }, + { + "source": "scf", + "id": "scf:bcd-03.1", + "id_raw": "BCD-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 92, + "title": "Simulated Events", + "description": "Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.\n\nMethods To Comply With SCF Controls:\n- Tabletop exercises" + }, + { + "source": "scf", + "id": "scf:bcd-03.2", + "id_raw": "BCD-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 93, + "title": "Automated Training Environments", + "description": "Automated mechanisms exist to provide a more thorough and realistic contingency training environment." 
+ }, + { + "source": "scf", + "id": "scf:bcd-04", + "id_raw": "BCD-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 94, + "title": "Contingency Plan Testing & Exercises ", + "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan. \n\nMethods To Comply With SCF Controls:\n- Simulated disasters / emergencies" + }, + { + "source": "scf", + "id": "scf:bcd-04.1", + "id_raw": "BCD-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 95, + "title": "Coordinated Testing with Related Plans ", + "description": "Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans. \n\nMethods To Comply With SCF Controls:\n- Playbooks\n- Enterprise-wide Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-04.2", + "id_raw": "BCD-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 96, + "title": "Alternate Storage & Processing Sites", + "description": "Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations. 
" + }, + { + "source": "scf", + "id": "scf:bcd-05", + "id_raw": "BCD-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 97, + "title": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned", + "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)\n- Disaster Recovery Plan (DRP)\n- Business Continuity Plan (BCP)\n- Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-06", + "id_raw": "BCD-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 98, + "title": "Contingency Planning & Updates", + "description": "Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.\n\nMethods To Comply With SCF Controls:\n- Offline / offsite documentation" + }, + { + "source": "scf", + "id": "scf:bcd-07", + "id_raw": "BCD-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 99, + "title": "Alternative Security Measures ", + "description": "Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised. \n\nMethods To Comply With SCF Controls:\n- Business Impact Analysis (BIA)\n- Criticality assessments" + }, + { + "source": "scf", + "id": "scf:bcd-08", + "id_raw": "BCD-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 100, + "title": "Alternate Storage Site", + "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information. 
\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure" + }, + { + "source": "scf", + "id": "scf:bcd-08.1", + "id_raw": "BCD-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 101, + "title": "Separation from Primary Site ", + "description": "Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure" + }, + { + "source": "scf", + "id": "scf:bcd-08.2", + "id_raw": "BCD-08.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 102, + "title": "Accessibility ", + "description": "Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure" + }, + { + "source": "scf", + "id": "scf:bcd-09", + "id_raw": "BCD-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 103, + "title": "Alternate Processing Site", + "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure" + }, + { + "source": "scf", + "id": "scf:bcd-09.1", + "id_raw": "BCD-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 104, + "title": "Separation from Primary Site", + "description": "Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure" + }, + { + "source": "scf", + "id": "scf:bcd-09.2", + "id_raw": "BCD-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 105, + "title": "Accessibility", + "description": "Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or 
disaster.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Continuity of Operations Plan (COOP)" + }, + { + "source": "scf", + "id": "scf:bcd-09.3", + "id_raw": "BCD-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 106, + "title": "Alternate Site Priority of Service", + "description": "Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs). \n\nMethods To Comply With SCF Controls:\n- Hot / warm / cold site contracts" + }, + { + "source": "scf", + "id": "scf:bcd-09.4", + "id_raw": "BCD-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 107, + "title": "Preparation for Use", + "description": "Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site." + }, + { + "source": "scf", + "id": "scf:bcd-09.5", + "id_raw": "BCD-09.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 108, + "title": "Inability to Return to Primary Site", + "description": "Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site." 
+ }, + { + "source": "scf", + "id": "scf:bcd-10", + "id_raw": "BCD-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 109, + "title": "Telecommunications Services Availability", + "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.\n\nMethods To Comply With SCF Controls:\n- Alternate telecommunications services are maintained with multiple ISP / network providers" + }, + { + "source": "scf", + "id": "scf:bcd-10.1", + "id_raw": "BCD-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 110, + "title": "Telecommunications Priority of Service Provisions", + "description": "Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs). \n\nMethods To Comply With SCF Controls:\n- Hot / warm / cold site contracts" + }, + { + "source": "scf", + "id": "scf:bcd-10.2", + "id_raw": "BCD-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 111, + "title": "Separation of Primary / Alternate Providers", + "description": "Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. " + }, + { + "source": "scf", + "id": "scf:bcd-10.3", + "id_raw": "BCD-10.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 112, + "title": "Provider Continency Plan ", + "description": "Mechanisms exist to contractually-require telecommunications service providers to have contingency plans that meet organizational contingency requirements." 
+ }, + { + "source": "scf", + "id": "scf:bcd-10.4", + "id_raw": "BCD-10.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 113, + "title": "Alternate Communications Paths", + "description": "Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable." + }, + { + "source": "scf", + "id": "scf:bcd-11", + "id_raw": "BCD-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 114, + "title": "Data Backups", + "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).\n\nMethods To Comply With SCF Controls:\n- Backup technologies & procedures\n- Offline storage" + }, + { + "source": "scf", + "id": "scf:bcd-11.1", + "id_raw": "BCD-11.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 115, + "title": "Testing for Reliability & Integrity ", + "description": "Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as well as the integrity and availability of the data. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:bcd-11.2", + "id_raw": "BCD-11.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 116, + "title": "Separate Storage for Critical Information ", + "description": "Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.\n\nMethods To Comply With SCF Controls:\n- IronMountain" + }, + { + "source": "scf", + "id": "scf:bcd-11.3", + "id_raw": "BCD-11.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 117, + "title": "Information System Imaging", + "description": "Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Acronis\n- Docker (https://www.docker.com/)\n- VMWare" + }, + { + "source": "scf", + "id": "scf:bcd-11.4", + "id_raw": "BCD-11.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 118, + "title": "Cryptographic Protection", + "description": "Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.\n\nMethods To Comply With SCF Controls:\n- Backup technologies & procedures" + }, + { + "source": "scf", + "id": "scf:bcd-11.5", + "id_raw": "BCD-11.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 119, + "title": "Test Restoration Using Sampling", + "description": "Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing. 
" + }, + { + "source": "scf", + "id": "scf:bcd-11.6", + "id_raw": "BCD-11.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 120, + "title": "Transfer to Alternate Storage Site", + "description": "Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)." + }, + { + "source": "scf", + "id": "scf:bcd-11.7", + "id_raw": "BCD-11.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 121, + "title": "Redundant Secondary System", + "description": "Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations." + }, + { + "source": "scf", + "id": "scf:bcd-11.8", + "id_raw": "BCD-11.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 122, + "title": "Dual Authorization For Backup Media Destruction", + "description": "Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data." + }, + { + "source": "scf", + "id": "scf:bcd-12", + "id_raw": "BCD-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 123, + "title": "Information System Recovery & Reconstitution", + "description": "Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:bcd-12.1", + "id_raw": "BCD-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 124, + "title": "Transaction Recovery", + "description": "Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs)." 
+ }, + { + "source": "scf", + "id": "scf:bcd-12.2", + "id_raw": "BCD-12.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 125, + "title": "Failover Capability", + "description": "Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.\n\nMethods To Comply With SCF Controls:\n- Load balancers\n- High Availability (HA) firewalls" + }, + { + "source": "scf", + "id": "scf:bcd-12.3", + "id_raw": "BCD-12.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 126, + "title": "Electronic Discovery (eDiscovery)", + "description": "Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions." + }, + { + "source": "scf", + "id": "scf:bcd-12.4", + "id_raw": "BCD-12.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 127, + "title": "Restore Within Time Period", + "description": "Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:bcd-13", + "id_raw": "BCD-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 128, + "title": "Backup & Restoration Hardware Protection ", + "description": "Mechanisms exist to protect backup and restoration hardware and software." + }, + { + "source": "scf", + "id": "scf:bcd-14", + "id_raw": "BCD-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 129, + "title": "Isolated Recovery Environment", + "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities." 
+ }, + { + "source": "scf", + "id": "scf:bcd-15", + "id_raw": "BCD-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 130, + "title": "Reserve Hardware", + "description": "Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption." + }, + { + "source": "scf", + "id": "scf:cap-01", + "id_raw": "CAP-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 131, + "title": "Capacity & Performance Management ", + "description": "Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Resource monitoring" + }, + { + "source": "scf", + "id": "scf:cap-02", + "id_raw": "CAP-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 132, + "title": "Resource Priority", + "description": "Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Resource monitoring" + }, + { + "source": "scf", + "id": "scf:cap-03", + "id_raw": "CAP-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 133, + "title": "Capacity Planning ", + "description": "Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations. " + }, + { + "source": "scf", + "id": "scf:cap-04", + "id_raw": "CAP-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 134, + "title": "Performance Monitoring", + "description": "Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services." 
+ }, + { + "source": "scf", + "id": "scf:chg-01", + "id_raw": "CHG-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 135, + "title": "Change Management Program ", + "description": "Mechanisms exist to facilitate the implementation of a change management program.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- ServiceNow (https://www.servicenow.com/)\n- Remedy\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)" + }, + { + "source": "scf", + "id": "scf:chg-02", + "id_raw": "CHG-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 136, + "title": "Configuration Change Control ", + "description": "Mechanisms exist to govern the technical configuration change control processes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Change Control Board (CCB)\n- Configuration Management Database (CMDB)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) Enterprise\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)\n- Solarwinds (https://www.solarwinds.com/)\n- Docker (https://www.docker.com/)\n- VisibleOps methodology \n- ITIL infrastructure library" + }, + { + "source": "scf", + "id": "scf:chg-02.1", + "id_raw": "CHG-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 137, + "title": "Prohibition Of Changes", + "description": "Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- Manual processes/workflows\n- Application whitelisting" + }, + { + "source": 
"scf", + "id": "scf:chg-02.2", + "id_raw": "CHG-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 138, + "title": "Test, Validate & Document Changes ", + "description": "Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- VMware\n- Docker (https://www.docker.com/)" + }, + { + "source": "scf", + "id": "scf:chg-02.3", + "id_raw": "CHG-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 139, + "title": "Security & Privacy Representative for Asset Lifecycle Changes", + "description": "Mechanisms exist to include a cybersecurity and/or privacy representative in the configuration change control review process.\n\nMethods To Comply With SCF Controls:\n- Change Control Board (CCB)\n- Change Advisory Board (CAB)\n- VisibleOps methodology \n- ITIL infrastructure library" + }, + { + "source": "scf", + "id": "scf:chg-02.4", + "id_raw": "CHG-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 140, + "title": "Automated Security Response", + "description": "Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:chg-02.5", + "id_raw": "CHG-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 141, + "title": "Cryptographic Management", + "description": "Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes. 
" + }, + { + "source": "scf", + "id": "scf:chg-03", + "id_raw": "CHG-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 142, + "title": "Security Impact Analysis for Changes ", + "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.\n\nMethods To Comply With SCF Controls:\n- VisibleOps methodology \n- ITIL infrastructure library\n- Change management software" + }, + { + "source": "scf", + "id": "scf:chg-04", + "id_raw": "CHG-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 143, + "title": "Access Restriction For Change", + "description": "Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- Role-based permissions\n- Mandatory Access Control (MAC)\n- Application whitelisting" + }, + { + "source": "scf", + "id": "scf:chg-04.1", + "id_raw": "CHG-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 144, + "title": "Automated Access Enforcement / Auditing ", + "description": "Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Manual review processes\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)" + }, + { + "source": "scf", + "id": "scf:chg-04.2", + "id_raw": "CHG-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 145, + "title": "Signed Components ", + "description": "Mechanisms exist to prevent the installation of software and firmware 
components without verification that the component has been digitally signed using an organization-approved certificate authority.\n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)\n- Patch management tools\n- OS configuration standards" + }, + { + "source": "scf", + "id": "scf:chg-04.3", + "id_raw": "CHG-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 146, + "title": "Dual Authorization for Change", + "description": "Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.\n\nMethods To Comply With SCF Controls:\n- Separation of Duties (SoD)" + }, + { + "source": "scf", + "id": "scf:chg-04.4", + "id_raw": "CHG-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 147, + "title": "Limit Production / Operational Privileges (Incompatible Roles)", + "description": "Mechanisms exist to limit operational privileges for implementing changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Separation of Duties (SoD)\n- Privileged Account Management (PAM)" + }, + { + "source": "scf", + "id": "scf:chg-04.5", + "id_raw": "CHG-04.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 148, + "title": "Library Privileges", + "description": "Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access. \n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)" + }, + { + "source": "scf", + "id": "scf:chg-05", + "id_raw": "CHG-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 149, + "title": "Stakeholder Notification of Changes ", + "description": "Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes. 
\n\nMethods To Comply With SCF Controls:\n- Change management procedures\n- VisibleOps methodology \n- ITIL infrastructure library" + }, + { + "source": "scf", + "id": "scf:chg-06", + "id_raw": "CHG-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 150, + "title": "Security Functionality Verification", + "description": "Mechanisms exist to verify the functionality of security controls when anomalies are discovered.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)" + }, + { + "source": "scf", + "id": "scf:chg-06.1", + "id_raw": "CHG-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 151, + "title": "Report Verification Results", + "description": "Mechanisms exist to report the results of security and privacy function verification to appropriate organizational management.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cld-01", + "id_raw": "CLD-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 152, + "title": "Cloud Services", + "description": "Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:cld-01.1", + "id_raw": "CLD-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 153, + "title": "Cloud Infrastructure Onboarding", + "description": "Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." 
+ }, + { + "source": "scf", + "id": "scf:cld-01.2", + "id_raw": "CLD-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 154, + "title": "Cloud Infrastructure Offboarding", + "description": "Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations." + }, + { + "source": "scf", + "id": "scf:cld-02", + "id_raw": "CLD-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 155, + "title": "Cloud Security Architecture ", + "description": "Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments. \n\nMethods To Comply With SCF Controls:\n- Architectural review board\n- System Security Plan (SSP)\n- Security architecture roadmaps" + }, + { + "source": "scf", + "id": "scf:cld-03", + "id_raw": "CLD-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 156, + "title": "Cloud Infrastructure Security Subnet", + "description": "Mechanisms exist to host security-specific technologies in a dedicated subnet.\n\nMethods To Comply With SCF Controls:\n- Security management subnet" + }, + { + "source": "scf", + "id": "scf:cld-04", + "id_raw": "CLD-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 157, + "title": "Application & Program Interface (API) Security ", + "description": "Mechanisms exist to ensure support for secure interoperability between components.\n\nMethods To Comply With SCF Controls:\n- Use only open and published APIs" + }, + { + "source": "scf", + "id": "scf:cld-05", + "id_raw": "CLD-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 158, + "title": "Virtual Machine Images ", + "description": "Mechanisms exist to ensure the integrity of virtual machine images at all times. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Docker (https://www.docker.com/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cld-06", + "id_raw": "CLD-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 159, + "title": "Multi-Tenant Environments ", + "description": "Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.\n\nMethods To Comply With SCF Controls:\n- Security architecture review\n- Defined processes to segment at the network, application, databases layers" + }, + { + "source": "scf", + "id": "scf:cld-06.1", + "id_raw": "CLD-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 160, + "title": "Customer Responsibility Matrix (CRM)", + "description": "Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.\n\nMethods To Comply With SCF Controls:\n- Customer Responsibility Matrix (CRM)\n- Shared Responsibility Matrix (SRM)\n- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix" + }, + { + "source": "scf", + "id": "scf:cld-06.2", + "id_raw": "CLD-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 161, + "title": "Multi-Tenant Event Logging Capabilities", + "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations." 
+ }, + { + "source": "scf", + "id": "scf:cld-06.3", + "id_raw": "CLD-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 162, + "title": "Multi-Tenant Forensics Capabilities", + "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident." + }, + { + "source": "scf", + "id": "scf:cld-06.4", + "id_raw": "CLD-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 163, + "title": "Multi-Tenant Incident Response Capabilities", + "description": "Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers." + }, + { + "source": "scf", + "id": "scf:cld-07", + "id_raw": "CLD-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 164, + "title": "Data Handling & Portability", + "description": "Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Security architecture review\n- Encrypted data transfers (e.g. 
TLS or VPNs)" + }, + { + "source": "scf", + "id": "scf:cld-08", + "id_raw": "CLD-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 165, + "title": "Standardized Virtualization Formats ", + "description": "Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Data Protection Impact Assessment (DPIA)\n- Manual review process\n- Vendor risk assessments\n- Independent vendor compliance assessments " + }, + { + "source": "scf", + "id": "scf:cld-09", + "id_raw": "CLD-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 166, + "title": "Geolocation Requirements for Processing, Storage and Service Locations", + "description": "Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n" + }, + { + "source": "scf", + "id": "scf:cld-10", + "id_raw": "CLD-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 167, + "title": "Sensitive Data In Public Cloud Providers", + "description": "Mechanisms exist to limit and manage the storage of sensitive data in public cloud providers. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Security and network architecture diagrams\n- Data Flow Diagram (DFD)" + }, + { + "source": "scf", + "id": "scf:cld-11", + "id_raw": "CLD-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 168, + "title": "Cloud Access Point (CAP)", + "description": "Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.\n\nMethods To Comply With SCF Controls:\n- Next Generation Firewall (NGF)\n- Web Application Firewall (WAF)\n- Network Routing / Switching\n- Intrusion Detection / Protection (IDS / IPS)\n- Data Loss Prevention (DLP)\n- Full Packet Capture" + }, + { + "source": "scf", + "id": "scf:cld-12", + "id_raw": "CLD-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 169, + "title": "Side Channel Attack Prevention", + "description": "Mechanisms exist to prevent \"side channel attacks\" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network." 
+ }, + { + "source": "scf", + "id": "scf:cpl-01", + "id_raw": "CPL-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 170, + "title": "Statutory, Regulatory & Contractual Compliance ", + "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee" + }, + { + "source": "scf", + "id": "scf:cpl-01.1", + "id_raw": "CPL-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 171, + "title": "Non-Compliance Oversight", + "description": "Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions." + }, + { + "source": "scf", + "id": "scf:cpl-01.2", + "id_raw": "CPL-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 172, + "title": "Compliance Scope", + "description": "Mechanisms exist to document and validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations." 
+ }, + { + "source": "scf", + "id": "scf:cpl-02", + "id_raw": "CPL-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 173, + "title": "Security & Privacy Controls Oversight ", + "description": "Mechanisms exist to provide a security & privacy controls oversight function that reports to the organization's executive leadership.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee\n- Formalized SDLC program\n- Formalized DevOps program\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)" + }, + { + "source": "scf", + "id": "scf:cpl-02.1", + "id_raw": "CPL-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 174, + "title": "Internal Audit Function", + "description": "Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes." 
+ }, + { + "source": "scf", + "id": "scf:cpl-03", + "id_raw": "CPL-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 175, + "title": "Security Assessments ", + "description": "Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)" + }, + { + "source": "scf", + "id": "scf:cpl-03.1", + "id_raw": "CPL-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 176, + "title": "Independent Assessors ", + "description": "Mechanisms exist to utilize independent assessors to evaluate security & privacy controls at planned intervals or when the system, service or project undergoes significant changes.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)" + }, + { + "source": "scf", + "id": "scf:cpl-03.2", + "id_raw": "CPL-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 177, + "title": "Functional Review Of Security Controls ", + "description": "Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity and privacy policies and standards. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Internal audit program\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Operational review processes\n- Regular/yearly policy and standards review process\n- Governance, Risk and Compliance Solution (GRC) (ZenGRC, Archer, RSAM, Metric stream, etc.)" + }, + { + "source": "scf", + "id": "scf:cpl-04", + "id_raw": "CPL-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 178, + "title": "Audit Activities ", + "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.\n\nMethods To Comply With SCF Controls:\n- Internal audit program" + }, + { + "source": "scf", + "id": "scf:cpl-05", + "id_raw": "CPL-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 179, + "title": "Legal Assessment of Investigative Inquires", + "description": "Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary." + }, + { + "source": "scf", + "id": "scf:cpl-05.1", + "id_raw": "CPL-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 180, + "title": "Investigation Request Notifications", + "description": "Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution)." 
+ }, + { + "source": "scf", + "id": "scf:cpl-05.2", + "id_raw": "CPL-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 181, + "title": "Investigation Access Restrictions", + "description": "Mechanisms exist to support official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the data and systems needed to perform the investigation." + }, + { + "source": "scf", + "id": "scf:cpl-06", + "id_raw": "CPL-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 182, + "title": "Government Surveillance", + "description": "Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee" + }, + { + "source": "scf", + "id": "scf:cfg-01", + "id_raw": "CFG-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 183, + "title": "Configuration Management Program", + "description": "Mechanisms exist to facilitate the implementation of configuration management controls.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Configuration Management Database (CMDB)\n- Baseline hardening standards\n- Formalized DevOps program\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)" + }, + { + "source": "scf", + "id": "scf:cfg-01.1", + "id_raw": "CFG-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 184, + "title": "Assignment of Responsibility", + "description": "Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite 
(https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:cfg-02", + "id_raw": "CFG-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 185, + "title": "System Hardening Through Baseline Configurations ", + "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for technology platform that are consistent with industry-accepted system hardening standards. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n- Center for Internet Security (CIS) Benchmarks\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.1", + "id_raw": "CFG-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 186, + "title": "Reviews & Updates", + "description": "Mechanisms exist to review and update baseline configurations:\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n- Center for Internet Security (CIS) Benchmarks\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.2", + "id_raw": "CFG-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 187, + "title": "Automated Central Management & Verification ", + "description": "Automated mechanisms exist to govern and report on baseline configurations of the systems. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.3", + "id_raw": "CFG-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 188, + "title": "Retention Of Previous Configurations ", + "description": "Mechanisms exist to retain previous versions of baseline configuration to support roll back. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.4", + "id_raw": "CFG-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 189, + "title": "Development & Test Environment Configurations", + "description": "Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.5", + "id_raw": "CFG-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 190, + "title": "Configure Systems, Components or Services for High-Risk Areas ", + "description": "Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.6", + "id_raw": "CFG-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 191, + "title": "Network Device Configuration File Synchronization", + "description": "Mechanisms exist to configure network devices to synchronize startup and running configuration files. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.7", + "id_raw": "CFG-02.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 192, + "title": "Approved Configuration Deviations ", + "description": "Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.8", + "id_raw": "CFG-02.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 193, + "title": "Respond To Unauthorized Changes ", + "description": "Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Service Level Agreements (SLAs)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-02.9", + "id_raw": "CFG-02.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 194, + "title": "Baseline Tailoring", + "description": "Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to:\n\nMethods To Comply With SCF Controls:\n- DISA STIGs\n- CIS Benchmarks" + }, + { + "source": "scf", + "id": "scf:cfg-03", + "id_raw": "CFG-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 195, + "title": "Least Functionality", + "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-03.1", + "id_raw": "CFG-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 196, + "title": "Periodic Review", + "description": "Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-03.2", + "id_raw": "CFG-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 197, + "title": "Prevent Unauthorized Software Execution", + "description": "Mechanisms exist to configure systems to prevent the execution of unauthorized software programs. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-03.3", + "id_raw": "CFG-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 198, + "title": "Unauthorized or Authorized Software (Blacklisting or Whitelisting)", + "description": "Mechanisms exist to whitelist or blacklist applications in an order to limit what is authorized to execute on systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-03.4", + "id_raw": "CFG-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 199, + "title": "Split Tunneling", + "description": "Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data." 
+ }, + { + "source": "scf", + "id": "scf:cfg-04", + "id_raw": "CFG-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 200, + "title": "Software Usage Restrictions ", + "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws." + }, + { + "source": "scf", + "id": "scf:cfg-04.1", + "id_raw": "CFG-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 201, + "title": "Open Source Software", + "description": "Mechanisms exist to establish parameters for the secure use of open source software. \n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)" + }, + { + "source": "scf", + "id": "scf:cfg-04.2", + "id_raw": "CFG-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 202, + "title": "Unsupported Internet Browsers & Email Clients ", + "description": "Mechanisms exist to allow only approved Internet browsers and email clients to run on systems." + }, + { + "source": "scf", + "id": "scf:cfg-05", + "id_raw": "CFG-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 203, + "title": "User-Installed Software", + "description": "Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.\n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)" + }, + { + "source": "scf", + "id": "scf:cfg-05.1", + "id_raw": "CFG-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 204, + "title": "Unauthorized Installation Alerts", + "description": "Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:cfg-05.2", + "id_raw": "CFG-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 205, + "title": "Restrict Roles Permitted To Install Software", + "description": "Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service." + }, + { + "source": "scf", + "id": "scf:cfg-06", + "id_raw": "CFG-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 206, + "title": "Configuration Enforcement", + "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices." + }, + { + "source": "scf", + "id": "scf:cfg-07", + "id_raw": "CFG-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 207, + "title": "Zero-Touch Provisioning (ZTP)", + "description": "Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network." + }, + { + "source": "scf", + "id": "scf:cfg-08", + "id_raw": "CFG-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 208, + "title": "Sensitive / Regulated Data Access Enforcement", + "description": "Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data." + }, + { + "source": "scf", + "id": "scf:cfg-08.1", + "id_raw": "CFG-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 209, + "title": "Sensitive / Regulated Data Actions", + "description": "Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived." 
+ }, + { + "source": "scf", + "id": "scf:mon-01", + "id_raw": "MON-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 210, + "title": "Continuous Monitoring", + "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.1", + "id_raw": "MON-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 211, + "title": "Intrusion Detection & Prevention Systems (IDS & IPS)", + "description": "Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.2", + "id_raw": "MON-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 212, + "title": "Automated Tools for Real-Time Analysis ", + "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.3", + "id_raw": "MON-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 213, + "title": "Inbound & Outbound Communications Traffic ", + "description": "Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.4", + "id_raw": "MON-01.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 214, + "title": "System Generated Alerts ", + "description": "Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.5", + "id_raw": "MON-01.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 215, + "title": "Wireless Intrusion Detection System (WIDS)", + "description": "Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.6", + "id_raw": "MON-01.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 216, + "title": "Host-Based Devices ", + "description": "Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.7", + "id_raw": "MON-01.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 217, + "title": "File Integrity Monitoring (FIM)", + "description": "Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.8", + "id_raw": "MON-01.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 218, + "title": "Reviews & Updates ", + "description": "Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-01.9", + "id_raw": "MON-01.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 219, + "title": "Proxy Logging ", + "description": "Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.10", + "id_raw": "MON-01.10", + "tier_raw": "Controls", + "tier": 1, + "seq": 220, + "title": "Deactivated Account Activity ", + "description": "Mechanisms exist to monitor deactivated accounts for attempted usage.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-01.11", + "id_raw": "MON-01.11", + "tier_raw": "Controls", + "tier": 1, + "seq": 221, + "title": "Automated Response to Suspicious Events", + "description": "Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications." 
+ }, + { + "source": "scf", + "id": "scf:mon-01.12", + "id_raw": "MON-01.12", + "tier_raw": "Controls", + "tier": 1, + "seq": 222, + "title": "Automated Alerts", + "description": "Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications." + }, + { + "source": "scf", + "id": "scf:mon-01.13", + "id_raw": "MON-01.13", + "tier_raw": "Controls", + "tier": 1, + "seq": 223, + "title": "Alert Threshold Tuning", + "description": "Mechanisms exist to \"tune\" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events." + }, + { + "source": "scf", + "id": "scf:mon-01.14", + "id_raw": "MON-01.14", + "tier_raw": "Controls", + "tier": 1, + "seq": 224, + "title": "Individuals Posing Greater Risk", + "description": "Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk. " + }, + { + "source": "scf", + "id": "scf:mon-01.15", + "id_raw": "MON-01.15", + "tier_raw": "Controls", + "tier": 1, + "seq": 225, + "title": "Privileged User Oversight", + "description": "Mechanisms exist to implement enhanced activity monitoring for privileged users." + }, + { + "source": "scf", + "id": "scf:mon-01.16", + "id_raw": "MON-01.16", + "tier_raw": "Controls", + "tier": 1, + "seq": 226, + "title": "Analyze and Prioritize Monitoring Requirements", + "description": "Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes." 
+ }, + { + "source": "scf", + "id": "scf:mon-01.17", + "id_raw": "MON-01.17", + "tier_raw": "Controls", + "tier": 1, + "seq": 227, + "title": "Real-Time Session Monitoring", + "description": "Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations." + }, + { + "source": "scf", + "id": "scf:mon-02", + "id_raw": "MON-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 228, + "title": "Centralized Collection of Security Event Logs", + "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-02.1", + "id_raw": "MON-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 229, + "title": "Correlate Monitoring Information", + "description": "Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-02.2", + "id_raw": "MON-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 230, + "title": "Central Review & Analysis", + "description": "Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-02.3", + 
"id_raw": "MON-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 231, + "title": "Integration of Scanning & Other Monitoring Information", + "description": "Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity." + }, + { + "source": "scf", + "id": "scf:mon-02.4", + "id_raw": "MON-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 232, + "title": "Correlation with Physical Monitoring", + "description": "Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity. " + }, + { + "source": "scf", + "id": "scf:mon-02.5", + "id_raw": "MON-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 233, + "title": "Permitted Actions", + "description": "Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information. " + }, + { + "source": "scf", + "id": "scf:mon-02.6", + "id_raw": "MON-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 234, + "title": "Audit Level Adjustments", + "description": "Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence. " + }, + { + "source": "scf", + "id": "scf:mon-02.7", + "id_raw": "MON-02.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 235, + "title": "System-Wide / Time-Correlated Audit Trail", + "description": "Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated." 
+ }, + { + "source": "scf", + "id": "scf:mon-02.8", + "id_raw": "MON-02.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 236, + "title": "Changes by Authorized Individuals", + "description": "Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-03", + "id_raw": "MON-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 237, + "title": "Content of Audit Records ", + "description": "Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum:\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-03.1", + "id_raw": "MON-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 238, + "title": "Sensitive Audit Information", + "description": "Mechanisms exist to protect sensitive data contained in log files. " + }, + { + "source": "scf", + "id": "scf:mon-03.2", + "id_raw": "MON-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 239, + "title": "Audit Trails", + "description": "Mechanisms exist to link system access to individual users or service accounts." 
+ }, + { + "source": "scf", + "id": "scf:mon-03.3", + "id_raw": "MON-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 240, + "title": "Privileged Functions Logging ", + "description": "Mechanisms exist to log and review the actions of users and/or services with elevated privileges.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-03.4", + "id_raw": "MON-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 241, + "title": "Verbosity Logging for Boundary Devices ", + "description": "Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies." + }, + { + "source": "scf", + "id": "scf:mon-03.5", + "id_raw": "MON-03.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 242, + "title": "Limit Personal Data (PD) In Audit Records", + "description": "Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the privacy risk assessment.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:mon-03.6", + "id_raw": "MON-03.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 243, + "title": "Centralized Management of Planned Audit Record Content", + "description": "Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components. " + }, + { + "source": "scf", + "id": "scf:mon-03.7", + "id_raw": "MON-03.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 244, + "title": "Database Logging", + "description": "Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities." 
+ }, + { + "source": "scf", + "id": "scf:mon-04", + "id_raw": "MON-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 245, + "title": "Event Log Storage Capacity ", + "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded. " + }, + { + "source": "scf", + "id": "scf:mon-05", + "id_raw": "MON-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 246, + "title": "Response To Event Log Processing Failures", + "description": "Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-05.1", + "id_raw": "MON-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 247, + "title": "Real-Time Alerts of Event Logging Failure", + "description": "Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-05.2", + "id_raw": "MON-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 248, + "title": "Event Log Storage Capacity Alerting ", + "description": "Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity." 
+ }, + { + "source": "scf", + "id": "scf:mon-06", + "id_raw": "MON-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 249, + "title": "Monitoring Reporting ", + "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-06.1", + "id_raw": "MON-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 250, + "title": "Query Parameter Audits of Personal Data (PD)", + "description": "Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD)." + }, + { + "source": "scf", + "id": "scf:mon-06.2", + "id_raw": "MON-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 251, + "title": "Trend Analysis Reporting", + "description": "Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data." + }, + { + "source": "scf", + "id": "scf:mon-07", + "id_raw": "MON-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 252, + "title": "Time Stamps ", + "description": "Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs. " + }, + { + "source": "scf", + "id": "scf:mon-07.1", + "id_raw": "MON-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 253, + "title": "Synchronization With Authoritative Time Source", + "description": "Mechanisms exist to synchronize internal system clocks with an authoritative time source. 
\n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)" + }, + { + "source": "scf", + "id": "scf:mon-08", + "id_raw": "MON-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 254, + "title": "Protection of Event Logs ", + "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-08.1", + "id_raw": "MON-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 255, + "title": "Event Log Backup on Separate Physical Systems / Components ", + "description": "Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-08.2", + "id_raw": "MON-08.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 256, + "title": "Access by Subset of Privileged Users ", + "description": "Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk" + }, + { + "source": "scf", + "id": "scf:mon-08.3", + "id_raw": "MON-08.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 257, + "title": "Cryptographic Protection of Event Log Information", + "description": "Cryptographic mechanisms exist to protect the integrity of event logs and audit tools. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-08.4", + "id_raw": "MON-08.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 258, + "title": "Dual Authorization for Event Log Movement", + "description": "Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs." + }, + { + "source": "scf", + "id": "scf:mon-09", + "id_raw": "MON-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 259, + "title": "Non-Repudiation", + "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-09.1", + "id_raw": "MON-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 260, + "title": "Identity Binding", + "description": "Mechanisms exist to bind the identity of the information producer to the information generated." + }, + { + "source": "scf", + "id": "scf:mon-10", + "id_raw": "MON-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 261, + "title": "Event Log Retention", + "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-11", + "id_raw": "MON-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 262, + "title": "Monitoring For Information Disclosure", + "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information. 
\n\nMethods To Comply With SCF Controls:\n- Content filtering solution\n- Review of social media outlets" + }, + { + "source": "scf", + "id": "scf:mon-11.1", + "id_raw": "MON-11.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 263, + "title": "Analyze Traffic for Covert Exfiltration", + "description": "Automated mechanisms exist to analyze network traffic to detect covert data exfiltration." + }, + { + "source": "scf", + "id": "scf:mon-11.2", + "id_raw": "MON-11.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 264, + "title": "Unauthorized Network Services", + "description": "Automated mechanisms exist to detect unauthorized network services and alert incident response personnel. " + }, + { + "source": "scf", + "id": "scf:mon-11.3", + "id_raw": "MON-11.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 265, + "title": "Monitoring for Indicators of Compromise (IOC)", + "description": "Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC). \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:mon-12", + "id_raw": "MON-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 266, + "title": "Session Audit ", + "description": "Mechanisms exist to provide session audit capabilities that can: \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-13", + "id_raw": "MON-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 267, + "title": "Alternate Event Logging Capability ", + "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-14", + "id_raw": "MON-14", + "tier_raw": 
"Controls", + "tier": 1, + "seq": 268, + "title": "Cross-Organizational Monitoring ", + "description": "Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data." + }, + { + "source": "scf", + "id": "scf:mon-14.1", + "id_raw": "MON-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 269, + "title": "Sharing of Event Logs", + "description": "Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.\n\nMethods To Comply With SCF Controls:\n- Veris (incident sharing) (http://veriscommunity.net)" + }, + { + "source": "scf", + "id": "scf:mon-15", + "id_raw": "MON-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 270, + "title": "Covert Channel Analysis ", + "description": "Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels." 
+ }, + { + "source": "scf", + "id": "scf:mon-16", + "id_raw": "MON-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 271, + "title": "Anomalous Behavior", + "description": "Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-16.1", + "id_raw": "MON-16.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 272, + "title": "Insider Threats", + "description": "Mechanisms exist to monitor internal personnel activity for potential security incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-16.2", + "id_raw": "MON-16.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 273, + "title": "Third-Party Threats", + "description": "Mechanisms exist to monitor third-party personnel activity for potential security incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-16.3", + "id_raw": "MON-16.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 274, + "title": "Unauthorized Activities", + "description": "Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:mon-16.4", + "id_raw": "MON-16.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 275, + "title": "Account Creation and Modification Logging", + "description": "Automated 
mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups." + }, + { + "source": "scf", + "id": "scf:cry-01", + "id_raw": "CRY-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 276, + "title": "Use of Cryptographic Controls ", + "description": "Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.\n\nMethods To Comply With SCF Controls:\n- Key and certificate management solutions\n- Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006)\n- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)\n- Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)" + }, + { + "source": "scf", + "id": "scf:cry-01.1", + "id_raw": "CRY-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 277, + "title": "Alternate Physical Protection ", + "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards. " + }, + { + "source": "scf", + "id": "scf:cry-01.2", + "id_raw": "CRY-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 278, + "title": "Export-Controlled Technology", + "description": "Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements." + }, + { + "source": "scf", + "id": "scf:cry-01.3", + "id_raw": "CRY-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 279, + "title": "Pre/Post Transmission Handling", + "description": "Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception." 
+ }, + { + "source": "scf", + "id": "scf:cry-01.4", + "id_raw": "CRY-01.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 280, + "title": "Conceal / Randomize Communications", + "description": "Cryptographic mechanisms exist to conceal or randomize communication patterns." + }, + { + "source": "scf", + "id": "scf:cry-01.5", + "id_raw": "CRY-01.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 281, + "title": "Cryptographic Cipher Suites and Protocols Inventory", + "description": "Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols." + }, + { + "source": "scf", + "id": "scf:cry-02", + "id_raw": "CRY-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 282, + "title": "Cryptographic Module Authentication", + "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.\n\nMethods To Comply With SCF Controls:\n- Yubico (https://www.yubico.com)" + }, + { + "source": "scf", + "id": "scf:cry-03", + "id_raw": "CRY-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 283, + "title": "Transmission Confidentiality ", + "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted. \n\nMethods To Comply With SCF Controls:\n- SSL / TLS protocols\n- IPSEC Tunnels\n- Native MPLS encrypted tunnel configurations\n- Custom encrypted payloads" + }, + { + "source": "scf", + "id": "scf:cry-04", + "id_raw": "CRY-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 284, + "title": "Transmission Integrity ", + "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted. 
" + }, + { + "source": "scf", + "id": "scf:cry-05", + "id_raw": "CRY-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 285, + "title": "Encrypting Data At Rest ", + "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest. \n\nMethods To Comply With SCF Controls:\n- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)" + }, + { + "source": "scf", + "id": "scf:cry-05.1", + "id_raw": "CRY-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 286, + "title": "Storage Media", + "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive data residing on storage media.\n\nMethods To Comply With SCF Controls:\n- Native Storage Area Network (SAN) encryption functionality\n- BitLocker and EFS" + }, + { + "source": "scf", + "id": "scf:cry-05.2", + "id_raw": "CRY-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 287, + "title": "Offline Storage", + "description": "Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements." + }, + { + "source": "scf", + "id": "scf:cry-05.3", + "id_raw": "CRY-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 288, + "title": "Database Encryption", + "description": "Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases." + }, + { + "source": "scf", + "id": "scf:cry-06", + "id_raw": "CRY-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 289, + "title": "Non-Console Administrative Access", + "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access." 
+ }, + { + "source": "scf", + "id": "scf:cry-07", + "id_raw": "CRY-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 290, + "title": "Wireless Access Authentication & Encryption ", + "description": "Mechanisms exist to protect wireless access via secure authentication and encryption." + }, + { + "source": "scf", + "id": "scf:cry-08", + "id_raw": "CRY-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 291, + "title": "Public Key Infrastructure (PKI) ", + "description": "Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider. \n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD) Certificate Services\n- Digitcert (https://www.digicert.com)\n- Entrust (https://www.entrust.com)\n- Comodo (https://www.comodo.com)\n- Vault (https://www.vaultproject.io/)" + }, + { + "source": "scf", + "id": "scf:cry-08.1", + "id_raw": "CRY-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 292, + "title": "Availability", + "description": "Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys." 
+ }, + { + "source": "scf", + "id": "scf:cry-09", + "id_raw": "CRY-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 293, + "title": "Cryptographic Key Management ", + "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.\n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD) Certificate Services\n- Digitcert (https://www.digicert.com)\n- Entrust (https://www.entrust.com)\n- Comodo (https://www.comodo.com)\n- Vault (https://www.vaultproject.io/)" + }, + { + "source": "scf", + "id": "scf:cry-09.1", + "id_raw": "CRY-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 294, + "title": "Symmetric Keys", + "description": "Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes. " + }, + { + "source": "scf", + "id": "scf:cry-09.2", + "id_raw": "CRY-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 295, + "title": "Asymmetric Keys", + "description": "Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key. " + }, + { + "source": "scf", + "id": "scf:cry-09.3", + "id_raw": "CRY-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 296, + "title": "Cryptographic Key Loss or Change", + "description": "Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users. \n\nMethods To Comply With SCF Controls:\n- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. 
" + }, + { + "source": "scf", + "id": "scf:cry-09.4", + "id_raw": "CRY-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 297, + "title": "Control & Distribution of Cryptographic Keys", + "description": "Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes. " + }, + { + "source": "scf", + "id": "scf:cry-09.5", + "id_raw": "CRY-09.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 298, + "title": "Assigned Owners ", + "description": "Mechanisms exist to ensure cryptographic keys are bound to individual identities. " + }, + { + "source": "scf", + "id": "scf:cry-09.6", + "id_raw": "CRY-09.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 299, + "title": "Third-Party Cryptographic Keys", + "description": "Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared." + }, + { + "source": "scf", + "id": "scf:cry-09.7", + "id_raw": "CRY-09.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 300, + "title": "External System Cryptographic Key Control", + "description": "Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system." + }, + { + "source": "scf", + "id": "scf:cry-10", + "id_raw": "CRY-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 301, + "title": "Transmission of Security & Privacy Attributes ", + "description": "Mechanisms exist to ensure systems associate security attributes with information exchanged between systems. 
\n\nMethods To Comply With SCF Controls:\n- Integrity checking" + }, + { + "source": "scf", + "id": "scf:cry-11", + "id_raw": "CRY-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 302, + "title": "Certificate Authorities", + "description": "Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions." + }, + { + "source": "scf", + "id": "scf:dch-01", + "id_raw": "DCH-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 303, + "title": "Data Protection ", + "description": "Mechanisms exist to facilitate the implementation of data protection controls. " + }, + { + "source": "scf", + "id": "scf:dch-01.1", + "id_raw": "DCH-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 304, + "title": "Data Stewardship ", + "description": "Mechanisms exist to ensure data stewardship is assigned, documented and communicated. " + }, + { + "source": "scf", + "id": "scf:dch-01.2", + "id_raw": "DCH-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 305, + "title": "Sensitive / Regulated Data Protection", + "description": "Mechanisms exist to protect sensitive/regulated data wherever it is stored." + }, + { + "source": "scf", + "id": "scf:dch-01.3", + "id_raw": "DCH-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 306, + "title": "Sensitive / Regulated Media Records", + "description": "Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident." + }, + { + "source": "scf", + "id": "scf:dch-02", + "id_raw": "DCH-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 307, + "title": "Data & Asset Classification ", + "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements. 
" + }, + { + "source": "scf", + "id": "scf:dch-02.1", + "id_raw": "DCH-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 308, + "title": "Highest Classification Level", + "description": "Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed." + }, + { + "source": "scf", + "id": "scf:dch-03", + "id_raw": "DCH-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 309, + "title": "Media Access ", + "description": "Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals. \n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)" + }, + { + "source": "scf", + "id": "scf:dch-03.1", + "id_raw": "DCH-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 310, + "title": "Disclosure of Information", + "description": "Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know." + }, + { + "source": "scf", + "id": "scf:dch-03.2", + "id_raw": "DCH-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 311, + "title": "Masking Displayed Data ", + "description": "Mechanisms exist to apply data masking to sensitive information that is displayed or printed. " + }, + { + "source": "scf", + "id": "scf:dch-03.3", + "id_raw": "DCH-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 312, + "title": "Controlled Release", + "description": "Automated mechanisms exist to validate security and privacy attributes prior to releasing information to external systems." + }, + { + "source": "scf", + "id": "scf:dch-04", + "id_raw": "DCH-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 313, + "title": "Media Marking ", + "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. 
" + }, + { + "source": "scf", + "id": "scf:dch-04.1", + "id_raw": "DCH-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 314, + "title": "Automated Marking", + "description": "Automated mechanisms exist to mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aide Data Loss Prevention (DLP) technologies. " + }, + { + "source": "scf", + "id": "scf:dch-05", + "id_raw": "DCH-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 315, + "title": "Security & Privacy Attributes", + "description": "Mechanisms exist to bind security attributes to information as it is stored, transmitted and processed." + }, + { + "source": "scf", + "id": "scf:dch-05.1", + "id_raw": "DCH-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 316, + "title": "Dynamic Attribute Association", + "description": "Mechanisms exist to dynamically associate security and privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and privacy policies." + }, + { + "source": "scf", + "id": "scf:dch-05.2", + "id_raw": "DCH-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 317, + "title": "Attribute Value Changes By Authorized Individuals", + "description": "Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes." + }, + { + "source": "scf", + "id": "scf:dch-05.3", + "id_raw": "DCH-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 318, + "title": "Maintenance of Attribute Associations By System", + "description": "Mechanisms exist to maintain the association and integrity of security and privacy attributes to individuals and objects." 
+ }, + { + "source": "scf", + "id": "scf:dch-05.4", + "id_raw": "DCH-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 319, + "title": "Association of Attributes By Authorized Individuals", + "description": "Mechanisms exist to provide the capability to associate security and privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals)." + }, + { + "source": "scf", + "id": "scf:dch-05.5", + "id_raw": "DCH-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 320, + "title": "Attribute Displays for Output Devices", + "description": "Mechanisms exist to display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions." + }, + { + "source": "scf", + "id": "scf:dch-05.6", + "id_raw": "DCH-05.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 321, + "title": "Data Subject Attribute Associations", + "description": "Mechanisms exist to require personnel to associate and maintain the association of security and privacy attributes with individuals and objects in accordance with security and privacy policies." + }, + { + "source": "scf", + "id": "scf:dch-05.7", + "id_raw": "DCH-05.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 322, + "title": "Consistent Attribute Interpretation", + "description": "Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components." + }, + { + "source": "scf", + "id": "scf:dch-05.8", + "id_raw": "DCH-05.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 323, + "title": "Identity Association Techniques & Technologies", + "description": "Mechanisms exist to associate security and privacy attributes to information." 
+ }, + { + "source": "scf", + "id": "scf:dch-05.9", + "id_raw": "DCH-05.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 324, + "title": "Attribute Reassignment", + "description": "Mechanisms exist to reclassify data as required, due to changing business/technical requirements." + }, + { + "source": "scf", + "id": "scf:dch-05.10", + "id_raw": "DCH-05.10", + "tier_raw": "Controls", + "tier": 1, + "seq": 325, + "title": "Attribute Configuration By Authorized Individuals", + "description": "Mechanisms exist to provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects." + }, + { + "source": "scf", + "id": "scf:dch-05.11", + "id_raw": "DCH-05.11", + "tier_raw": "Controls", + "tier": 1, + "seq": 326, + "title": "Audit Changes", + "description": "Mechanisms exist to audit changes to security and privacy attributes and responds to events in accordance with incident response procedures.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:dch-06", + "id_raw": "DCH-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 327, + "title": "Media Storage", + "description": "Mechanisms exist to: " + }, + { + "source": "scf", + "id": "scf:dch-06.1", + "id_raw": "DCH-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 328, + "title": "Physically Secure All Media", + "description": "Mechanisms exist to physically secure all media that contains sensitive information.\n\nMethods To Comply With SCF Controls:\n- Lockbox" + }, + { + "source": "scf", + "id": "scf:dch-06.2", + "id_raw": "DCH-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 329, + "title": "Sensitive Data Inventories", + "description": "Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually. 
" + }, + { + "source": "scf", + "id": "scf:dch-06.3", + "id_raw": "DCH-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 330, + "title": "Periodic Scans for Sensitive Data", + "description": "Mechanisms exist to periodically scan unstructured data sources for sensitive data or data requiring special protection measures by statutory, regulatory or contractual obligations. " + }, + { + "source": "scf", + "id": "scf:dch-06.4", + "id_raw": "DCH-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 331, + "title": "Making Sensitive Data Unreadable In Storage", + "description": "Mechanisms exist to ensure sensitive data is rendered human unreadable anywhere sensitive data is stored. " + }, + { + "source": "scf", + "id": "scf:dch-06.5", + "id_raw": "DCH-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 332, + "title": "Storing Authentication Data", + "description": "Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization. " + }, + { + "source": "scf", + "id": "scf:dch-07", + "id_raw": "DCH-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 333, + "title": "Media Transportation ", + "description": "Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.\n\nMethods To Comply With SCF Controls:\n- Assigned couriers" + }, + { + "source": "scf", + "id": "scf:dch-07.1", + "id_raw": "DCH-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 334, + "title": "Custodians", + "description": "Mechanisms exist to identify custodians throughout the transport of digital or non-digital media. 
\n\nMethods To Comply With SCF Controls:\n- Chain of custody" + }, + { + "source": "scf", + "id": "scf:dch-07.2", + "id_raw": "DCH-07.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 335, + "title": "Encrypting Data In Storage Media", + "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas." + }, + { + "source": "scf", + "id": "scf:dch-08", + "id_raw": "DCH-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 336, + "title": "Physical Media Disposal", + "description": "Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures. \n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain\n- DoD-strength data erasers" + }, + { + "source": "scf", + "id": "scf:dch-09", + "id_raw": "DCH-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 337, + "title": "Digital Media Sanitization", + "description": "Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse." + }, + { + "source": "scf", + "id": "scf:dch-09.1", + "id_raw": "DCH-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 338, + "title": "Media Sanitization Documentation", + "description": "Mechanisms exist to supervise, track, document and verify media sanitization and disposal actions. \n\nMethods To Comply With SCF Controls:\n- Certificate of destruction" + }, + { + "source": "scf", + "id": "scf:dch-09.2", + "id_raw": "DCH-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 339, + "title": "Equipment Testing", + "description": "Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved. 
" + }, + { + "source": "scf", + "id": "scf:dch-09.3", + "id_raw": "DCH-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 340, + "title": "Sanitization of Personal Data (PD)", + "description": "Mechanisms exist to facilitate the sanitization of Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- De-identifying PI" + }, + { + "source": "scf", + "id": "scf:dch-09.4", + "id_raw": "DCH-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 341, + "title": "First Time Use Sanitization", + "description": "Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use." + }, + { + "source": "scf", + "id": "scf:dch-09.5", + "id_raw": "DCH-09.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 342, + "title": "Dual Authorization for Sensitive Data Destruction", + "description": "Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data." + }, + { + "source": "scf", + "id": "scf:dch-10", + "id_raw": "DCH-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 343, + "title": "Media Use", + "description": "Mechanisms exist to restrict the use of types of digital media on systems or system components. " + }, + { + "source": "scf", + "id": "scf:dch-10.1", + "id_raw": "DCH-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 344, + "title": "Limitations on Use ", + "description": "Mechanisms exist to restrict the use and distribution of sensitive / regulated data. " + }, + { + "source": "scf", + "id": "scf:dch-10.2", + "id_raw": "DCH-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 345, + "title": "Prohibit Use Without Owner", + "description": "Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner." 
+ }, + { + "source": "scf", + "id": "scf:dch-11", + "id_raw": "DCH-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 346, + "title": "Data Reclassification ", + "description": "Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information." + }, + { + "source": "scf", + "id": "scf:dch-12", + "id_raw": "DCH-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 347, + "title": "Removable Media Security", + "description": "Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters." + }, + { + "source": "scf", + "id": "scf:dch-13", + "id_raw": "DCH-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 348, + "title": "Use of External Information Systems ", + "description": "Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data. " + }, + { + "source": "scf", + "id": "scf:dch-13.1", + "id_raw": "DCH-13.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 349, + "title": "Limits of Authorized Use ", + "description": "Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: " + }, + { + "source": "scf", + "id": "scf:dch-13.2", + "id_raw": "DCH-13.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 350, + "title": "Portable Storage Devices", + "description": "Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems. 
" + }, + { + "source": "scf", + "id": "scf:dch-13.3", + "id_raw": "DCH-13.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 351, + "title": "Protecting Sensitive Data on External Systems", + "description": "Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.\n\nMethods To Comply With SCF Controls:\n- NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)" + }, + { + "source": "scf", + "id": "scf:dch-13.4", + "id_raw": "DCH-13.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 352, + "title": "Non-Organizationally Owned Systems / Components / Devices", + "description": "Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information." + }, + { + "source": "scf", + "id": "scf:dch-14", + "id_raw": "DCH-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 353, + "title": "Information Sharing ", + "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.\n\nMethods To Comply With SCF Controls:\n- ShareFile\n- SmartVault\n- Veris (incident sharing) (http://veriscommunity.net)" + }, + { + "source": "scf", + "id": "scf:dch-14.1", + "id_raw": "DCH-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 354, + "title": "Information Search & Retrieval", + "description": "Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions." 
+ }, + { + "source": "scf", + "id": "scf:dch-14.2", + "id_raw": "DCH-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 355, + "title": "Transfer Authorizations", + "description": "Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data." + }, + { + "source": "scf", + "id": "scf:dch-14.3", + "id_raw": "DCH-14.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 356, + "title": "Data Access Mapping", + "description": "Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the personnel with whom sensitive data is shared." + }, + { + "source": "scf", + "id": "scf:dch-15", + "id_raw": "DCH-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 357, + "title": "Publicly Accessible Content", + "description": "Mechanisms exist to control publicly-accessible content.\n\nMethods To Comply With SCF Controls:\n- Designate individuals authorized to post information onto systems that are publicly accessible.\n- Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.\n- Review the proposed content of publicly accessible information for nonpublic information prior to posting.\n- Remove nonpublic information from the publicly accessible system." + }, + { + "source": "scf", + "id": "scf:dch-16", + "id_raw": "DCH-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 358, + "title": "Data Mining Protection", + "description": "Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques. 
" + }, + { + "source": "scf", + "id": "scf:dch-17", + "id_raw": "DCH-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 359, + "title": "Ad-Hoc Transfers ", + "description": "Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.\n\nMethods To Comply With SCF Controls:\n- ShareFile\n- Box" + }, + { + "source": "scf", + "id": "scf:dch-18", + "id_raw": "DCH-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 360, + "title": "Media & Data Retention ", + "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-18.1", + "id_raw": "DCH-18.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 361, + "title": "Limit Personal Data (PD) Elements In Testing, Training & Research", + "description": "Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-18.2", + "id_raw": "DCH-18.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 362, + "title": "Minimize Personal Data (PD)", + "description": "Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-18.3", + "id_raw": "DCH-18.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 363, + "title": "Temporary Files Containing Personal Data (PD)", + "description": "Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD)." 
+ }, + { + "source": "scf", + "id": "scf:dch-19", + "id_raw": "DCH-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 364, + "title": "Geographic Location of Data", + "description": "Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties." + }, + { + "source": "scf", + "id": "scf:dch-20", + "id_raw": "DCH-20", + "tier_raw": "Controls", + "tier": 1, + "seq": 365, + "title": "Archived Data Sets ", + "description": "Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations. " + }, + { + "source": "scf", + "id": "scf:dch-21", + "id_raw": "DCH-21", + "tier_raw": "Controls", + "tier": 1, + "seq": 366, + "title": "Information Disposal", + "description": "Mechanisms exist to securely dispose of, destroy or erase information.\n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain" + }, + { + "source": "scf", + "id": "scf:dch-22", + "id_raw": "DCH-22", + "tier_raw": "Controls", + "tier": 1, + "seq": 367, + "title": "Data Quality Operations", + "description": "Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-22.1", + "id_raw": "DCH-22.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 368, + "title": "Updating & Correcting Personal Data (PD)", + "description": "Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": 
"scf", + "id": "scf:dch-22.2", + "id_raw": "DCH-22.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 369, + "title": "Data Tags", + "description": "Mechanisms exist to utilize data tags to automate tracking of sensitive data across the information lifecycle.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-22.3", + "id_raw": "DCH-22.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 370, + "title": "Primary Source Personal Data (PD) Collection", + "description": "Mechanisms exist to collect Personal Data (PD) directly from the individual. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23", + "id_raw": "DCH-23", + "tier_raw": "Controls", + "tier": 1, + "seq": 371, + "title": "De-Identification (Anonymization)", + "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.1", + "id_raw": "DCH-23.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 372, + "title": "De-Identify Dataset Upon Collection", + "description": "Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.2", + "id_raw": "DCH-23.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 373, + "title": "Archiving", + "description": "Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.3", + "id_raw": "DCH-23.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 374, + "title": 
"Release", + "description": "Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.4", + "id_raw": "DCH-23.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 375, + "title": "Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers", + "description": "Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.5", + "id_raw": "DCH-23.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 376, + "title": "Statistical Disclosure Control", + "description": "Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis." 
+ }, + { + "source": "scf", + "id": "scf:dch-23.6", + "id_raw": "DCH-23.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 377, + "title": "Differential Privacy", + "description": "Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.7", + "id_raw": "DCH-23.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 378, + "title": "Automated De-Identification of Sensitive Data", + "description": "Mechanisms exist to perform de-identification of sensitive data, using validated algorithms and software to implement the algorithms.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:dch-23.8", + "id_raw": "DCH-23.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 379, + "title": "Motivated Intruder", + "description": "Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified." + }, + { + "source": "scf", + "id": "scf:dch-23.9", + "id_raw": "DCH-23.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 380, + "title": "Code Names", + "description": "Mechanisms exist to use aliases to name assets, that are mission-critical and/or contain highly-sensitive data, are unique and not readily associated with a product, project or type of data." 
+ }, + { + "source": "scf", + "id": "scf:dch-24", + "id_raw": "DCH-24", + "tier_raw": "Controls", + "tier": 1, + "seq": 381, + "title": "Information Location", + "description": "Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.\n\nMethods To Comply With SCF Controls:\n- Data Flow Diagram (DFD)" + }, + { + "source": "scf", + "id": "scf:dch-24.1", + "id_raw": "DCH-24.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 382, + "title": "Automated Tools to Support Information Location", + "description": "Automated mechanisms exist to identify by data classification type to ensure adequate security and privacy controls are in place to protect organizational information and individual privacy." + }, + { + "source": "scf", + "id": "scf:dch-25", + "id_raw": "DCH-25", + "tier_raw": "Controls", + "tier": 1, + "seq": 383, + "title": "Transfer of Sensitive and/or Regulated Data", + "description": "Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.\n\nMethods To Comply With SCF Controls:\n- Model contracts\n- Privacy Shield\n- Binding Corporate Rules (BCR)" + }, + { + "source": "scf", + "id": "scf:dch-25.1", + "id_raw": "DCH-25.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 384, + "title": "Transfer Activity Limits", + "description": "Mechanisms exist to establish organization-defined \"normal business activities\" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions." 
+ }, + { + "source": "scf", + "id": "scf:dch-26", + "id_raw": "DCH-26", + "tier_raw": "Controls", + "tier": 1, + "seq": 385, + "title": "Data Localization", + "description": "Mechanisms exist to constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee" + }, + { + "source": "scf", + "id": "scf:emb-01", + "id_raw": "EMB-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 386, + "title": "Embedded Technology Security Program ", + "description": "Mechanisms exist to facilitate the implementation of embedded technology controls. " + }, + { + "source": "scf", + "id": "scf:emb-02", + "id_raw": "EMB-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 387, + "title": "Internet of Things (IOT) ", + "description": "Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Internet of Things (IoT)." + }, + { + "source": "scf", + "id": "scf:emb-03", + "id_raw": "EMB-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 388, + "title": "Operational Technology (OT) ", + "description": "Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT)." + }, + { + "source": "scf", + "id": "scf:emb-04", + "id_raw": "EMB-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 389, + "title": "Interface Security", + "description": "Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s)." 
+ }, + { + "source": "scf", + "id": "scf:emb-05", + "id_raw": "EMB-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 390, + "title": "Embedded Technology Configuration Monitoring", + "description": "Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected." + }, + { + "source": "scf", + "id": "scf:emb-06", + "id_raw": "EMB-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 391, + "title": "Prevent Alterations", + "description": "Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software." + }, + { + "source": "scf", + "id": "scf:emb-07", + "id_raw": "EMB-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 392, + "title": "Embedded Technology Maintenance", + "description": "Mechanisms exist to securely update software and upgrade functionality on embedded devices." + }, + { + "source": "scf", + "id": "scf:emb-08", + "id_raw": "EMB-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 393, + "title": "Resilience To Outages", + "description": "Mechanisms exist to configure embedded technology to be resilient to data network and power outages." + }, + { + "source": "scf", + "id": "scf:emb-09", + "id_raw": "EMB-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 394, + "title": "Power Level Monitoring", + "description": "Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering." + }, + { + "source": "scf", + "id": "scf:emb-10", + "id_raw": "EMB-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 395, + "title": "Embedded Technology Reviews", + "description": "Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented." 
+ }, + { + "source": "scf", + "id": "scf:emb-11", + "id_raw": "EMB-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 396, + "title": "Message Queuing Telemetry Transport (MQTT) Security", + "description": "Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic." + }, + { + "source": "scf", + "id": "scf:emb-12", + "id_raw": "EMB-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 397, + "title": "Restrict Communications", + "description": "Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications." + }, + { + "source": "scf", + "id": "scf:emb-13", + "id_raw": "EMB-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 398, + "title": "Authorized Communications", + "description": "Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints." + }, + { + "source": "scf", + "id": "scf:emb-14", + "id_raw": "EMB-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 399, + "title": "Operating Environment Certification", + "description": "Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment." + }, + { + "source": "scf", + "id": "scf:emb-15", + "id_raw": "EMB-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 400, + "title": "Safety Assessment", + "description": "Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure." + }, + { + "source": "scf", + "id": "scf:emb-16", + "id_raw": "EMB-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 401, + "title": "Certificate-Based Authentication", + "description": "Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services." 
+ }, + { + "source": "scf", + "id": "scf:emb-17", + "id_raw": "EMB-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 402, + "title": "Chip-To-Cloud Security", + "description": "Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP)." + }, + { + "source": "scf", + "id": "scf:emb-18", + "id_raw": "EMB-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 403, + "title": "Real-Time Operating System (RTOS) Security", + "description": "Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS)." + }, + { + "source": "scf", + "id": "scf:emb-19", + "id_raw": "EMB-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 404, + "title": "Safe Operations", + "description": "Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured." + }, + { + "source": "scf", + "id": "scf:end-01", + "id_raw": "END-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 405, + "title": "Endpoint Security ", + "description": "Mechanisms exist to facilitate the implementation of endpoint security controls.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Group Policy Objects (GPOs)\n- Antimalware technologies\n- Software firewalls\n- Host-based IDS/IPS technologies\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:end-02", + "id_raw": "END-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 406, + "title": "Endpoint Protection Measures ", + "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": 
"scf:end-03", + "id_raw": "END-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 407, + "title": "Prohibit Installation Without Privileged Status ", + "description": "Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Removal of local admin rights\n- Privileged Account Management (PAM)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:end-03.1", + "id_raw": "END-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 408, + "title": "Software Installation Alerts", + "description": "Mechanisms exist to generate an alert when new software is detected. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:end-03.2", + "id_raw": "END-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 409, + "title": "Governing Access Restriction for Change", + "description": "Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:end-04", + "id_raw": "END-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 410, + "title": "Malicious Code Protection (Anti-Malware) ", + "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Antimalware software\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:end-04.1", + "id_raw": "END-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 411, + "title": "Automatic Antimalware 
Signature Updates", + "description": "Mechanisms exist to automatically update antimalware technologies, including signature definitions. \n\nMethods To Comply With SCF Controls:\n- Antimalware software" + }, + { + "source": "scf", + "id": "scf:end-04.2", + "id_raw": "END-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 412, + "title": "Documented Protection Measures", + "description": "Mechanisms exist to document antimalware technologies." + }, + { + "source": "scf", + "id": "scf:end-04.3", + "id_raw": "END-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 413, + "title": "Centralized Management of Antimalware Technologies", + "description": "Mechanisms exist to centrally-manage antimalware technologies.\n\nMethods To Comply With SCF Controls:\n- Antimalware software" + }, + { + "source": "scf", + "id": "scf:end-04.4", + "id_raw": "END-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 414, + "title": "Heuristic / Nonsignature-Based Detection", + "description": "Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.\n\nMethods To Comply With SCF Controls:\n- Antimalware software" + }, + { + "source": "scf", + "id": "scf:end-04.5", + "id_raw": "END-04.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 415, + "title": "Malware Protection Mechanism Testing", + "description": "Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs. \n\nMethods To Comply With SCF Controls:\n- EICAR test file" + }, + { + "source": "scf", + "id": "scf:end-04.6", + "id_raw": "END-04.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 416, + "title": "Evolving Malware Threats", + "description": "Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software. 
" + }, + { + "source": "scf", + "id": "scf:end-04.7", + "id_raw": "END-04.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 417, + "title": "Always On Protection", + "description": "Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period. \n\nMethods To Comply With SCF Controls:\n- Antimalware software" + }, + { + "source": "scf", + "id": "scf:end-05", + "id_raw": "END-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 418, + "title": "Software Firewall ", + "description": "Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:end-06", + "id_raw": "END-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 419, + "title": "Endpoint File Integrity Monitoring (FIM) ", + "description": "Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)" + }, + { + "source": "scf", + "id": "scf:end-06.1", + "id_raw": "END-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 420, + "title": "Integrity Checks ", + "description": "Mechanisms exist to validate configurations through integrity checking of software and firmware.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)" + }, + { + "source": "scf", + "id": "scf:end-06.2", + "id_raw": "END-06.2", 
+ "tier_raw": "Controls", + "tier": 1, + "seq": 421, + "title": "Integration of Detection & Response ", + "description": "Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)" + }, + { + "source": "scf", + "id": "scf:end-06.3", + "id_raw": "END-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 422, + "title": "Automated Notifications of Integrity Violations", + "description": "Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:end-06.4", + "id_raw": "END-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 423, + "title": "Automated Response to Integrity Violations", + "description": "Automated mechanisms exist to implement remediation actions when integrity violations are discovered. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:end-06.5", + "id_raw": "END-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 424, + "title": "Boot Process Integrity", + "description": "Automated mechanisms exist to verify the integrity of the boot process of information systems." + }, + { + "source": "scf", + "id": "scf:end-06.6", + "id_raw": "END-06.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 425, + "title": "Protection of Boot Firmware", + "description": "Automated mechanisms exist to protect the integrity of boot firmware in information systems." 
+ }, + { + "source": "scf", + "id": "scf:end-06.7", + "id_raw": "END-06.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 426, + "title": "Binary or Machine-Executable Code", + "description": "Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code." + }, + { + "source": "scf", + "id": "scf:end-07", + "id_raw": "END-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 427, + "title": "Host Intrusion Detection and Prevention Systems (HIDS / HIPS) ", + "description": "Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)" + }, + { + "source": "scf", + "id": "scf:end-08", + "id_raw": "END-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 428, + "title": "Phishing & Spam Protection ", + "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail." + }, + { + "source": "scf", + "id": "scf:end-08.1", + "id_raw": "END-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 429, + "title": "Central Management", + "description": "Mechanisms exist to centrally-manage anti-phishing and spam protection technologies." + }, + { + "source": "scf", + "id": "scf:end-08.2", + "id_raw": "END-08.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 430, + "title": "Automatic Spam and Phishing Protection Updates", + "description": "Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices." 
+ }, + { + "source": "scf", + "id": "scf:end-09", + "id_raw": "END-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 431, + "title": "Trusted Path", + "description": "Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process" + }, + { + "source": "scf", + "id": "scf:end-10", + "id_raw": "END-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 432, + "title": "Mobile Code", + "description": "Mechanisms exist to address mobile code / operating system-independent applications. " + }, + { + "source": "scf", + "id": "scf:end-11", + "id_raw": "END-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 433, + "title": "Thin Nodes", + "description": "Mechanisms exist to configure thin nodes to have minimal functionality and information storage. " + }, + { + "source": "scf", + "id": "scf:end-12", + "id_raw": "END-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 434, + "title": "Port & Input / Output (I/O) Device Access ", + "description": "Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems." + }, + { + "source": "scf", + "id": "scf:end-13", + "id_raw": "END-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 435, + "title": "Sensor Capability", + "description": "Mechanisms exist to configure embedded sensors on systems to: " + }, + { + "source": "scf", + "id": "scf:end-13.1", + "id_raw": "END-13.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 436, + "title": "Authorized Use", + "description": "Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes." 
+ }, + { + "source": "scf", + "id": "scf:end-13.2", + "id_raw": "END-13.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 437, + "title": "Notice of Collection", + "description": "Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.\n\nMethods To Comply With SCF Controls:\n- Visible or auditory alert\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:end-13.3", + "id_raw": "END-13.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 438, + "title": "Collection Minimization", + "description": "Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals." + }, + { + "source": "scf", + "id": "scf:end-13.4", + "id_raw": "END-13.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 439, + "title": "Sensor Delivery Verification", + "description": "Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles." + }, + { + "source": "scf", + "id": "scf:end-14", + "id_raw": "END-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 440, + "title": "Collaborative Computing Devices ", + "description": "Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n\nMethods To Comply With SCF Controls:\n- Unplug devices when not needed" + }, + { + "source": "scf", + "id": "scf:end-14.1", + "id_raw": "END-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 441, + "title": "Disabling / Removal In Secure Work Areas", + "description": "Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas." 
+ }, + { + "source": "scf", + "id": "scf:end-14.2", + "id_raw": "END-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 442, + "title": "Explicitly Indicate Current Participants", + "description": "Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences." + }, + { + "source": "scf", + "id": "scf:end-15", + "id_raw": "END-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 443, + "title": "Hypervisor Access ", + "description": "Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems." + }, + { + "source": "scf", + "id": "scf:end-16", + "id_raw": "END-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 444, + "title": "Restrict Access To Security Functions", + "description": "Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.\n\nMethods To Comply With SCF Controls:\n- Windows Defender Device Guard" + }, + { + "source": "scf", + "id": "scf:end-16.1", + "id_raw": "END-16.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 445, + "title": "Host-Based Security Function Isolation", + "description": "Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation. \n\nMethods To Comply With SCF Controls:\n- Windows Defender Device Guard" + }, + { + "source": "scf", + "id": "scf:hrs-01", + "id_raw": "HRS-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 446, + "title": "Human Resources Security Management", + "description": "Mechanisms exist to facilitate the implementation of personnel security controls." 
+ }, + { + "source": "scf", + "id": "scf:hrs-02", + "id_raw": "HRS-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 447, + "title": "Position Categorization ", + "description": "Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions." + }, + { + "source": "scf", + "id": "scf:hrs-02.1", + "id_raw": "HRS-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 448, + "title": "Users With Elevated Privileges", + "description": "Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question." + }, + { + "source": "scf", + "id": "scf:hrs-02.2", + "id_raw": "HRS-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 449, + "title": "Probationary Periods", + "description": "Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period." + }, + { + "source": "scf", + "id": "scf:hrs-03", + "id_raw": "HRS-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 450, + "title": "Roles & Responsibilities ", + "description": "Mechanisms exist to define cybersecurity responsibilities for all personnel. \n\nMethods To Comply With SCF Controls:\n- NIST NICE framework\n- RACI diagram" + }, + { + "source": "scf", + "id": "scf:hrs-03.1", + "id_raw": "HRS-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 451, + "title": "User Awareness ", + "description": "Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment." 
+ }, + { + "source": "scf", + "id": "scf:hrs-03.2", + "id_raw": "HRS-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 452, + "title": "Competency Requirements for Security-Related Positions", + "description": "Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set. " + }, + { + "source": "scf", + "id": "scf:hrs-04", + "id_raw": "HRS-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 453, + "title": "Personnel Screening ", + "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.\n\nMethods To Comply With SCF Controls:\n- Criminal, education and employment background checks" + }, + { + "source": "scf", + "id": "scf:hrs-04.1", + "id_raw": "HRS-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 454, + "title": "Roles With Special Protection Measures", + "description": "Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.\n\nMethods To Comply With SCF Controls:\n- Security clearances for classified information." + }, + { + "source": "scf", + "id": "scf:hrs-04.2", + "id_raw": "HRS-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 455, + "title": "Formal Indoctrination", + "description": "Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system." 
+ }, + { + "source": "scf", + "id": "scf:hrs-04.3", + "id_raw": "HRS-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 456, + "title": "Citizenship Requirements", + "description": "Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship." + }, + { + "source": "scf", + "id": "scf:hrs-04.4", + "id_raw": "HRS-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 457, + "title": "Citizenship Identification", + "description": "Mechanisms exist to identify foreign nationals, including by their specific citizenship." + }, + { + "source": "scf", + "id": "scf:hrs-05", + "id_raw": "HRS-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 458, + "title": "Terms of Employment ", + "description": "Mechanisms exist to require all employees and contractors to apply security and privacy principles in their daily work.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior" + }, + { + "source": "scf", + "id": "scf:hrs-05.1", + "id_raw": "HRS-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 459, + "title": "Rules of Behavior", + "description": "Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior" + }, + { + "source": "scf", + "id": "scf:hrs-05.2", + "id_raw": "HRS-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 460, + "title": "Social Media & Social Networking Restrictions", + "description": "Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information. 
\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior" + }, + { + "source": "scf", + "id": "scf:hrs-05.3", + "id_raw": "HRS-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 461, + "title": "Use of Communications Technology", + "description": "Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously. \n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior" + }, + { + "source": "scf", + "id": "scf:hrs-05.4", + "id_raw": "HRS-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 462, + "title": "Use of Critical Technologies ", + "description": "Mechanisms exist to govern usage policies for critical technologies. " + }, + { + "source": "scf", + "id": "scf:hrs-05.5", + "id_raw": "HRS-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 463, + "title": "Use of Mobile Devices", + "description": "Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior\n- BYOD policy" + }, + { + "source": "scf", + "id": "scf:hrs-05.6", + "id_raw": "HRS-05.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 464, + "title": "Security-Minded Dress Code", + "description": "Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets." + }, + { + "source": "scf", + "id": "scf:hrs-05.7", + "id_raw": "HRS-05.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 465, + "title": "Policy Familiarization & Acknowledgement", + "description": "Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies and provide acknowledgement." 
+ }, + { + "source": "scf", + "id": "scf:hrs-06", + "id_raw": "HRS-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 466, + "title": "Access Agreements ", + "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. " + }, + { + "source": "scf", + "id": "scf:hrs-06.1", + "id_raw": "HRS-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 467, + "title": "Confidentiality Agreements", + "description": "Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)" + }, + { + "source": "scf", + "id": "scf:hrs-06.2", + "id_raw": "HRS-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 468, + "title": "Post-Employment Obligations", + "description": "Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information." + }, + { + "source": "scf", + "id": "scf:hrs-07", + "id_raw": "HRS-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 469, + "title": "Personnel Sanctions", + "description": "Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures. " + }, + { + "source": "scf", + "id": "scf:hrs-07.1", + "id_raw": "HRS-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 470, + "title": "Workplace Investigations", + "description": "Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated. 
" + }, + { + "source": "scf", + "id": "scf:hrs-08", + "id_raw": "HRS-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 471, + "title": "Personnel Transfer", + "description": "Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner." + }, + { + "source": "scf", + "id": "scf:hrs-09", + "id_raw": "HRS-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 472, + "title": "Personnel Termination ", + "description": "Mechanisms exist to govern the termination of individual employment." + }, + { + "source": "scf", + "id": "scf:hrs-09.1", + "id_raw": "HRS-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 473, + "title": "Asset Collection", + "description": "Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment." + }, + { + "source": "scf", + "id": "scf:hrs-09.2", + "id_raw": "HRS-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 474, + "title": "High-Risk Terminations", + "description": "Mechanisms exist to expedite the process of removing \"high risk\" individual’s access to systems and applications upon termination, as determined by management." 
+ }, + { + "source": "scf", + "id": "scf:hrs-09.3", + "id_raw": "HRS-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 475, + "title": "Post-Employment Requirements ", + "description": "Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)" + }, + { + "source": "scf", + "id": "scf:hrs-09.4", + "id_raw": "HRS-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 476, + "title": "Automated Employment Status Notifications", + "description": "Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual employment or contract." + }, + { + "source": "scf", + "id": "scf:hrs-10", + "id_raw": "HRS-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 477, + "title": "Third-Party Personnel Security", + "description": "Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities.\n\nMethods To Comply With SCF Controls:\n- Independent background check service" + }, + { + "source": "scf", + "id": "scf:hrs-11", + "id_raw": "HRS-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 478, + "title": "Separation of Duties (SoD)", + "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion." + }, + { + "source": "scf", + "id": "scf:hrs-12", + "id_raw": "HRS-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 479, + "title": "Incompatible Roles ", + "description": "Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment." 
+ }, + { + "source": "scf", + "id": "scf:hrs-12.1", + "id_raw": "HRS-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 480, + "title": "Two-Person Rule", + "description": "Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems." + }, + { + "source": "scf", + "id": "scf:hrs-13", + "id_raw": "HRS-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 481, + "title": "Identify Critical Skills & Gaps", + "description": "Mechanisms exist to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist." + }, + { + "source": "scf", + "id": "scf:hrs-13.1", + "id_raw": "HRS-13.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 482, + "title": "Remediate Identified Skills Deficiencies", + "description": "Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions." + }, + { + "source": "scf", + "id": "scf:hrs-13.2", + "id_raw": "HRS-13.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 483, + "title": "Identify Vital Cybersecurity & Privacy Staff", + "description": "Mechanisms exist to identify vital cybersecurity & privacy staff." + }, + { + "source": "scf", + "id": "scf:hrs-13.3", + "id_raw": "HRS-13.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 484, + "title": "Establish Redundancy for Vital Cybersecurity & Privacy Staff", + "description": "Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff." + }, + { + "source": "scf", + "id": "scf:hrs-13.4", + "id_raw": "HRS-13.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 485, + "title": "Perform Succession Planning", + "description": "Mechanisms exist to perform succession planning for vital cybersecurity & privacy roles." 
+ }, + { + "source": "scf", + "id": "scf:iac-01", + "id_raw": "IAC-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 486, + "title": "Identity & Access Management (IAM) ", + "description": "Mechanisms exist to facilitate the implementation of identification and access management controls." + }, + { + "source": "scf", + "id": "scf:iac-01.1", + "id_raw": "IAC-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 487, + "title": "Retain Access Records", + "description": "Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed." + }, + { + "source": "scf", + "id": "scf:iac-02", + "id_raw": "IAC-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 488, + "title": "Identification & Authentication for Organizational Users ", + "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users. " + }, + { + "source": "scf", + "id": "scf:iac-02.1", + "id_raw": "IAC-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 489, + "title": "Group Authentication ", + "description": "Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized. " + }, + { + "source": "scf", + "id": "scf:iac-02.2", + "id_raw": "IAC-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 490, + "title": "Network Access to Privileged Accounts - Replay Resistant", + "description": "Automated mechanisms exist to employ replay-resistant network access authentication." 
+ }, + { + "source": "scf", + "id": "scf:iac-02.3", + "id_raw": "IAC-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 491, + "title": "Acceptance of PIV Credentials ", + "description": "Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials. \n\nMethods To Comply With SCF Controls:\n- Personal Identity Verification (PIV) credentials" + }, + { + "source": "scf", + "id": "scf:iac-02.4", + "id_raw": "IAC-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 492, + "title": "Out-of-Band Authentication (OOBA) ", + "description": "Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions. " + }, + { + "source": "scf", + "id": "scf:iac-03", + "id_raw": "IAC-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 493, + "title": "Identification & Authentication for Non-Organizational Users ", + "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization." + }, + { + "source": "scf", + "id": "scf:iac-03.1", + "id_raw": "IAC-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 494, + "title": "Acceptance of PIV Credentials from Other Organizations ", + "description": "Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties." + }, + { + "source": "scf", + "id": "scf:iac-03.2", + "id_raw": "IAC-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 495, + "title": "Acceptance of Third-Party Credentials", + "description": "Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials. 
" + }, + { + "source": "scf", + "id": "scf:iac-03.3", + "id_raw": "IAC-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 496, + "title": "Use of FICAM-Issued Profiles", + "description": "Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles. " + }, + { + "source": "scf", + "id": "scf:iac-03.4", + "id_raw": "IAC-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 497, + "title": "Disassociability", + "description": "Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties." + }, + { + "source": "scf", + "id": "scf:iac-03.5", + "id_raw": "IAC-03.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 498, + "title": "Acceptance of External Authenticators", + "description": "Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators." + }, + { + "source": "scf", + "id": "scf:iac-04", + "id_raw": "IAC-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 499, + "title": "Identification & Authentication for Devices", + "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Kerberos" + }, + { + "source": "scf", + "id": "scf:iac-04.1", + "id_raw": "IAC-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 500, + "title": "Device Attestation", + "description": "Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process." 
+ }, + { + "source": "scf", + "id": "scf:iac-05", + "id_raw": "IAC-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 501, + "title": "Identification & Authentication for Third Party Systems & Services", + "description": "Mechanisms exist to identify and authenticate third-party systems and services." + }, + { + "source": "scf", + "id": "scf:iac-05.1", + "id_raw": "IAC-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 502, + "title": "Sharing Identification & Authentication Information", + "description": "Mechanisms exist to ensure third-party service providers provide current and accurate information for any third-party user with access to the organization's data or assets." + }, + { + "source": "scf", + "id": "scf:iac-05.2", + "id_raw": "IAC-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 503, + "title": "Privileged Access by Non-Organizational Users", + "description": "Mechanisms exist to prohibit privileged access by non-organizational users." + }, + { + "source": "scf", + "id": "scf:iac-06", + "id_raw": "IAC-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 504, + "title": "Multi-Factor Authentication (MFA)", + "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)" + }, + { + "source": "scf", + "id": "scf:iac-06.1", + "id_raw": "IAC-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 505, + "title": "Network Access to Privileged Accounts", + "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts. 
\n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)" + }, + { + "source": "scf", + "id": "scf:iac-06.2", + "id_raw": "IAC-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 506, + "title": "Network Access to Non-Privileged Accounts ", + "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts. \n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)" + }, + { + "source": "scf", + "id": "scf:iac-06.3", + "id_raw": "IAC-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 507, + "title": "Local Access to Privileged Accounts ", + "description": "Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts. \n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)" + }, + { + "source": "scf", + "id": "scf:iac-06.4", + "id_raw": "IAC-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 508, + "title": "Out-of-Band Multi-Factor Authentication ", + "description": "Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access. " + }, + { + "source": "scf", + "id": "scf:iac-07", + "id_raw": "IAC-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 509, + "title": "User Provisioning & De-Provisioning ", + "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights. 
" + }, + { + "source": "scf", + "id": "scf:iac-07.1", + "id_raw": "IAC-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 510, + "title": "Change of Roles & Duties", + "description": "Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted. " + }, + { + "source": "scf", + "id": "scf:iac-07.2", + "id_raw": "IAC-07.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 511, + "title": "Termination of Employment", + "description": "Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract." + }, + { + "source": "scf", + "id": "scf:iac-08", + "id_raw": "IAC-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 512, + "title": "Role-Based Access Control (RBAC) ", + "description": "Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access.\n\nMethods To Comply With SCF Controls:\n- Role-Based Access Control (RBAC)\n" + }, + { + "source": "scf", + "id": "scf:iac-09", + "id_raw": "IAC-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 513, + "title": "Identifier Management (User Names)", + "description": "Mechanisms exist to govern naming standards for usernames and systems." + }, + { + "source": "scf", + "id": "scf:iac-09.1", + "id_raw": "IAC-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 514, + "title": "User Identity (ID) Management ", + "description": "Mechanisms exist to ensure proper user identification management for non-consumer users and administrators. " + }, + { + "source": "scf", + "id": "scf:iac-09.2", + "id_raw": "IAC-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 515, + "title": "Identity User Status", + "description": "Mechanisms exist to identify contractor and other third-party users through unique username characteristics. 
" + }, + { + "source": "scf", + "id": "scf:iac-09.3", + "id_raw": "IAC-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 516, + "title": "Dynamic Management", + "description": "Mechanisms exist to dynamically manage usernames and system identifiers. \n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD)" + }, + { + "source": "scf", + "id": "scf:iac-09.4", + "id_raw": "IAC-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 517, + "title": "Cross-Organization Management", + "description": "Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers. " + }, + { + "source": "scf", + "id": "scf:iac-09.5", + "id_raw": "IAC-09.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 518, + "title": "Privileged Account Identifiers", + "description": "Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service." + }, + { + "source": "scf", + "id": "scf:iac-09.6", + "id_raw": "IAC-09.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 519, + "title": "Pairwise Pseudonymous Identifiers (PPID)", + "description": "Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject." + }, + { + "source": "scf", + "id": "scf:iac-10", + "id_raw": "IAC-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 520, + "title": "Authenticator Management", + "description": "Mechanisms exist to securely manage authenticators for users and devices." + }, + { + "source": "scf", + "id": "scf:iac-10.1", + "id_raw": "IAC-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 521, + "title": "Password-Based Authentication ", + "description": "Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication." 
+ }, + { + "source": "scf", + "id": "scf:iac-10.2", + "id_raw": "IAC-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 522, + "title": "PKI-Based Authentication", + "description": "Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication." + }, + { + "source": "scf", + "id": "scf:iac-10.3", + "id_raw": "IAC-10.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 523, + "title": "In-Person or Trusted Third-Party Registration", + "description": "Mechanisms exist to conduct in-person or trusted third-party identify verification before user accounts for third-parties are created." + }, + { + "source": "scf", + "id": "scf:iac-10.4", + "id_raw": "IAC-10.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 524, + "title": "Automated Support For Password Strength", + "description": "Automated mechanisms exist to determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements. " + }, + { + "source": "scf", + "id": "scf:iac-10.5", + "id_raw": "IAC-10.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 525, + "title": "Protection of Authenticators", + "description": "Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access. " + }, + { + "source": "scf", + "id": "scf:iac-10.6", + "id_raw": "IAC-10.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 526, + "title": "No Embedded Unencrypted Static Authenticators", + "description": "Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys. 
" + }, + { + "source": "scf", + "id": "scf:iac-10.7", + "id_raw": "IAC-10.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 527, + "title": "Hardware Token-Based Authentication", + "description": "Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.\n\nMethods To Comply With SCF Controls:\n- Tokens are sufficiently encrypted or do not reveal credentials or passwords within the token." + }, + { + "source": "scf", + "id": "scf:iac-10.8", + "id_raw": "IAC-10.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 528, + "title": "Vendor-Supplied Defaults", + "description": "Mechanisms exist to ensure vendor-supplied defaults are changed as part of the installation process.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:iac-10.9", + "id_raw": "IAC-10.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 529, + "title": "Multiple Information System Accounts", + "description": "Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems." + }, + { + "source": "scf", + "id": "scf:iac-10.10", + "id_raw": "IAC-10.10", + "tier_raw": "Controls", + "tier": 1, + "seq": 530, + "title": "Expiration of Cached Authenticators", + "description": "Automated mechanisms exist to prohibit the use of cached authenticators after organization-defined time period." + }, + { + "source": "scf", + "id": "scf:iac-10.11", + "id_raw": "IAC-10.11", + "tier_raw": "Controls", + "tier": 1, + "seq": 531, + "title": "Password Managers", + "description": "Mechanisms exist to protect and store passwords via a password manager tool." 
+ }, + { + "source": "scf", + "id": "scf:iac-10.12", + "id_raw": "IAC-10.12", + "tier_raw": "Controls", + "tier": 1, + "seq": 532, + "title": "Biometric Authentication", + "description": "Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives." + }, + { + "source": "scf", + "id": "scf:iac-11", + "id_raw": "IAC-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 533, + "title": "Authenticator Feedback", + "description": "Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. " + }, + { + "source": "scf", + "id": "scf:iac-12", + "id_raw": "IAC-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 534, + "title": "Cryptographic Module Authentication ", + "description": "Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.\n\nMethods To Comply With SCF Controls:\n- FIPS 140-2" + }, + { + "source": "scf", + "id": "scf:iac-12.1", + "id_raw": "IAC-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 535, + "title": "Hardware Security Modules (HSM)", + "description": "Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies. " + }, + { + "source": "scf", + "id": "scf:iac-13", + "id_raw": "IAC-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 536, + "title": "Adaptive Identification & Authentication ", + "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations." 
+ }, + { + "source": "scf", + "id": "scf:iac-13.1", + "id_raw": "IAC-13.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 537, + "title": "Single Sign-On (SSO)", + "description": "Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services." + }, + { + "source": "scf", + "id": "scf:iac-13.2", + "id_raw": "IAC-13.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 538, + "title": "Federated Credential Management", + "description": "Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices." + }, + { + "source": "scf", + "id": "scf:iac-14", + "id_raw": "IAC-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 539, + "title": "Re-Authentication ", + "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication. " + }, + { + "source": "scf", + "id": "scf:iac-15", + "id_raw": "IAC-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 540, + "title": "Account Management ", + "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.\n\nMethods To Comply With SCF Controls:\n- Service accounts prohibit interactive login - users cannot log into systems with those accounts." + }, + { + "source": "scf", + "id": "scf:iac-15.1", + "id_raw": "IAC-15.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 541, + "title": "Automated System Account Management ", + "description": "Automated mechanisms exist to support the management of system accounts. \n\nMethods To Comply With SCF Controls:\n- Service accounts prohibit interactive login - users cannot log into systems with those accounts." 
+ }, + { + "source": "scf", + "id": "scf:iac-15.2", + "id_raw": "IAC-15.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 542, + "title": "Removal of Temporary / Emergency Accounts", + "description": "Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account. " + }, + { + "source": "scf", + "id": "scf:iac-15.3", + "id_raw": "IAC-15.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 543, + "title": "Disable Inactive Accounts", + "description": "Automated mechanisms exist to disable inactive accounts after an organization-defined time period. " + }, + { + "source": "scf", + "id": "scf:iac-15.4", + "id_raw": "IAC-15.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 544, + "title": "Automated Audit Actions", + "description": "Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles. " + }, + { + "source": "scf", + "id": "scf:iac-15.5", + "id_raw": "IAC-15.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 545, + "title": "Restrictions on Shared Groups / Accounts", + "description": "Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions." + }, + { + "source": "scf", + "id": "scf:iac-15.6", + "id_raw": "IAC-15.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 546, + "title": "Account Disabling for High Risk Individuals", + "description": "Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization." + }, + { + "source": "scf", + "id": "scf:iac-15.7", + "id_raw": "IAC-15.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 547, + "title": "System Accounts", + "description": "Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner. 
" + }, + { + "source": "scf", + "id": "scf:iac-15.8", + "id_raw": "IAC-15.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 548, + "title": "Usage Conditions", + "description": "Automated mechanisms exist to enforce usage conditions for users and/or roles." + }, + { + "source": "scf", + "id": "scf:iac-15.9", + "id_raw": "IAC-15.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 549, + "title": "Emergency Accounts", + "description": "Mechanisms exist to establish and control \"emergency access only\" accounts." + }, + { + "source": "scf", + "id": "scf:iac-16", + "id_raw": "IAC-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 550, + "title": "Privileged Account Management (PAM) ", + "description": "Mechanisms exist to restrict and control privileged access rights for users and services." + }, + { + "source": "scf", + "id": "scf:iac-16.1", + "id_raw": "IAC-16.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 551, + "title": "Privileged Account Inventories ", + "description": "Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management. " + }, + { + "source": "scf", + "id": "scf:iac-16.2", + "id_raw": "IAC-16.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 552, + "title": "Privileged Account Separation ", + "description": "Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments." + }, + { + "source": "scf", + "id": "scf:iac-17", + "id_raw": "IAC-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 553, + "title": "Periodic Review of Account Privileges", + "description": "Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary." 
+ }, + { + "source": "scf", + "id": "scf:iac-18", + "id_raw": "IAC-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 554, + "title": "User Responsibilities for Account Management", + "description": "Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.). \n\nMethods To Comply With SCF Controls:\n- Employment contract\n- Rules of Behavior\n- Formalized password policy" + }, + { + "source": "scf", + "id": "scf:iac-19", + "id_raw": "IAC-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 555, + "title": "Credential Sharing ", + "description": "Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods." + }, + { + "source": "scf", + "id": "scf:iac-20", + "id_raw": "IAC-20", + "tier_raw": "Controls", + "tier": 1, + "seq": 556, + "title": "Access Enforcement", + "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"" + }, + { + "source": "scf", + "id": "scf:iac-20.1", + "id_raw": "IAC-20.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 557, + "title": "Access To Sensitive Data", + "description": "Mechanisms exist to limit access to sensitive data to only those individuals whose job requires such access. " + }, + { + "source": "scf", + "id": "scf:iac-20.2", + "id_raw": "IAC-20.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 558, + "title": "Database Access", + "description": "Mechanisms exist to restrict access to database containing sensitive data to only necessary services or those individuals whose job requires such access. 
" + }, + { + "source": "scf", + "id": "scf:iac-20.3", + "id_raw": "IAC-20.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 559, + "title": "Use of Privileged Utility Programs", + "description": "Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls." + }, + { + "source": "scf", + "id": "scf:iac-20.4", + "id_raw": "IAC-20.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 560, + "title": "Dedicated Administrative Machines", + "description": "Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.\n\nMethods To Comply With SCF Controls:\n- Jump hosts" + }, + { + "source": "scf", + "id": "scf:iac-20.5", + "id_raw": "IAC-20.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 561, + "title": "Dual Authorization for Privileged Commands", + "description": "Automated mechanisms exist to enforce dual authorization for privileged commands." + }, + { + "source": "scf", + "id": "scf:iac-20.6", + "id_raw": "IAC-20.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 562, + "title": "Revocation of Access Authorizations", + "description": "Mechanisms exist to revoke logical and physical access authorizations." + }, + { + "source": "scf", + "id": "scf:iac-21", + "id_raw": "IAC-21", + "tier_raw": "Controls", + "tier": 1, + "seq": 563, + "title": "Least Privilege ", + "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions. " + }, + { + "source": "scf", + "id": "scf:iac-21.1", + "id_raw": "IAC-21.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 564, + "title": "Authorize Access to Security Functions ", + "description": "Mechanisms exist to limit access to security functions to explicitly-authorized privileged users." 
+ }, + { + "source": "scf", + "id": "scf:iac-21.2", + "id_raw": "IAC-21.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 565, + "title": "Non-Privileged Access for Non-Security Functions ", + "description": "Mechanisms exist to prohibit privileged users from using privileged accounts, while performing non-security functions. " + }, + { + "source": "scf", + "id": "scf:iac-21.3", + "id_raw": "IAC-21.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 566, + "title": "Privileged Accounts ", + "description": "Mechanisms exist to restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval." + }, + { + "source": "scf", + "id": "scf:iac-21.4", + "id_raw": "IAC-21.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 567, + "title": "Auditing Use of Privileged Functions ", + "description": "Mechanisms exist to audit the execution of privileged functions. " + }, + { + "source": "scf", + "id": "scf:iac-21.5", + "id_raw": "IAC-21.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 568, + "title": "Prohibit Non-Privileged Users from Executing Privileged Functions ", + "description": "Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures. " + }, + { + "source": "scf", + "id": "scf:iac-21.6", + "id_raw": "IAC-21.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 569, + "title": "Network Access to Privileged Commands", + "description": "Mechanisms exist to authorize remote access to perform privileged commands on critical systems or where sensitive data is stored, transmitted and/or processed only for compelling operational needs." 
+ }, + { + "source": "scf", + "id": "scf:iac-21.7", + "id_raw": "IAC-21.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 570, + "title": "Privilege Levels for Code Execution", + "description": "Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges. " + }, + { + "source": "scf", + "id": "scf:iac-22", + "id_raw": "IAC-22", + "tier_raw": "Controls", + "tier": 1, + "seq": 571, + "title": "Account Lockout ", + "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded." + }, + { + "source": "scf", + "id": "scf:iac-23", + "id_raw": "IAC-23", + "tier_raw": "Controls", + "tier": 1, + "seq": 572, + "title": "Concurrent Session Control", + "description": "Mechanisms exist to limit the number of concurrent sessions for each system account. " + }, + { + "source": "scf", + "id": "scf:iac-24", + "id_raw": "IAC-24", + "tier_raw": "Controls", + "tier": 1, + "seq": 573, + "title": "Session Lock ", + "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods." + }, + { + "source": "scf", + "id": "scf:iac-24.1", + "id_raw": "IAC-24.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 574, + "title": "Pattern-Hiding Displays ", + "description": "Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock. 
" + }, + { + "source": "scf", + "id": "scf:iac-25", + "id_raw": "IAC-25", + "tier_raw": "Controls", + "tier": 1, + "seq": 575, + "title": "Session Termination ", + "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity. " + }, + { + "source": "scf", + "id": "scf:iac-25.1", + "id_raw": "IAC-25.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 576, + "title": "User-Initiated Logouts / Message Displays", + "description": "Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session. " + }, + { + "source": "scf", + "id": "scf:iac-26", + "id_raw": "IAC-26", + "tier_raw": "Controls", + "tier": 1, + "seq": 577, + "title": "Permitted Actions Without Identification or Authorization", + "description": "Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication." + }, + { + "source": "scf", + "id": "scf:iac-27", + "id_raw": "IAC-27", + "tier_raw": "Controls", + "tier": 1, + "seq": 578, + "title": "Reference Monitor", + "description": "Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured." 
+ }, + { + "source": "scf", + "id": "scf:iac-28", + "id_raw": "IAC-28", + "tier_raw": "Controls", + "tier": 1, + "seq": 579, + "title": "Identity Proofing (Identity Verification)", + "description": "Mechanisms exist to verify the identity of a user before modifying any permissions or authentication factor.\n\nMethods To Comply With SCF Controls:\n- Professional references\n- Education / certification transcripts\n- Driver's license\n- Passport" + }, + { + "source": "scf", + "id": "scf:iac-28.1", + "id_raw": "IAC-28.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 580, + "title": "Management Approval For New or Changed Accounts", + "description": "Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to existing accounts." + }, + { + "source": "scf", + "id": "scf:iac-28.2", + "id_raw": "IAC-28.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 581, + "title": "Identity Evidence", + "description": "Mechanisms exist to require evidence of individual identification to be presented to the registration authority.\n\nMethods To Comply With SCF Controls:\n- Driver's license\n- Passport" + }, + { + "source": "scf", + "id": "scf:iac-28.3", + "id_raw": "IAC-28.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 582, + "title": "Identity Evidence Validation & Verification", + "description": "Mechanisms exist to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification.\n\nMethods To Comply With SCF Controls:\n- Employment verification\n- Credit check\n- Criminal history check\n- Education verification" + }, + { + "source": "scf", + "id": "scf:iac-28.4", + "id_raw": "IAC-28.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 583, + "title": "In-Person Validation & Verification", + "description": "Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration 
authority.\n\nMethods To Comply With SCF Controls:\n- In-person validation of government-issued photograph identification" + }, + { + "source": "scf", + "id": "scf:iac-28.5", + "id_raw": "IAC-28.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 584, + "title": "Address Confirmation", + "description": "Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital)." + }, + { + "source": "scf", + "id": "scf:iac-29", + "id_raw": "IAC-29", + "tier_raw": "Controls", + "tier": 1, + "seq": 585, + "title": "Attribute-Based Access Control (ABAC) ", + "description": "Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information.\n\nMethods To Comply With SCF Controls:\n- NIST Special Publication 800-162 " + }, + { + "source": "scf", + "id": "scf:iro-01", + "id_raw": "IRO-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 586, + "title": "Incident Response Operations", + "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents." + }, + { + "source": "scf", + "id": "scf:iro-02", + "id_raw": "IRO-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 587, + "title": "Incident Handling ", + "description": "Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.\n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management" + }, + { + "source": "scf", + "id": "scf:iro-02.1", + "id_raw": "IRO-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 588, + "title": "Automated Incident Handling Processes", + "description": "Automated mechanisms exist to support the incident handling process. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:iro-02.2", + "id_raw": "IRO-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 589, + "title": "Insider Threat Response Capability", + "description": "Mechanisms exist to implement and govern an insider threat program. " + }, + { + "source": "scf", + "id": "scf:iro-02.3", + "id_raw": "IRO-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 590, + "title": "Dynamic Reconfiguration", + "description": "Automated mechanisms exist to dynamically reconfigure information system components as part of the incident response capability. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:iro-02.4", + "id_raw": "IRO-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 591, + "title": "Continuity of Operations", + "description": "Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions." + }, + { + "source": "scf", + "id": "scf:iro-02.5", + "id_raw": "IRO-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 592, + "title": "Correlation with External Organizations", + "description": "Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses. " + }, + { + "source": "scf", + "id": "scf:iro-02.6", + "id_raw": "IRO-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 593, + "title": "Automatic Disabling of System", + "description": "Mechanisms exist to automatically disable systems, upon detection of a possible incident that meets organizational criteria, that allows for forensic analysis to be performed." 
+ }, + { + "source": "scf", + "id": "scf:iro-03", + "id_raw": "IRO-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 594, + "title": "Indicators of Compromise (IOC)", + "description": "Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.\n\nMethods To Comply With SCF Controls:\n- Indicators of Compromise (IoC)\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:iro-04", + "id_raw": "IRO-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 595, + "title": "Incident Response Plan (IRP) ", + "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.\n\nMethods To Comply With SCF Controls:\n- Incident Response Plan (IRP)\n- Hard copy of IRP" + }, + { + "source": "scf", + "id": "scf:iro-04.1", + "id_raw": "IRO-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 596, + "title": "Data Breach", + "description": "Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations. " + }, + { + "source": "scf", + "id": "scf:iro-04.2", + "id_raw": "IRO-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 597, + "title": "IRP Update", + "description": "Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary." 
+ }, + { + "source": "scf", + "id": "scf:iro-04.3", + "id_raw": "IRO-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 598, + "title": "Continuous Incident Response Improvements", + "description": "Mechanisms exist to use qualitative and quantitative data from incident response testing to: " + }, + { + "source": "scf", + "id": "scf:iro-05", + "id_raw": "IRO-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 599, + "title": "Incident Response Training ", + "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.\n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)" + }, + { + "source": "scf", + "id": "scf:iro-05.1", + "id_raw": "IRO-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 600, + "title": "Simulated Incidents", + "description": "Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations." + }, + { + "source": "scf", + "id": "scf:iro-05.2", + "id_raw": "IRO-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 601, + "title": "Automated Incident Response Training Environments", + "description": "Automated mechanisms exist to provide a more thorough and realistic incident response training environment." 
+ }, + { + "source": "scf", + "id": "scf:iro-06", + "id_raw": "IRO-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 602, + "title": "Incident Response Testing", + "description": "Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)\n- \"Table Top\" incident response exercises (rock drills)\n- \"Red team vs blue team\" exercises\n- EICAR test file antimalware detection and response exercises" + }, + { + "source": "scf", + "id": "scf:iro-06.1", + "id_raw": "IRO-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 603, + "title": "Coordination with Related Plans ", + "description": "Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans. " + }, + { + "source": "scf", + "id": "scf:iro-07", + "id_raw": "IRO-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 604, + "title": "Integrated Security Incident Response Team (ISIRT)", + "description": "Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.\n\nMethods To Comply With SCF Controls:\n- Full-time employees only" + }, + { + "source": "scf", + "id": "scf:iro-08", + "id_raw": "IRO-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 605, + "title": "Chain of Custody & Forensics", + "description": "Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.\n\nMethods To Comply With SCF Controls:\n- Chain of custody procedures\n- Encase\n- Forensic Tool Kit (FTK)" + }, + { + "source": "scf", + "id": "scf:iro-09", + "id_raw": "IRO-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 606, + "title": "Situational 
Awareness For Incidents", + "description": "Mechanisms exist to document, monitor and report the status of cybersecurity and privacy incidents to internal stakeholders all the way through the resolution of the incident.\n\nMethods To Comply With SCF Controls:\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)" + }, + { + "source": "scf", + "id": "scf:iro-09.1", + "id_raw": "IRO-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 607, + "title": "Automated Tracking, Data Collection & Analysis", + "description": "Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential security and privacy incidents.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)" + }, + { + "source": "scf", + "id": "scf:iro-10", + "id_raw": "IRO-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 608, + "title": "Incident Stakeholder Reporting ", + "description": "Mechanisms exist to timely-report incidents to applicable:" + }, + { + "source": "scf", + "id": "scf:iro-10.1", + "id_raw": "IRO-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 609, + "title": "Automated Reporting", + "description": "Automated mechanisms exist to assist in the reporting of security and privacy incidents.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)" + }, + { + "source": "scf", + "id": "scf:iro-10.2", + "id_raw": "IRO-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 610, + "title": "Cyber Incident Reporting for Sensitive Data", + "description": "Mechanisms exist to report sensitive data incidents in a timely manner." + }, + { + "source": "scf", + "id": "scf:iro-10.3", + "id_raw": "IRO-10.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 611, + "title": "Vulnerabilities Related To Incidents", + "description": "Mechanisms exist to report system vulnerabilities associated with reported security and privacy incidents to organization-defined personnel or roles." 
+ }, + { + "source": "scf", + "id": "scf:iro-10.4", + "id_raw": "IRO-10.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 612, + "title": "Supply Chain Coordination", + "description": "Mechanisms exist to provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident." + }, + { + "source": "scf", + "id": "scf:iro-11", + "id_raw": "IRO-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 613, + "title": "Incident Reporting Assistance ", + "description": "Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential security and privacy incidents. \n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management" + }, + { + "source": "scf", + "id": "scf:iro-11.1", + "id_raw": "IRO-11.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 614, + "title": "Automation Support of Availability of Information / Support ", + "description": "Automated mechanisms exist to increase the availability of incident response-related information and support. " + }, + { + "source": "scf", + "id": "scf:iro-11.2", + "id_raw": "IRO-11.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 615, + "title": "Coordination With External Providers", + "description": "Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers." + }, + { + "source": "scf", + "id": "scf:iro-12", + "id_raw": "IRO-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 616, + "title": "Information Spillage Response", + "description": "Mechanisms exist to respond to sensitive information spills." 
+ }, + { + "source": "scf", + "id": "scf:iro-12.1", + "id_raw": "IRO-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 617, + "title": "Responsible Personnel", + "description": "Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills. " + }, + { + "source": "scf", + "id": "scf:iro-12.2", + "id_raw": "IRO-12.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 618, + "title": "Training", + "description": "Mechanisms exist to ensure incident response training material provides coverage for sensitive information spillage response." + }, + { + "source": "scf", + "id": "scf:iro-12.3", + "id_raw": "IRO-12.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 619, + "title": "Post-Spill Operations", + "description": "Mechanisms exist to ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. " + }, + { + "source": "scf", + "id": "scf:iro-12.4", + "id_raw": "IRO-12.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 620, + "title": "Exposure to Unauthorized Personnel", + "description": "Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations. " + }, + { + "source": "scf", + "id": "scf:iro-13", + "id_raw": "IRO-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 621, + "title": "Root Cause Analysis (RCA) & Lessons Learned", + "description": "Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents. 
" + }, + { + "source": "scf", + "id": "scf:iro-14", + "id_raw": "IRO-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 622, + "title": "Regulatory & Law Enforcement Contacts ", + "description": "Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies. " + }, + { + "source": "scf", + "id": "scf:iro-15", + "id_raw": "IRO-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 623, + "title": "Detonation Chambers (Sandboxes)", + "description": "Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.\n\nMethods To Comply With SCF Controls:\n- Separate network with \"sacrificial\" systems where potential malware can be evaluated without impacting the production network." + }, + { + "source": "scf", + "id": "scf:iro-16", + "id_raw": "IRO-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 624, + "title": "Public Relations & Reputation Repair", + "description": "Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation." + }, + { + "source": "scf", + "id": "scf:iao-01", + "id_raw": "IAO-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 625, + "title": "Information Assurance (IA) Operations", + "description": "Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls. 
\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:iao-01.1", + "id_raw": "IAO-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 626, + "title": "Assessment Boundaries", + "description": "Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review." + }, + { + "source": "scf", + "id": "scf:iao-02", + "id_raw": "IAO-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 627, + "title": "Assessments ", + "description": "Mechanisms exist to formally assess the cybersecurity and privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) " + }, + { + "source": "scf", + "id": "scf:iao-02.1", + "id_raw": "IAO-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 628, + "title": "Assessor Independence", + "description": "Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity and privacy control assessments. 
\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:iao-02.2", + "id_raw": "IAO-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 629, + "title": "Specialized Assessments", + "description": "Mechanisms exist to conduct specialized assessments for: \n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:iao-02.3", + "id_raw": "IAO-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 630, + "title": "Third-Party Assessments", + "description": "Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations. \n\nMethods To Comply With SCF Controls:\n- Audit steering committee\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:iao-02.4", + "id_raw": "IAO-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 631, + "title": "Security Assessment Report (SAR)", + "description": "Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions." 
+ }, + { + "source": "scf", + "id": "scf:iao-03", + "id_raw": "IAO-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 632, + "title": "System Security & Privacy Plan (SSPP)", + "description": "Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:iao-03.1", + "id_raw": "IAO-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 633, + "title": "Plan / Coordinate with Other Organizational Entities", + "description": "Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations. \n\nMethods To Comply With SCF Controls:\n- Audit steering committee\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) " + }, + { + "source": "scf", + "id": "scf:iao-03.2", + "id_raw": "IAO-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 634, + "title": "Adequate Security for Sensitive / Regulated Data In Support of Contracts", + "description": "Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract. 
\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:iao-04", + "id_raw": "IAO-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 635, + "title": "Threat Analysis & Flaw Remediation During Development", + "description": "Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Security Test & Evaluation (ST&E)" + }, + { + "source": "scf", + "id": "scf:iao-05", + "id_raw": "IAO-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 636, + "title": "Plan of Action & Milestones (POA&M)", + "description": "Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Plan of Action & Milestones (POA&M)" + }, + { + "source": "scf", + "id": "scf:iao-05.1", + "id_raw": "IAO-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 637, + "title": "Plan of Action & Milestones (POA&M) Automation", + "description": "Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk & Compliance (GRC)" + }, + { + "source": "scf", + "id": "scf:iao-06", + "id_raw": "IAO-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 638, + "title": "Technical Verification", + "description": "Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, 
implementation and effectiveness of technical security and privacy controls.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) " + }, + { + "source": "scf", + "id": "scf:iao-07", + "id_raw": "IAO-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 639, + "title": "Security Authorization ", + "description": "Mechanisms exist to ensure systems, projects and services are officially authorized prior to \"go live\" in a production environment.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-01", + "id_raw": "MNT-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 640, + "title": "Maintenance Operations ", + "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise." + }, + { + "source": "scf", + "id": "scf:mnt-02", + "id_raw": "MNT-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 641, + "title": "Controlled Maintenance ", + "description": "Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-02.1", + "id_raw": "MNT-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 642, + "title": "Automated Maintenance Activities", + "description": "Automated mechanisms exist to schedule, conduct and document maintenance and repairs." + }, + { + "source": "scf", + "id": "scf:mnt-03", + "id_raw": "MNT-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 643, + "title": "Timely Maintenance", + "description": "Mechanisms exist to obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO)." 
+ }, + { + "source": "scf", + "id": "scf:mnt-03.1", + "id_raw": "MNT-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 644, + "title": "Preventative Maintenance", + "description": "Mechanisms exist to perform preventive maintenance on critical systems, applications and services." + }, + { + "source": "scf", + "id": "scf:mnt-03.2", + "id_raw": "MNT-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 645, + "title": "Predictive Maintenance", + "description": "Mechanisms exist to perform predictive maintenance on critical systems, applications and services." + }, + { + "source": "scf", + "id": "scf:mnt-03.3", + "id_raw": "MNT-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 646, + "title": "Automated Support For Predictive Maintenance", + "description": "Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system." + }, + { + "source": "scf", + "id": "scf:mnt-04", + "id_raw": "MNT-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 647, + "title": "Maintenance Tools", + "description": "Mechanisms exist to control and monitor the use of system maintenance tools. \n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-04.1", + "id_raw": "MNT-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 648, + "title": "Inspect Tools ", + "description": "Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. " + }, + { + "source": "scf", + "id": "scf:mnt-04.2", + "id_raw": "MNT-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 649, + "title": "Inspect Media ", + "description": "Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used. 
" + }, + { + "source": "scf", + "id": "scf:mnt-04.3", + "id_raw": "MNT-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 650, + "title": "Prevent Unauthorized Removal ", + "description": "Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that containing organizational information." + }, + { + "source": "scf", + "id": "scf:mnt-04.4", + "id_raw": "MNT-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 651, + "title": "Restrict Tool Usage", + "description": "Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles." + }, + { + "source": "scf", + "id": "scf:mnt-05", + "id_raw": "MNT-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 652, + "title": "Remote Maintenance", + "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities." + }, + { + "source": "scf", + "id": "scf:mnt-05.1", + "id_raw": "MNT-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 653, + "title": "Auditing Remote Maintenance", + "description": "Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions. " + }, + { + "source": "scf", + "id": "scf:mnt-05.2", + "id_raw": "MNT-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 654, + "title": "Remote Maintenance Notifications", + "description": "Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)." + }, + { + "source": "scf", + "id": "scf:mnt-05.3", + "id_raw": "MNT-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 655, + "title": "Remote Maintenance Cryptographic Protection", + "description": "Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications. 
" + }, + { + "source": "scf", + "id": "scf:mnt-05.4", + "id_raw": "MNT-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 656, + "title": "Remote Maintenance Disconnect Verification", + "description": "Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated." + }, + { + "source": "scf", + "id": "scf:mnt-05.5", + "id_raw": "MNT-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 657, + "title": "Remote Maintenance Pre-Approval", + "description": "Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-05.6", + "id_raw": "MNT-05.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 658, + "title": "Remote Maintenance Comparable Security & Sanitization", + "description": "Mechanisms exist to require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced." + }, + { + "source": "scf", + "id": "scf:mnt-05.7", + "id_raw": "MNT-05.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 659, + "title": "Separation of Maintenance Sessions", + "description": "Mechanisms exist to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions." 
+ }, + { + "source": "scf", + "id": "scf:mnt-06", + "id_raw": "MNT-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 660, + "title": "Authorized Maintenance Personnel", + "description": "Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-06.1", + "id_raw": "MNT-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 661, + "title": "Maintenance Personnel Without Appropriate Access ", + "description": "Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:mnt-06.2", + "id_raw": "MNT-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 662, + "title": "Non-System Related Maintenance", + "description": "Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations." + }, + { + "source": "scf", + "id": "scf:mnt-07", + "id_raw": "MNT-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 663, + "title": "Maintain Configuration Control During Maintenance", + "description": "Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair." + }, + { + "source": "scf", + "id": "scf:mnt-08", + "id_raw": "MNT-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 664, + "title": "Field Maintenance", + "description": "Mechanisms exist to securely conduct field maintenance on geographically deployed assets." 
+ }, + { + "source": "scf", + "id": "scf:mnt-09", + "id_raw": "MNT-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 665, + "title": "Off-Site Maintenance", + "description": "Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site." + }, + { + "source": "scf", + "id": "scf:mnt-10", + "id_raw": "MNT-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 666, + "title": "Maintenance Validation", + "description": "Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational." + }, + { + "source": "scf", + "id": "scf:mnt-11", + "id_raw": "MNT-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 667, + "title": "Maintenance Monitoring", + "description": "Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates." + }, + { + "source": "scf", + "id": "scf:mdm-01", + "id_raw": "MDM-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 668, + "title": "Centralized Management Of Mobile Devices ", + "description": "Mechanisms exist to develop, govern & update procedures to facilitate the implementation of mobile device management controls." + }, + { + "source": "scf", + "id": "scf:mdm-02", + "id_raw": "MDM-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 669, + "title": "Access Control For Mobile Devices", + "description": "Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems. 
" + }, + { + "source": "scf", + "id": "scf:mdm-03", + "id_raw": "MDM-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 670, + "title": "Full Device & Container-Based Encryption ", + "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption." + }, + { + "source": "scf", + "id": "scf:mdm-04", + "id_raw": "MDM-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 671, + "title": "Mobile Device Tampering", + "description": "Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization’s network." + }, + { + "source": "scf", + "id": "scf:mdm-05", + "id_raw": "MDM-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 672, + "title": "Remote Purging", + "description": "Mechanisms exist to remotely purge selected information from mobile devices. " + }, + { + "source": "scf", + "id": "scf:mdm-06", + "id_raw": "MDM-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 673, + "title": "Personally-Owned Mobile Devices ", + "description": "Mechanisms exist to restrict the connection of personally-owned, mobile devices to organizational systems and networks. " + }, + { + "source": "scf", + "id": "scf:mdm-07", + "id_raw": "MDM-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 674, + "title": "Organization-Owned Mobile Devices ", + "description": "Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store." + }, + { + "source": "scf", + "id": "scf:mdm-08", + "id_raw": "MDM-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 675, + "title": "Mobile Device Data Retention Limitations", + "description": "Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe." 
+ }, + { + "source": "scf", + "id": "scf:mdm-09", + "id_raw": "MDM-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 676, + "title": "Mobile Device Geofencing", + "description": "Mechanisms exist to restrict the functionality of mobile devices based on geographic location." + }, + { + "source": "scf", + "id": "scf:mdm-10", + "id_raw": "MDM-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 677, + "title": "Separate Mobile Device Profiles", + "description": "Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data. " + }, + { + "source": "scf", + "id": "scf:mdm-11", + "id_raw": "MDM-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 678, + "title": "Restricting Access To Authorized Devices", + "description": "Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services." + }, + { + "source": "scf", + "id": "scf:net-01", + "id_raw": "NET-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 679, + "title": "Network Security Controls (NSC)", + "description": "Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:net-01.1", + "id_raw": "NET-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 680, + "title": "Zero Trust Architecture (ZTA)", + "description": "Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized." 
+ }, + { + "source": "scf", + "id": "scf:net-02", + "id_raw": "NET-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 681, + "title": "Layered Network Defenses ", + "description": "Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. " + }, + { + "source": "scf", + "id": "scf:net-02.1", + "id_raw": "NET-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 682, + "title": "Denial of Service (DoS) Protection", + "description": "Automated mechanisms exist to protect against or limit the effects of denial of service attacks. " + }, + { + "source": "scf", + "id": "scf:net-02.2", + "id_raw": "NET-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 683, + "title": "Guest Networks", + "description": "Mechanisms exist to implement and manage a secure guest network. " + }, + { + "source": "scf", + "id": "scf:net-02.3", + "id_raw": "NET-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 684, + "title": "Cross Domain Solution (CDS)", + "description": "Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains." + }, + { + "source": "scf", + "id": "scf:net-03", + "id_raw": "NET-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 685, + "title": "Boundary Protection ", + "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network." + }, + { + "source": "scf", + "id": "scf:net-03.1", + "id_raw": "NET-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 686, + "title": "Limit Network Connections", + "description": "Mechanisms exist to limit the number of concurrent external network connections to its systems. 
" + }, + { + "source": "scf", + "id": "scf:net-03.2", + "id_raw": "NET-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 687, + "title": "External Telecommunications Services ", + "description": "Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.\n\nMethods To Comply With SCF Controls:\n- Outbound content filtering" + }, + { + "source": "scf", + "id": "scf:net-03.3", + "id_raw": "NET-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 688, + "title": "Prevent Discovery of Internal Information", + "description": "Mechanisms exist to prevent the public disclosure of internal network information. " + }, + { + "source": "scf", + "id": "scf:net-03.4", + "id_raw": "NET-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 689, + "title": "Personal Data (PD)", + "description": "Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)" + }, + { + "source": "scf", + "id": "scf:net-03.5", + "id_raw": "NET-03.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 690, + "title": "Prevent Unauthorized Exfiltration", + "description": "Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive data across managed interfaces. " + }, + { + "source": "scf", + "id": "scf:net-03.6", + "id_raw": "NET-03.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 691, + "title": "Dynamic Isolation & Segregation (Sandboxing)", + "description": "Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application. 
" + }, + { + "source": "scf", + "id": "scf:net-03.7", + "id_raw": "NET-03.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 692, + "title": "Isolation of Information System Components", + "description": "Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions. " + }, + { + "source": "scf", + "id": "scf:net-03.8", + "id_raw": "NET-03.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 693, + "title": "Separate Subnet for Connecting to Different Security Domains", + "description": "Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains." + }, + { + "source": "scf", + "id": "scf:net-04", + "id_raw": "NET-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 694, + "title": "Data Flow Enforcement – Access Control Lists (ACLs)", + "description": "Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:net-04.1", + "id_raw": "NET-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 695, + "title": "Deny Traffic by Default & Allow Traffic by Exception", + "description": "Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). 
" + }, + { + "source": "scf", + "id": "scf:net-04.2", + "id_raw": "NET-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 696, + "title": "Object Security Attributes ", + "description": "Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions. \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:net-04.3", + "id_raw": "NET-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 697, + "title": "Content Check for Encrypted Data", + "description": "Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms. " + }, + { + "source": "scf", + "id": "scf:net-04.4", + "id_raw": "NET-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 698, + "title": "Embedded Data Types", + "description": "Mechanisms exist to enforce limitations on embedding data within other data types. \n\nMethods To Comply With SCF Controls:\n- Prevent exfiltration through steganography" + }, + { + "source": "scf", + "id": "scf:net-04.5", + "id_raw": "NET-04.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 699, + "title": "Metadata ", + "description": "Mechanisms exist to enforce information flow controls based on metadata. " + }, + { + "source": "scf", + "id": "scf:net-04.6", + "id_raw": "NET-04.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 700, + "title": "Human Reviews", + "description": "Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis. " + }, + { + "source": "scf", + "id": "scf:net-04.7", + "id_raw": "NET-04.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 701, + "title": "Security Policy Filters", + "description": "Automated mechanisms exist to enforce information flow control using security policy filters as a basis for flow control decisions." 
+ }, + { + "source": "scf", + "id": "scf:net-04.8", + "id_raw": "NET-04.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 702, + "title": "Data Type Identifiers", + "description": "Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains." + }, + { + "source": "scf", + "id": "scf:net-04.9", + "id_raw": "NET-04.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 703, + "title": "Decomposition Into Policy-Related Subcomponents", + "description": "Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains." + }, + { + "source": "scf", + "id": "scf:net-04.10", + "id_raw": "NET-04.10", + "tier_raw": "Controls", + "tier": 1, + "seq": 704, + "title": "Detection of Unsanctioned Information", + "description": "Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains." + }, + { + "source": "scf", + "id": "scf:net-04.11", + "id_raw": "NET-04.11", + "tier_raw": "Controls", + "tier": 1, + "seq": 705, + "title": "Approved Solutions", + "description": "Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibits the transfer of such information, when transferring information between different security domains." + }, + { + "source": "scf", + "id": "scf:net-04.12", + "id_raw": "NET-04.12", + "tier_raw": "Controls", + "tier": 1, + "seq": 706, + "title": "Cross Domain Authentication", + "description": "Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer." 
+ }, + { + "source": "scf", + "id": "scf:net-04.13", + "id_raw": "NET-04.13", + "tier_raw": "Controls", + "tier": 1, + "seq": 707, + "title": "Metadata Validation", + "description": "Automated mechanisms exist to apply security and/or privacy filters on metadata." + }, + { + "source": "scf", + "id": "scf:net-05", + "id_raw": "NET-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 708, + "title": "System Interconnections", + "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, security and privacy requirements and the nature of the information communicated.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management" + }, + { + "source": "scf", + "id": "scf:net-05.1", + "id_raw": "NET-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 709, + "title": "External System Connections", + "description": "Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device. " + }, + { + "source": "scf", + "id": "scf:net-05.2", + "id_raw": "NET-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 710, + "title": "Internal System Connections", + "description": "Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated." 
+ }, + { + "source": "scf", + "id": "scf:net-06", + "id_raw": "NET-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 711, + "title": "Network Segmentation", + "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate systems, applications and services that protections from other network resources.\n\nMethods To Comply With SCF Controls:\n- Subnetting\n- VLANs" + }, + { + "source": "scf", + "id": "scf:net-06.1", + "id_raw": "NET-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 712, + "title": "Security Management Subnets", + "description": "Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system. " + }, + { + "source": "scf", + "id": "scf:net-06.2", + "id_raw": "NET-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 713, + "title": "Virtual Local Area Network (VLAN) Separation", + "description": "Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems. \n\nMethods To Comply With SCF Controls:\n- Virtual Local Area Network (VLAN)" + }, + { + "source": "scf", + "id": "scf:net-06.3", + "id_raw": "NET-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 714, + "title": "Sensitive / Regulated Data Enclave (Secure Zone)", + "description": "Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones). 
" + }, + { + "source": "scf", + "id": "scf:net-06.4", + "id_raw": "NET-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 715, + "title": "Segregation From Enterprise Services", + "description": "Mechanisms exist to isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments." + }, + { + "source": "scf", + "id": "scf:net-06.5", + "id_raw": "NET-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 716, + "title": "Direct Internet Access Restrictions", + "description": "Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones)." + }, + { + "source": "scf", + "id": "scf:net-07", + "id_raw": "NET-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 717, + "title": "Remote Session Termination", + "description": "Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity. " + }, + { + "source": "scf", + "id": "scf:net-08", + "id_raw": "NET-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 718, + "title": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)", + "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network. 
" + }, + { + "source": "scf", + "id": "scf:net-08.1", + "id_raw": "NET-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 719, + "title": "DMZ Networks", + "description": "Mechanisms exist to require De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.\n\nMethods To Comply With SCF Controls:\n- Architectural review board\n- System Security Plan (SSP)" + }, + { + "source": "scf", + "id": "scf:net-08.2", + "id_raw": "NET-08.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 720, + "title": "Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)", + "description": "Mechanisms exist to require wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies." + }, + { + "source": "scf", + "id": "scf:net-09", + "id_raw": "NET-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 721, + "title": "Session Integrity ", + "description": "Mechanisms exist to protect the authenticity and integrity of communications sessions. \n\nMethods To Comply With SCF Controls:\n- PKI for non-repudiation" + }, + { + "source": "scf", + "id": "scf:net-09.1", + "id_raw": "NET-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 722, + "title": "Invalidate Session Identifiers at Logout", + "description": "Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination. " + }, + { + "source": "scf", + "id": "scf:net-09.2", + "id_raw": "NET-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 723, + "title": "Unique System-Generated Session Identifiers", + "description": "Automated mechanisms exist to generate and recognize unique session identifiers for each session." 
+ }, + { + "source": "scf", + "id": "scf:net-10", + "id_raw": "NET-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 724, + "title": "Domain Name Service (DNS) Resolution ", + "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution." + }, + { + "source": "scf", + "id": "scf:net-10.1", + "id_raw": "NET-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 725, + "title": "Architecture & Provisioning for Name / Address Resolution Service", + "description": "Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service for are fault-tolerant and implement internal/external role separation. " + }, + { + "source": "scf", + "id": "scf:net-10.2", + "id_raw": "NET-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 726, + "title": "Secure Name / Address Resolution Service (Recursive or Caching Resolver)", + "description": "Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems. " + }, + { + "source": "scf", + "id": "scf:net-10.3", + "id_raw": "NET-10.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 727, + "title": "Sender Policy Framework (SPF)", + "description": "Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain." 
+ }, + { + "source": "scf", + "id": "scf:net-10.4", + "id_raw": "NET-10.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 728, + "title": "Domain Registrar Security", + "description": "Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details." + }, + { + "source": "scf", + "id": "scf:net-11", + "id_raw": "NET-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 729, + "title": "Out-of-Band Channels ", + "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals. \n\nMethods To Comply With SCF Controls:\n- Signature delivery (courier service)" + }, + { + "source": "scf", + "id": "scf:net-12", + "id_raw": "NET-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 730, + "title": "Safeguarding Data Over Open Networks ", + "description": "Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks. " + }, + { + "source": "scf", + "id": "scf:net-12.1", + "id_raw": "NET-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 731, + "title": "Wireless Link Protection", + "description": "Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered." + }, + { + "source": "scf", + "id": "scf:net-12.2", + "id_raw": "NET-12.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 732, + "title": "End-User Messaging Technologies", + "description": "Mechanisms exist to prohibit the transmission of unprotected sensitive data by end-user messaging technologies. 
\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Data Loss Prevention (DLP)" + }, + { + "source": "scf", + "id": "scf:net-13", + "id_raw": "NET-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 733, + "title": "Electronic Messaging", + "description": "Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications." + }, + { + "source": "scf", + "id": "scf:net-14", + "id_raw": "NET-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 734, + "title": "Remote Access ", + "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods." + }, + { + "source": "scf", + "id": "scf:net-14.1", + "id_raw": "NET-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 735, + "title": "Automated Monitoring & Control ", + "description": "Automated mechanisms exist to monitor and control remote access sessions. " + }, + { + "source": "scf", + "id": "scf:net-14.2", + "id_raw": "NET-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 736, + "title": "Protection of Confidentiality / Integrity Using Encryption", + "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN). " + }, + { + "source": "scf", + "id": "scf:net-14.3", + "id_raw": "NET-14.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 737, + "title": "Managed Access Control Points", + "description": "Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator)." + }, + { + "source": "scf", + "id": "scf:net-14.4", + "id_raw": "NET-14.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 738, + "title": "Remote Privileged Commands & Sensitive Data Access", + "description": "Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs. 
" + }, + { + "source": "scf", + "id": "scf:net-14.5", + "id_raw": "NET-14.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 739, + "title": "Work From Anywhere (WFA) - Telecommuting Security", + "description": "Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers. " + }, + { + "source": "scf", + "id": "scf:net-14.6", + "id_raw": "NET-14.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 740, + "title": "Third-Party Remote Access Governance", + "description": "Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access." + }, + { + "source": "scf", + "id": "scf:net-14.7", + "id_raw": "NET-14.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 741, + "title": "Endpoint Security Validation ", + "description": "Mechanisms exist to validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:net-14.8", + "id_raw": "NET-14.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 742, + "title": "Expeditious Disconnect / Disable Capability ", + "description": "Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session." + }, + { + "source": "scf", + "id": "scf:net-15", + "id_raw": "NET-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 743, + "title": "Wireless Networking ", + "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access." 
+ }, + { + "source": "scf", + "id": "scf:net-15.1", + "id_raw": "NET-15.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 744, + "title": "Authentication & Encryption", + "description": "Mechanisms exist to exist to protect wireless access through authentication and strong encryption. " + }, + { + "source": "scf", + "id": "scf:net-15.2", + "id_raw": "NET-15.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 745, + "title": "Disable Wireless Networking", + "description": "Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users. " + }, + { + "source": "scf", + "id": "scf:net-15.3", + "id_raw": "NET-15.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 746, + "title": "Restrict Configuration By Users", + "description": "Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities. " + }, + { + "source": "scf", + "id": "scf:net-15.4", + "id_raw": "NET-15.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 747, + "title": "Wireless Boundaries", + "description": "Mechanisms exist to confine wireless communications to organization-controlled boundaries. " + }, + { + "source": "scf", + "id": "scf:net-15.5", + "id_raw": "NET-15.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 748, + "title": "Rogue Wireless Detection", + "description": "Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies). 
" + }, + { + "source": "scf", + "id": "scf:net-16", + "id_raw": "NET-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 749, + "title": "Intranets", + "description": "Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: " + }, + { + "source": "scf", + "id": "scf:net-17", + "id_raw": "NET-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 750, + "title": "Data Loss Prevention (DLP) ", + "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.\n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)" + }, + { + "source": "scf", + "id": "scf:net-18", + "id_raw": "NET-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 751, + "title": "DNS & Content Filtering ", + "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites." + }, + { + "source": "scf", + "id": "scf:net-18.1", + "id_raw": "NET-18.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 752, + "title": "Route Traffic to Proxy Servers", + "description": "Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces. " + }, + { + "source": "scf", + "id": "scf:net-18.2", + "id_raw": "NET-18.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 753, + "title": "Visibility of Encrypted Communications", + "description": "Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms." 
+ }, + { + "source": "scf", + "id": "scf:net-18.3", + "id_raw": "NET-18.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 754, + "title": "Route Privileged Network Access", + "description": "Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing." + }, + { + "source": "scf", + "id": "scf:pes-01", + "id_raw": "PES-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 755, + "title": "Physical & Environmental Protections", + "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls. " + }, + { + "source": "scf", + "id": "scf:pes-01.1", + "id_raw": "PES-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 756, + "title": "Site Security Plan (SitePlan)", + "description": "Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats." + }, + { + "source": "scf", + "id": "scf:pes-02", + "id_raw": "PES-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 757, + "title": "Physical Access Authorizations ", + "description": "Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)." + }, + { + "source": "scf", + "id": "scf:pes-02.1", + "id_raw": "PES-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 758, + "title": "Role-Based Physical Access", + "description": "Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual." 
+ }, + { + "source": "scf", + "id": "scf:pes-02.2", + "id_raw": "PES-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 759, + "title": "Dual Authorization for Physical Access", + "description": "Mechanisms exist to enforce a \"two-person rule\" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.)." + }, + { + "source": "scf", + "id": "scf:pes-03", + "id_raw": "PES-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 760, + "title": "Physical Access Control ", + "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).\n\nMethods To Comply With SCF Controls:\n- Security guards\n- Verify individual access authorizations before granting access to the facility.\n- Control entry to the facility containing the system using physical access devices and/or guards.\n- Control access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk.\n- Secure keys, combinations and other physical access devices.\n- Change combinations and keys and when keys are lost, combinations are compromised or individuals are transferred or terminated." + }, + { + "source": "scf", + "id": "scf:pes-03.1", + "id_raw": "PES-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 761, + "title": "Controlled Ingress & Egress Points", + "description": "Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points." 
+ }, + { + "source": "scf", + "id": "scf:pes-03.2", + "id_raw": "PES-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 762, + "title": "Lockable Physical Casings", + "description": "Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings). \n\nMethods To Comply With SCF Controls:\n- CCTV\n- Lockable server/network racks\n- Logged access badges to access server rooms" + }, + { + "source": "scf", + "id": "scf:pes-03.3", + "id_raw": "PES-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 763, + "title": "Physical Access Logs ", + "description": "Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points.\n\nMethods To Comply With SCF Controls:\n- Visitor logbook\n- iLobby (https://goilobby.com/)\n- The Receptionist (https://thereceptionist.com/)\n- LobbyGuard (http://lobbyguard.com/)" + }, + { + "source": "scf", + "id": "scf:pes-03.4", + "id_raw": "PES-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 764, + "title": "Access To Information Systems", + "description": "Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive data, in addition to the physical access controls for the facility." + }, + { + "source": "scf", + "id": "scf:pes-04", + "id_raw": "PES-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 765, + "title": "Physical Security of Offices, Rooms & Facilities", + "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities. 
\n\nMethods To Comply With SCF Controls:\n- \"clean desk\" policy\n- Management spot checks" + }, + { + "source": "scf", + "id": "scf:pes-04.1", + "id_raw": "PES-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 766, + "title": "Working in Secure Areas", + "description": "Physical security mechanisms exist to allow only authorized personnel access to secure areas. \n\nMethods To Comply With SCF Controls:\n- Visitor escorts" + }, + { + "source": "scf", + "id": "scf:pes-04.2", + "id_raw": "PES-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 767, + "title": "Searches", + "description": "Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets." + }, + { + "source": "scf", + "id": "scf:pes-04.3", + "id_raw": "PES-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 768, + "title": "Temporary Storage", + "description": "Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards." + }, + { + "source": "scf", + "id": "scf:pes-05", + "id_raw": "PES-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 769, + "title": "Monitoring Physical Access", + "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents." + }, + { + "source": "scf", + "id": "scf:pes-05.1", + "id_raw": "PES-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 770, + "title": "Intrusion Alarms / Surveillance Equipment ", + "description": "Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment. 
\n\nMethods To Comply With SCF Controls:\n- CCTV" + }, + { + "source": "scf", + "id": "scf:pes-05.2", + "id_raw": "PES-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 771, + "title": "Monitoring Physical Access To Information Systems", + "description": "Facility security mechanisms exist to monitor physical access to critical information systems or sensitive data, in addition to the physical access monitoring of the facility." + }, + { + "source": "scf", + "id": "scf:pes-06", + "id_raw": "PES-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 772, + "title": "Visitor Control", + "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible). \n\nMethods To Comply With SCF Controls:\n- Visitor logbook\n- iLobby (https://goilobby.com/)\n- The Receptionist (https://thereceptionist.com/)\n- LobbyGuard (http://lobbyguard.com/)" + }, + { + "source": "scf", + "id": "scf:pes-06.1", + "id_raw": "PES-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 773, + "title": "Distinguish Visitors from On-Site Personnel", + "description": "Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive data is accessible. \n\nMethods To Comply With SCF Controls:\n- Visible badges for visitors that are different from organizational personnel\n" + }, + { + "source": "scf", + "id": "scf:pes-06.2", + "id_raw": "PES-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 774, + "title": "Identification Requirement", + "description": "Physical access control mechanisms exist to requires at least one (1) form of government-issued photo identification to authenticate individuals before they can gain access to the facility." 
+ }, + { + "source": "scf", + "id": "scf:pes-06.3", + "id_raw": "PES-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 775, + "title": "Restrict Unescorted Access", + "description": "Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access. " + }, + { + "source": "scf", + "id": "scf:pes-06.4", + "id_raw": "PES-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 776, + "title": "Automated Records Management & Review", + "description": "Automated mechanisms exist to facilitate the maintenance and review of visitor access records." + }, + { + "source": "scf", + "id": "scf:pes-06.5", + "id_raw": "PES-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 777, + "title": "Minimize Visitor Personal Data (PD)", + "description": "Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records." + }, + { + "source": "scf", + "id": "scf:pes-06.6", + "id_raw": "PES-06.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 778, + "title": "Visitor Access Revocation", + "description": "Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration." + }, + { + "source": "scf", + "id": "scf:pes-07", + "id_raw": "PES-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 779, + "title": "Supporting Utilities ", + "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction. " + }, + { + "source": "scf", + "id": "scf:pes-07.1", + "id_raw": "PES-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 780, + "title": "Automatic Voltage Controls", + "description": "Facility security mechanisms exist to utilize automatic voltage controls for critical system components. 
" + }, + { + "source": "scf", + "id": "scf:pes-07.2", + "id_raw": "PES-07.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 781, + "title": "Emergency Shutoff", + "description": "Facility security mechanisms exist to shut off power in emergency situations by:" + }, + { + "source": "scf", + "id": "scf:pes-07.3", + "id_raw": "PES-07.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 782, + "title": "Emergency Power", + "description": "Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source." + }, + { + "source": "scf", + "id": "scf:pes-07.4", + "id_raw": "PES-07.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 783, + "title": "Emergency Lighting", + "description": "Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. " + }, + { + "source": "scf", + "id": "scf:pes-07.5", + "id_raw": "PES-07.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 784, + "title": "Water Damage Protection", + "description": "Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel. \n\nMethods To Comply With SCF Controls:\n- Water leak sensors\n- Humidity sensors" + }, + { + "source": "scf", + "id": "scf:pes-07.6", + "id_raw": "PES-07.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 785, + "title": "Automation Support for Water Damage Protection", + "description": "Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel. 
" + }, + { + "source": "scf", + "id": "scf:pes-07.7", + "id_raw": "PES-07.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 786, + "title": "Redundant Cabling", + "description": "Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged." + }, + { + "source": "scf", + "id": "scf:pes-08", + "id_raw": "PES-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 787, + "title": "Fire Protection", + "description": "Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source. " + }, + { + "source": "scf", + "id": "scf:pes-08.1", + "id_raw": "PES-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 788, + "title": "Fire Detection Devices", + "description": "Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire. " + }, + { + "source": "scf", + "id": "scf:pes-08.2", + "id_raw": "PES-08.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 789, + "title": "Fire Suppression Devices", + "description": "Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders. " + }, + { + "source": "scf", + "id": "scf:pes-08.3", + "id_raw": "PES-08.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 790, + "title": "Automatic Fire Suppression", + "description": "Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis." 
+ }, + { + "source": "scf", + "id": "scf:pes-09", + "id_raw": "PES-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 791, + "title": "Temperature & Humidity Controls", + "description": "Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility." + }, + { + "source": "scf", + "id": "scf:pes-09.1", + "id_raw": "PES-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 792, + "title": "Monitoring with Alarms / Notifications", + "description": "Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that be potentially harmful to personnel or equipment. " + }, + { + "source": "scf", + "id": "scf:pes-10", + "id_raw": "PES-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 793, + "title": "Delivery & Removal ", + "description": "Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access. " + }, + { + "source": "scf", + "id": "scf:pes-11", + "id_raw": "PES-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 794, + "title": "Alternate Work Site", + "description": "Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites." + }, + { + "source": "scf", + "id": "scf:pes-12", + "id_raw": "PES-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 795, + "title": "Equipment Siting & Protection ", + "description": "Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. 
" + }, + { + "source": "scf", + "id": "scf:pes-12.1", + "id_raw": "PES-12.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 796, + "title": "Transmission Medium Security", + "description": "Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage. " + }, + { + "source": "scf", + "id": "scf:pes-12.2", + "id_raw": "PES-12.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 797, + "title": "Access Control for Output Devices", + "description": "Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output. \n\nMethods To Comply With SCF Controls:\n- Printer management (print only when at the printer with proximity card or code)" + }, + { + "source": "scf", + "id": "scf:pes-13", + "id_raw": "PES-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 798, + "title": "Information Leakage Due To Electromagnetic Signals Emanations", + "description": "Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations. 
" + }, + { + "source": "scf", + "id": "scf:pes-14", + "id_raw": "PES-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 799, + "title": "Asset Monitoring and Tracking", + "description": "Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.\n\nMethods To Comply With SCF Controls:\n- RFID tagging" + }, + { + "source": "scf", + "id": "scf:pes-15", + "id_raw": "PES-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 800, + "title": "Electromagnetic Pulse (EMP) Protection", + "description": "Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.\n\nMethods To Comply With SCF Controls:\n- EMP shielding (Faraday cages)" + }, + { + "source": "scf", + "id": "scf:pes-16", + "id_raw": "PES-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 801, + "title": "Component Marking", + "description": "Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component." + }, + { + "source": "scf", + "id": "scf:pes-17", + "id_raw": "PES-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 802, + "title": "Proximity Sensor ", + "description": "Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario." + }, + { + "source": "scf", + "id": "scf:pes-18", + "id_raw": "PES-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 803, + "title": "On-Site Client Segregation", + "description": "Mechanisms exist to ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client work spaces." 
+ }, + { + "source": "scf", + "id": "scf:pri-01", + "id_raw": "PRI-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 804, + "title": "Privacy Program", + "description": "Mechanisms exist to facilitate the implementation and operation of privacy controls. " + }, + { + "source": "scf", + "id": "scf:pri-01.1", + "id_raw": "PRI-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 805, + "title": "Chief Privacy Officer (CPO)", + "description": "Mechanisms exist to appoints a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program." + }, + { + "source": "scf", + "id": "scf:pri-01.2", + "id_raw": "PRI-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 806, + "title": "Privacy Act Statements", + "description": "Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes:" + }, + { + "source": "scf", + "id": "scf:pri-01.3", + "id_raw": "PRI-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 807, + "title": "Dissemination of Privacy Program Information ", + "description": "Mechanisms exist to: " + }, + { + "source": "scf", + "id": "scf:pri-01.4", + "id_raw": "PRI-01.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 808, + "title": "Data Protection Officer (DPO)", + "description": "Mechanisms exist to appoint a Data Protection Officer (DPO):" + }, + { + "source": "scf", + "id": "scf:pri-01.5", + "id_raw": "PRI-01.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 809, + "title": "Binding Corporate Rules (BCR)", + "description": "Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data." 
+ }, + { + "source": "scf", + "id": "scf:pri-01.6", + "id_raw": "PRI-01.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 810, + "title": "Security of Personal Data", + "description": "Mechanisms exist to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD." + }, + { + "source": "scf", + "id": "scf:pri-01.7", + "id_raw": "PRI-01.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 811, + "title": "Limiting Personal Data Disclosures", + "description": "Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained." + }, + { + "source": "scf", + "id": "scf:pri-02", + "id_raw": "PRI-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 812, + "title": "Privacy Notice", + "description": "Mechanisms exist to:" + }, + { + "source": "scf", + "id": "scf:pri-02.1", + "id_raw": "PRI-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 813, + "title": "Purpose Specification", + "description": "Mechanisms exist to identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its privacy notices." + }, + { + "source": "scf", + "id": "scf:pri-02.2", + "id_raw": "PRI-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 814, + "title": "Automated Data Management Processes", + "description": "Automated mechanisms exist to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s).\n\nMethods To Comply With SCF Controls:\nThe organization should identify and address obligations, including legal obligations, to the PD principals resulting from decisions made by the organization which are related to the PD principal based solely on automated processing of PD." 
+ }, + { + "source": "scf", + "id": "scf:pri-02.3", + "id_raw": "PRI-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 815, + "title": "Computer Matching Agreements (CMA) ", + "description": "Mechanisms exist to publish Computer Matching Agreements (CMA) on the public website of the organization." + }, + { + "source": "scf", + "id": "scf:pri-02.4", + "id_raw": "PRI-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 816, + "title": "System of Records Notice (SORN)", + "description": "Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance." + }, + { + "source": "scf", + "id": "scf:pri-02.5", + "id_raw": "PRI-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 817, + "title": "System of Records Notice (SORN) Review Process", + "description": "Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected." + }, + { + "source": "scf", + "id": "scf:pri-02.6", + "id_raw": "PRI-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 818, + "title": "Privacy Act Exemptions", + "description": "Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate." + }, + { + "source": "scf", + "id": "scf:pri-02.7", + "id_raw": "PRI-02.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 819, + "title": "Real-Time or Layered Notice", + "description": "Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's privacy notice." 
+ }, + { + "source": "scf", + "id": "scf:pri-03", + "id_raw": "PRI-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 820, + "title": "Choice & Consent", + "description": "Mechanisms exist to authorize the processing of their Personal Data (PD) prior to its collection that:\n\nMethods To Comply With SCF Controls:\n- \"opt in\" vs \"opt out\" user selections" + }, + { + "source": "scf", + "id": "scf:pri-03.1", + "id_raw": "PRI-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 821, + "title": "Tailored Consent", + "description": "Mechanisms exist to allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD)." + }, + { + "source": "scf", + "id": "scf:pri-03.2", + "id_raw": "PRI-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 822, + "title": "Just-In-Time Notice & Updated Consent", + "description": "Mechanisms exist to present authorizations to process Personal Data (PD) in conjunction with the data action, when:" + }, + { + "source": "scf", + "id": "scf:pri-03.3", + "id_raw": "PRI-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 823, + "title": "Prohibition Of Selling or Sharing Personal Data (PD)", + "description": "Mechanisms exist to prevent the sale or sharing of Personal Data (PD) when instructed by the data subject." + }, + { + "source": "scf", + "id": "scf:pri-03.4", + "id_raw": "PRI-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 824, + "title": "Revoke Consent", + "description": "Mechanisms exist to allow data subjects to revoke consent to the processing of their Personal Data (PD)." 
+ }, + { + "source": "scf", + "id": "scf:pri-03.5", + "id_raw": "PRI-03.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 825, + "title": "Product or Service Delivery Restrictions", + "description": "Mechanisms exist to prohibit the refusal or products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent.\n\nMethods To Comply With SCF Controls:\n- Privacy Program" + }, + { + "source": "scf", + "id": "scf:pri-03.6", + "id_raw": "PRI-03.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 826, + "title": "Authorized Agent", + "description": "Mechanisms exist to allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions." + }, + { + "source": "scf", + "id": "scf:pri-03.7", + "id_raw": "PRI-03.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 827, + "title": "Active Participation By Data Subjects", + "description": "Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.)." + }, + { + "source": "scf", + "id": "scf:pri-03.8", + "id_raw": "PRI-03.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 828, + "title": "Global Privacy Control (GPC)", + "description": "Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal)." + }, + { + "source": "scf", + "id": "scf:pri-04", + "id_raw": "PRI-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 829, + "title": "Restrict Collection To Identified Purpose", + "description": "Mechanisms exist to collect Personal Data (PD) only for the purposes identified in the privacy notice and includes protections against collecting PD from minors without appropriate parental, or legal guardian, consent." 
+ }, + { + "source": "scf", + "id": "scf:pri-04.1", + "id_raw": "PRI-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 830, + "title": "Authority To Collect, Use, Maintain & Share Personal Data (PD)", + "description": "Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need." + }, + { + "source": "scf", + "id": "scf:pri-04.2", + "id_raw": "PRI-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 831, + "title": "Primary Sources", + "description": "Mechanisms exist to ensure information is directly collected from the data subject, whenever possible." + }, + { + "source": "scf", + "id": "scf:pri-04.3", + "id_raw": "PRI-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 832, + "title": "Identifiable Image Collection", + "description": "Mechanisms exist to restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.\n\nMethods To Comply With SCF Controls:\n- Privacy Program" + }, + { + "source": "scf", + "id": "scf:pri-04.4", + "id_raw": "PRI-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 833, + "title": "Acquired Personal Data (PD)", + "description": "Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject." + }, + { + "source": "scf", + "id": "scf:pri-04.5", + "id_raw": "PRI-04.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 834, + "title": "Validate Collected Personal Data", + "description": "Mechanisms exist to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process." 
+ }, + { + "source": "scf", + "id": "scf:pri-04.6", + "id_raw": "PRI-04.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 835, + "title": "Re-Validate Collected Personal Data", + "description": "Mechanisms exist to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate." + }, + { + "source": "scf", + "id": "scf:pri-05", + "id_raw": "PRI-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 836, + "title": "Personal Data Retention & Disposal", + "description": "Mechanisms exist to: " + }, + { + "source": "scf", + "id": "scf:pri-05.1", + "id_raw": "PRI-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 837, + "title": "Internal Use of Personal Data For Testing, Training and Research", + "description": "Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that:" + }, + { + "source": "scf", + "id": "scf:pri-05.2", + "id_raw": "PRI-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 838, + "title": "Personal Data Accuracy & Integrity", + "description": "Mechanisms exist to confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle." + }, + { + "source": "scf", + "id": "scf:pri-05.3", + "id_raw": "PRI-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 839, + "title": "Data Masking", + "description": "Mechanisms exist to mask sensitive information through data anonymization, pseudonymization, redaction or de-identification." + }, + { + "source": "scf", + "id": "scf:pri-05.4", + "id_raw": "PRI-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 840, + "title": "Usage Restrictions of Sensitive Personal Data", + "description": "Mechanisms exist to restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in privacy notices. 
" + }, + { + "source": "scf", + "id": "scf:pri-05.5", + "id_raw": "PRI-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 841, + "title": "Inventory of Personal Data (PD)", + "description": "Mechanisms exist to establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD). " + }, + { + "source": "scf", + "id": "scf:pri-05.6", + "id_raw": "PRI-05.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 842, + "title": "Personal Data (PD) Inventory Automation Support", + "description": "Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form." + }, + { + "source": "scf", + "id": "scf:pri-05.7", + "id_raw": "PRI-05.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 843, + "title": "Personal Data (PD) Categories", + "description": "Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD)." + }, + { + "source": "scf", + "id": "scf:pri-06", + "id_raw": "PRI-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 844, + "title": "Data Subject Access", + "description": "Mechanisms exist to provide individuals the ability to access their Personal Data (PD) maintained in organizational systems of records." 
+ }, + { + "source": "scf", + "id": "scf:pri-06.1", + "id_raw": "PRI-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 845, + "title": "Correcting Inaccurate Personal Data", + "description": "Mechanisms exist to establish and implement a process for:\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:pri-06.2", + "id_raw": "PRI-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 846, + "title": "Notice of Correction or Processing Change", + "description": "Mechanisms exist to notify affected individuals if their Personal Data (PD) has been corrected or amended.\n\nMethods To Comply With SCF Controls:\nThe organization should, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PD, thereby giving the customer the opportunity to object to such changes." + }, + { + "source": "scf", + "id": "scf:pri-06.3", + "id_raw": "PRI-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 847, + "title": "Appeal Adverse Decision", + "description": "Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended." + }, + { + "source": "scf", + "id": "scf:pri-06.4", + "id_raw": "PRI-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 848, + "title": "User Feedback Management", + "description": "Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices." + }, + { + "source": "scf", + "id": "scf:pri-06.5", + "id_raw": "PRI-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 849, + "title": "Right to Erasure", + "description": "Mechanisms exist to erase personal data of an individual, without delay." 
+ }, + { + "source": "scf", + "id": "scf:pri-06.6", + "id_raw": "PRI-06.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 850, + "title": "Data Portability", + "description": "Mechanisms exist to export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance." + }, + { + "source": "scf", + "id": "scf:pri-06.7", + "id_raw": "PRI-06.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 851, + "title": "Personal Data Exportability", + "description": "Mechanisms exist to digitally export Personal Data (PD) in a secure manner upon request by the data subject." + }, + { + "source": "scf", + "id": "scf:pri-07", + "id_raw": "PRI-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 852, + "title": "Information Sharing With Third Parties", + "description": "Mechanisms exist to discloses Personal Data (PD) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the data subject. \n\nMethods To Comply With SCF Controls:\n- Veris (incident sharing) (http://veriscommunity.net)" + }, + { + "source": "scf", + "id": "scf:pri-07.1", + "id_raw": "PRI-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 853, + "title": "Privacy Requirements for Contractors & Service Providers ", + "description": "Mechanisms exist to includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers. " + }, + { + "source": "scf", + "id": "scf:pri-07.2", + "id_raw": "PRI-07.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 854, + "title": "Joint Processing of Personal Data", + "description": "Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem. 
" + }, + { + "source": "scf", + "id": "scf:pri-07.3", + "id_raw": "PRI-07.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 855, + "title": "Obligation To Inform Third-Parties", + "description": "Mechanisms exist to inform applicable third-parties to any modification, deletion or other change that affects shared Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:pri-07.4", + "id_raw": "PRI-07.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 856, + "title": "Reject Unauthorized Disclosure Requests", + "description": "Mechanisms exist to reject unauthorized disclosure requests.\n\nMethods To Comply With SCF Controls:\n- Authorized Agent" + }, + { + "source": "scf", + "id": "scf:pri-08", + "id_raw": "PRI-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 857, + "title": "Testing, Training & Monitoring", + "description": "Mechanisms exist to conduct security and privacy testing, training and monitoring activities" + }, + { + "source": "scf", + "id": "scf:pri-09", + "id_raw": "PRI-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 858, + "title": "Personal Data Lineage", + "description": "Mechanisms exist to utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed under the organization's responsibility.\n\nMethods To Comply With SCF Controls:\nThe organization should determine and securely maintain the necessary records in support of its obligations for the processing of PD." + }, + { + "source": "scf", + "id": "scf:pri-10", + "id_raw": "PRI-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 859, + "title": "Data Quality Management", + "description": "Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle." 
+ }, + { + "source": "scf", + "id": "scf:pri-10.1", + "id_raw": "PRI-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 860, + "title": "Automation", + "description": "Automated mechanisms exist to support the evaluation of data quality across the information lifecycle." + }, + { + "source": "scf", + "id": "scf:pri-10.2", + "id_raw": "PRI-10.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 861, + "title": "Data Analytics Bias", + "description": "Mechanisms exist to evaluate its analytical processes for potential bias." + }, + { + "source": "scf", + "id": "scf:pri-11", + "id_raw": "PRI-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 862, + "title": "Data Tagging", + "description": "Mechanisms exist to issue data modeling guidelines to support tagging of sensitive data." + }, + { + "source": "scf", + "id": "scf:pri-12", + "id_raw": "PRI-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 863, + "title": "Updating Personal Data (PD)", + "description": "Mechanisms exist to develop processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur." + }, + { + "source": "scf", + "id": "scf:pri-13", + "id_raw": "PRI-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 864, + "title": "Data Management Board", + "description": "Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assigned organization-defined roles to the DMB.\n\nMethods To Comply With SCF Controls:\n- Data Management Board (DMB)" + }, + { + "source": "scf", + "id": "scf:pri-14", + "id_raw": "PRI-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 865, + "title": "Privacy Records & Reporting", + "description": "Mechanisms exist to maintain privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates." 
+ }, + { + "source": "scf", + "id": "scf:pri-14.1", + "id_raw": "PRI-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 866, + "title": "Accounting of Disclosures", + "description": "Mechanisms exist to develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request." + }, + { + "source": "scf", + "id": "scf:pri-14.2", + "id_raw": "PRI-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 867, + "title": "Notification of Disclosure Request To Data Subject", + "description": "Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD)." + }, + { + "source": "scf", + "id": "scf:pri-15", + "id_raw": "PRI-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 868, + "title": "Register Database", + "description": "Mechanisms exist to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary." + }, + { + "source": "scf", + "id": "scf:pri-16", + "id_raw": "PRI-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 869, + "title": "Potential Human Rights Abuses", + "description": "Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee" + }, + { + "source": "scf", + "id": "scf:pri-17", + "id_raw": "PRI-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 870, + "title": "Data Subject Communications", + "description": "Mechanisms exist to craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person." 
+ }, + { + "source": "scf", + "id": "scf:pri-17.1", + "id_raw": "PRI-17.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 871, + "title": "Conspicuous Link To Privacy Notice", + "description": "Mechanisms exist to include a conspicuous link to the organization's privacy notice on all consumer-facing websites and mobile applications." + }, + { + "source": "scf", + "id": "scf:pri-17.2", + "id_raw": "PRI-17.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 872, + "title": "Notice of Financial Incentive", + "description": "Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate." + }, + { + "source": "scf", + "id": "scf:prm-01", + "id_raw": "PRM-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 873, + "title": "Security Portfolio Management", + "description": "Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives." + }, + { + "source": "scf", + "id": "scf:prm-01.1", + "id_raw": "PRM-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 874, + "title": "Strategic Plan & Objectives", + "description": "Mechanisms exist to establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan." + }, + { + "source": "scf", + "id": "scf:prm-01.2", + "id_raw": "PRM-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 875, + "title": "Targeted Capability Maturity Levels", + "description": "Mechanisms exist to define and identify targeted capability maturity levels." 
+ }, + { + "source": "scf", + "id": "scf:prm-02", + "id_raw": "PRM-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 876, + "title": "Security & Privacy Resource Management", + "description": "Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs and documents all exceptions to this requirement. " + }, + { + "source": "scf", + "id": "scf:prm-03", + "id_raw": "PRM-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 877, + "title": "Allocation of Resources ", + "description": "Mechanisms exist to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives." + }, + { + "source": "scf", + "id": "scf:prm-04", + "id_raw": "PRM-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 878, + "title": "Security & Privacy In Project Management ", + "description": "Mechanisms exist to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements." + }, + { + "source": "scf", + "id": "scf:prm-05", + "id_raw": "PRM-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 879, + "title": "Security & Privacy Requirements Definition", + "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). 
\n\nMethods To Comply With SCF Controls:\n- Secure Development Life Cycle (SDLC)" + }, + { + "source": "scf", + "id": "scf:prm-06", + "id_raw": "PRM-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 880, + "title": "Business Process Definition ", + "description": "Mechanisms exist to define business processes with consideration for cybersecurity and privacy that determines: " + }, + { + "source": "scf", + "id": "scf:prm-07", + "id_raw": "PRM-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 881, + "title": "Secure Development Life Cycle (SDLC) Management", + "description": "Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:prm-08", + "id_raw": "PRM-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 882, + "title": "Manage Organizational Knowledge", + "description": "Mechanisms exist to manage the organizational knowledge of the cybersecurity and privacy staff." 
+ }, + { + "source": "scf", + "id": "scf:rsk-01", + "id_raw": "RSK-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 883, + "title": "Risk Management Program ", + "description": "Mechanisms exist to facilitate the implementation of risk management controls.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-01.1", + "id_raw": "RSK-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 884, + "title": "Risk Framing", + "description": "Mechanisms exist to identify:\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-02", + "id_raw": "RSK-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 885, + "title": "Risk-Based Security Categorization ", + "description": "Mechanisms exist to categorizes systems and data in accordance with applicable local, state and Federal laws that:\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-02.1", + "id_raw": "RSK-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 886, + "title": "Impact-Level Prioritization", + "description": "Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions." + }, + { + "source": "scf", + "id": "scf:rsk-03", + "id_raw": "RSK-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 887, + "title": "Risk Identification", + "description": "Mechanisms exist to identify and document risks, both internal and external. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-04", + "id_raw": "RSK-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 888, + "title": "Risk Assessment ", + "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Risk assessment\n- Business Impact Analysis (BIA)\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:rsk-04.1", + "id_raw": "RSK-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 889, + "title": "Risk Register", + "description": "Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Risk register\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)" + }, + { + "source": "scf", + "id": "scf:rsk-05", + "id_raw": "RSK-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 890, + "title": "Risk Ranking ", + "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. \n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-06", + "id_raw": "RSK-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 891, + "title": "Risk Remediation ", + "description": "Mechanisms exist to remediate risks to an acceptable level. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:rsk-06.1", + "id_raw": "RSK-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 892, + "title": "Risk Response", + "description": "Mechanisms exist to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-06.2", + "id_raw": "RSK-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 893, + "title": "Compensating Countermeasures", + "description": "Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats." + }, + { + "source": "scf", + "id": "scf:rsk-07", + "id_raw": "RSK-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 894, + "title": "Risk Assessment Update", + "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-08", + "id_raw": "RSK-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 895, + "title": "Business Impact Analysis (BIA) ", + "description": "Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Data Protection Impact Assessment (DPIA)\n- Business Impact Analysis (BIA)" + }, + { + "source": "scf", + "id": "scf:rsk-09", + "id_raw": "RSK-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 896, + "title": "Supply Chain Risk Management (SCRM) Plan", + "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)" + }, + { + "source": "scf", + "id": "scf:rsk-09.1", + "id_raw": "RSK-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 897, + "title": "Supply Chain Risk Assessment", + "description": "Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:rsk-10", + "id_raw": "RSK-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 898, + "title": "Data Protection Impact Assessment (DPIA) ", + "description": "Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management 
Program (RMP)\n- Data Protection Impact Assessment (DPIA)\n- Privacy Impact Assessment (PIA)" + }, + { + "source": "scf", + "id": "scf:rsk-11", + "id_raw": "RSK-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 899, + "title": "Risk Monitoring", + "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security & privacy controls, compliance and change management." + }, + { + "source": "scf", + "id": "scf:sea-01", + "id_raw": "SEA-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 900, + "title": "Secure Engineering Principles ", + "description": "Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services." + }, + { + "source": "scf", + "id": "scf:sea-01.1", + "id_raw": "SEA-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 901, + "title": "Centralized Management of Cybersecurity & Privacy Controls", + "description": "Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes." + }, + { + "source": "scf", + "id": "scf:sea-02", + "id_raw": "SEA-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 902, + "title": "Alignment With Enterprise Architecture ", + "description": "Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations. 
\n\nMethods To Comply With SCF Controls:\n- Administrative controls through corporate policies, standards & procedures.\n- NIST 800-160\n- Enterprise architecture committee" + }, + { + "source": "scf", + "id": "scf:sea-02.1", + "id_raw": "SEA-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 903, + "title": "Standardized Terminology", + "description": "Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments. " + }, + { + "source": "scf", + "id": "scf:sea-02.2", + "id_raw": "SEA-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 904, + "title": "Outsourcing Non-Essential Functions or Services", + "description": "Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to third-party service providers and align with the organization's enterprise architecture and security standards." + }, + { + "source": "scf", + "id": "scf:sea-02.3", + "id_raw": "SEA-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 905, + "title": "Technical Debt Reviews", + "description": "Mechanisms exist to conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies." + }, + { + "source": "scf", + "id": "scf:sea-03", + "id_raw": "SEA-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 906, + "title": "Defense-In-Depth (DiD) Architecture", + "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. " + }, + { + "source": "scf", + "id": "scf:sea-03.1", + "id_raw": "SEA-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 907, + "title": "System Partitioning ", + "description": "Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments. 
" + }, + { + "source": "scf", + "id": "scf:sea-03.2", + "id_raw": "SEA-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 908, + "title": "Application Partitioning", + "description": "Mechanisms exist to separate user functionality from system management functionality. \n\nMethods To Comply With SCF Controls:\n- Separate interface for non-privileged users." + }, + { + "source": "scf", + "id": "scf:sea-04", + "id_raw": "SEA-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 909, + "title": "Process Isolation ", + "description": "Mechanisms exist to implement a separate execution domain for each executing process. " + }, + { + "source": "scf", + "id": "scf:sea-04.1", + "id_raw": "SEA-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 910, + "title": "Security Function Isolation", + "description": "Mechanisms exist to isolate security functions from non-security functions. " + }, + { + "source": "scf", + "id": "scf:sea-04.2", + "id_raw": "SEA-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 911, + "title": "Hardware Separation", + "description": "Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation. " + }, + { + "source": "scf", + "id": "scf:sea-04.3", + "id_raw": "SEA-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 912, + "title": "Thread Separation", + "description": "Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing. " + }, + { + "source": "scf", + "id": "scf:sea-05", + "id_raw": "SEA-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 913, + "title": "Information In Shared Resources ", + "description": "Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources. 
" + }, + { + "source": "scf", + "id": "scf:sea-06", + "id_raw": "SEA-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 914, + "title": "Prevent Program Execution", + "description": "Automated mechanisms exist to prevent the execution of unauthorized software programs. " + }, + { + "source": "scf", + "id": "scf:sea-07", + "id_raw": "SEA-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 915, + "title": "Predictable Failure Analysis ", + "description": "Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.\n\nMethods To Comply With SCF Controls:\n- Mean Time to Failure (MTTF)" + }, + { + "source": "scf", + "id": "scf:sea-07.1", + "id_raw": "SEA-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 916, + "title": "Technology Lifecycle Management", + "description": "Mechanisms exist to manage the usable lifecycles of systems. \n\nMethods To Comply With SCF Controls:\n- Computer Lifecycle Program (CLP)\n- Technology Asset Management (TAM)" + }, + { + "source": "scf", + "id": "scf:sea-07.2", + "id_raw": "SEA-07.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 917, + "title": "Fail Secure", + "description": "Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure. " + }, + { + "source": "scf", + "id": "scf:sea-07.3", + "id_raw": "SEA-07.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 918, + "title": "Fail Safe", + "description": "Mechanisms exist to implement fail-safe procedures when failure conditions occur. " + }, + { + "source": "scf", + "id": "scf:sea-08", + "id_raw": "SEA-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 919, + "title": "Non-Persistence ", + "description": "Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency. 
" + }, + { + "source": "scf", + "id": "scf:sea-08.1", + "id_raw": "SEA-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 920, + "title": "Refresh from Trusted Sources", + "description": "Mechanisms exist to ensures that software and data needed for information system component and service refreshes are obtained from trusted sources.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:sea-09", + "id_raw": "SEA-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 921, + "title": "Information Output Filtering ", + "description": "Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content. " + }, + { + "source": "scf", + "id": "scf:sea-09.1", + "id_raw": "SEA-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 922, + "title": "Limit Personal Data (PD) Dissemination", + "description": "Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:sea-10", + "id_raw": "SEA-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 923, + "title": "Memory Protection ", + "description": "Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution. 
\n\nMethods To Comply With SCF Controls:\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)" + }, + { + "source": "scf", + "id": "scf:sea-11", + "id_raw": "SEA-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 924, + "title": "Honeypots ", + "description": "Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks. " + }, + { + "source": "scf", + "id": "scf:sea-12", + "id_raw": "SEA-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 925, + "title": "Honeyclients ", + "description": "Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code. " + }, + { + "source": "scf", + "id": "scf:sea-13", + "id_raw": "SEA-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 926, + "title": "Heterogeneity ", + "description": "Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM). " + }, + { + "source": "scf", + "id": "scf:sea-13.1", + "id_raw": "SEA-13.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 927, + "title": "Virtualization Techniques ", + "description": "Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications." + }, + { + "source": "scf", + "id": "scf:sea-14", + "id_raw": "SEA-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 928, + "title": "Concealment & Misdirection ", + "description": "Mechanisms exist to utilize concealment and misdirection techniques for systems to confuse and mislead adversaries. 
" + }, + { + "source": "scf", + "id": "scf:sea-14.1", + "id_raw": "SEA-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 929, + "title": "Randomness", + "description": "Automated mechanisms exist to introduce randomness into organizational operations and assets." + }, + { + "source": "scf", + "id": "scf:sea-14.2", + "id_raw": "SEA-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 930, + "title": "Change Processing & Storage Locations", + "description": "Automated mechanisms exist to change the location of processing and/or storage at random time intervals." + }, + { + "source": "scf", + "id": "scf:sea-15", + "id_raw": "SEA-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 931, + "title": "Distributed Processing & Storage ", + "description": "Mechanisms exist to distribute processing and storage across multiple physical locations. " + }, + { + "source": "scf", + "id": "scf:sea-16", + "id_raw": "SEA-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 932, + "title": "Non-Modifiable Executable Programs ", + "description": "Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media." 
+ }, + { + "source": "scf", + "id": "scf:sea-17", + "id_raw": "SEA-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 933, + "title": "Secure Log-On Procedures ", + "description": "Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process" + }, + { + "source": "scf", + "id": "scf:sea-18", + "id_raw": "SEA-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 934, + "title": "System Use Notification (Logon Banner)", + "description": "Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides privacy and security notices.\n\nMethods To Comply With SCF Controls:\n- Logon banner\n- System use notifications\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:sea-18.1", + "id_raw": "SEA-18.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 935, + "title": "Standardized Microsoft Windows Banner", + "description": "Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides privacy and security notices.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:sea-18.2", + "id_raw": "SEA-18.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 936, + "title": "Truncated Banner", + "description": "Mechanisms exist to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory.\n\nMethods To Comply With SCF 
Controls:\n- Logon banner\n- System use notifications\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:sea-19", + "id_raw": "SEA-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 937, + "title": "Previous Logon Notification", + "description": "Mechanisms exist to configure systems that process, store or transmit sensitive data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.\n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)" + }, + { + "source": "scf", + "id": "scf:sea-20", + "id_raw": "SEA-20", + "tier_raw": "Controls", + "tier": 1, + "seq": 938, + "title": "Clock Synchronization", + "description": "Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks. \n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)" + }, + { + "source": "scf", + "id": "scf:ops-01", + "id_raw": "OPS-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 939, + "title": "Operations Security ", + "description": "Mechanisms exist to facilitate the implementation of operational security controls.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)\n- ITIL v4 \n- COBIT 5" + }, + { + "source": "scf", + "id": "scf:ops-01.1", + "id_raw": "OPS-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 940, + "title": "Standardized Operating Procedures (SOP)", + "description": "Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)" + }, + { + "source": "scf", + "id": "scf:ops-02", + "id_raw": "OPS-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 941, + "title": "Security Concept Of Operations (CONOPS) ", 
+ "description": "Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders. " + }, + { + "source": "scf", + "id": "scf:ops-03", + "id_raw": "OPS-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 942, + "title": "Service Delivery", + "description": "Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.\n\nMethods To Comply With SCF Controls:\n- ITIL v4 \n- COBIT 5" + }, + { + "source": "scf", + "id": "scf:ops-04", + "id_raw": "OPS-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 943, + "title": "Security Operations Center (SOC)", + "description": "Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability." + }, + { + "source": "scf", + "id": "scf:ops-05", + "id_raw": "OPS-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 944, + "title": "Secure Practices Guidelines", + "description": "Mechanisms exist to provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service." + }, + { + "source": "scf", + "id": "scf:sat-01", + "id_raw": "SAT-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 945, + "title": "Security & Privacy-Minded Workforce ", + "description": "Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. 
" + }, + { + "source": "scf", + "id": "scf:sat-02", + "id_raw": "SAT-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 946, + "title": "Security & Privacy Awareness ", + "description": "Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function. " + }, + { + "source": "scf", + "id": "scf:sat-02.1", + "id_raw": "SAT-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 947, + "title": "Simulated Cyber Attack Scenario Training", + "description": "Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios." + }, + { + "source": "scf", + "id": "scf:sat-02.2", + "id_raw": "SAT-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 948, + "title": "Social Engineering & Mining", + "description": "Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining." + }, + { + "source": "scf", + "id": "scf:sat-03", + "id_raw": "SAT-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 949, + "title": "Role-Based Security & Privacy Training ", + "description": "Mechanisms exist to provide role-based security-related training: " + }, + { + "source": "scf", + "id": "scf:sat-03.1", + "id_raw": "SAT-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 950, + "title": "Practical Exercises ", + "description": "Mechanisms exist to include practical exercises in security and privacy training that reinforce training objectives." + }, + { + "source": "scf", + "id": "scf:sat-03.2", + "id_raw": "SAT-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 951, + "title": "Suspicious Communications & Anomalous System Behavior", + "description": "Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior." 
+ }, + { + "source": "scf", + "id": "scf:sat-03.3", + "id_raw": "SAT-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 952, + "title": "Sensitive Information Storage, Handling & Processing", + "description": "Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements." + }, + { + "source": "scf", + "id": "scf:sat-03.4", + "id_raw": "SAT-03.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 953, + "title": "Vendor Security & Privacy Training", + "description": "Mechanisms exist to incorporate vendor-specific security training in support of new technology initiatives. " + }, + { + "source": "scf", + "id": "scf:sat-03.5", + "id_raw": "SAT-03.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 954, + "title": "Privileged Users", + "description": "Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities " + }, + { + "source": "scf", + "id": "scf:sat-03.6", + "id_raw": "SAT-03.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 955, + "title": "Cyber Threat Environment", + "description": "Mechanisms exist to provide role-based security and privacy awareness training that is specific to the cyber threats that the user might encounter the user's specific day-to-day business operations." + }, + { + "source": "scf", + "id": "scf:sat-03.7", + "id_raw": "SAT-03.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 956, + "title": "Continuing Professional Education (CPE) - Cybersecurity & Privacy Personnel", + "description": "Mechanisms exist to ensure cybersecurity and privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities." 
+ }, + { + "source": "scf", + "id": "scf:sat-03.8", + "id_raw": "SAT-03.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 957, + "title": "Continuing Professional Education (CPE) - DevOps Personnel", + "description": "Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats." + }, + { + "source": "scf", + "id": "scf:sat-04", + "id_raw": "SAT-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 958, + "title": "Security & Privacy Training Records ", + "description": "Mechanisms exist to document, retain and monitor individual training activities, including basic security awareness training, ongoing awareness training and specific-system training.\n\nMethods To Comply With SCF Controls:\n- KnowB4 (https://www.knowbe4.com/)" + }, + { + "source": "scf", + "id": "scf:tda-01", + "id_raw": "TDA-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 959, + "title": "Technology Development & Acquisition", + "description": "Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs." + }, + { + "source": "scf", + "id": "scf:tda-01.1", + "id_raw": "TDA-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 960, + "title": "Product Management", + "description": "Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies." 
+ }, + { + "source": "scf", + "id": "scf:tda-01.2", + "id_raw": "TDA-01.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 961, + "title": "Integrity Mechanisms for Software / Firmware Updates ", + "description": "Mechanisms exist to utilize integrity validation mechanisms for security updates.\n\nMethods To Comply With SCF Controls:\n- Checksum comparison\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:tda-01.3", + "id_raw": "TDA-01.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 962, + "title": "Malware Testing Prior to Release ", + "description": "Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:tda-02", + "id_raw": "TDA-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 963, + "title": "Minimum Viable Product (MVP) Security Requirements ", + "description": "Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP)." + }, + { + "source": "scf", + "id": "scf:tda-02.1", + "id_raw": "TDA-02.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 964, + "title": "Ports, Protocols & Services In Use", + "description": "Mechanisms exist to require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use. 
\n\nMethods To Comply With SCF Controls:\n- Ports, Protocols & Services (PPS)" + }, + { + "source": "scf", + "id": "scf:tda-02.2", + "id_raw": "TDA-02.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 965, + "title": "Information Assurance Enabled Products", + "description": "Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved.\n\nMethods To Comply With SCF Controls:\n- FIPS 201" + }, + { + "source": "scf", + "id": "scf:tda-02.3", + "id_raw": "TDA-02.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 966, + "title": "Development Methods, Techniques & Processes", + "description": "Mechanisms exist to require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software." + }, + { + "source": "scf", + "id": "scf:tda-02.4", + "id_raw": "TDA-02.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 967, + "title": "Pre-Established Security Configurations", + "description": "Mechanisms exist to ensure software vendors / manufacturers:" + }, + { + "source": "scf", + "id": "scf:tda-02.5", + "id_raw": "TDA-02.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 968, + "title": "Identification & Justification of Ports, Protocols & Services", + "description": "Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions. 
" + }, + { + "source": "scf", + "id": "scf:tda-02.6", + "id_raw": "TDA-02.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 969, + "title": "Insecure Ports, Protocols & Services", + "description": "Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions. " + }, + { + "source": "scf", + "id": "scf:tda-02.7", + "id_raw": "TDA-02.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 970, + "title": "Security & Privacy Representatives For Product Changes", + "description": "Mechanisms exist to include appropriate cybersecurity and privacy representatives in the product feature and/or functionality change control review process." + }, + { + "source": "scf", + "id": "scf:tda-03", + "id_raw": "TDA-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 971, + "title": "Commercial Off-The-Shelf (COTS) Security Solutions ", + "description": "Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products. 
" + }, + { + "source": "scf", + "id": "scf:tda-03.1", + "id_raw": "TDA-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 972, + "title": "Supplier Diversity", + "description": "Mechanisms exist to obtain security and privacy technologies from different suppliers to minimize supply chain risk.\n\nMethods To Comply With SCF Controls:\n- Supplier diversity" + }, + { + "source": "scf", + "id": "scf:tda-04", + "id_raw": "TDA-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 973, + "title": "Documentation Requirements", + "description": "Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe:" + }, + { + "source": "scf", + "id": "scf:tda-04.1", + "id_raw": "TDA-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 974, + "title": "Functional Properties ", + "description": "Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls. \n\nMethods To Comply With SCF Controls:\n- SSAE-16 SOC2 report" + }, + { + "source": "scf", + "id": "scf:tda-04.2", + "id_raw": "TDA-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 975, + "title": "Software Bill of Materials (SBOM)", + "description": "Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses." 
+ }, + { + "source": "scf", + "id": "scf:tda-05", + "id_raw": "TDA-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 976, + "title": "Developer Architecture & Design ", + "description": "Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that: " + }, + { + "source": "scf", + "id": "scf:tda-05.1", + "id_raw": "TDA-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 977, + "title": "Physical Diagnostic & Test Interfaces", + "description": "Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse." + }, + { + "source": "scf", + "id": "scf:tda-05.2", + "id_raw": "TDA-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 978, + "title": "Diagnostic & Test Interface Monitoring", + "description": "Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces." + }, + { + "source": "scf", + "id": "scf:tda-06", + "id_raw": "TDA-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 979, + "title": "Secure Coding ", + "description": "Mechanisms exist to develop applications based on secure coding principles. 
\n\nMethods To Comply With SCF Controls:\n- OWASP's Application Security Verification Standard (ASVS) \n- Mobile Application Security Verification Standard (MASVS)" + }, + { + "source": "scf", + "id": "scf:tda-06.1", + "id_raw": "TDA-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 980, + "title": "Criticality Analysis", + "description": "Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).\n\nMethods To Comply With SCF Controls:\n- Secure Development Life Cycle (SDLC)" + }, + { + "source": "scf", + "id": "scf:tda-06.2", + "id_raw": "TDA-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 981, + "title": "Threat Modeling", + "description": "Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for." + }, + { + "source": "scf", + "id": "scf:tda-06.3", + "id_raw": "TDA-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 982, + "title": "Software Assurance Maturity Model (SAMM)", + "description": "Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services." + }, + { + "source": "scf", + "id": "scf:tda-06.4", + "id_raw": "TDA-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 983, + "title": "Supporting Toolchain", + "description": "Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle." 
+ }, + { + "source": "scf", + "id": "scf:tda-06.5", + "id_raw": "TDA-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 984, + "title": "Software Design Review", + "description": "Mechanisms exist to have an independent review of the software design to confirm that all security and privacy requirements are met and that any identified risks are satisfactorily addressed." + }, + { + "source": "scf", + "id": "scf:tda-07", + "id_raw": "TDA-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 985, + "title": "Secure Development Environments ", + "description": "Mechanisms exist to maintain a segmented development network to ensure a secure development environment. " + }, + { + "source": "scf", + "id": "scf:tda-08", + "id_raw": "TDA-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 986, + "title": "Separation of Development, Testing and Operational Environments ", + "description": "Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems." + }, + { + "source": "scf", + "id": "scf:tda-08.1", + "id_raw": "TDA-08.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 987, + "title": "Secure Migration Practices", + "description": "Mechanisms exist to ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment." 
+ }, + { + "source": "scf", + "id": "scf:tda-09", + "id_raw": "TDA-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 988, + "title": "Security & Privacy Testing Throughout Development ", + "description": "Mechanisms exist to require system developers/integrators consult with cybersecurity and privacy personnel to: \n\nMethods To Comply With SCF Controls:\n- Security Test & Evaluation (ST&E)" + }, + { + "source": "scf", + "id": "scf:tda-09.1", + "id_raw": "TDA-09.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 989, + "title": "Continuous Monitoring Plan", + "description": "Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of security & privacy control effectiveness. " + }, + { + "source": "scf", + "id": "scf:tda-09.2", + "id_raw": "TDA-09.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 990, + "title": "Static Code Analysis", + "description": "Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis. " + }, + { + "source": "scf", + "id": "scf:tda-09.3", + "id_raw": "TDA-09.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 991, + "title": "Dynamic Code Analysis ", + "description": "Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis. 
" + }, + { + "source": "scf", + "id": "scf:tda-09.4", + "id_raw": "TDA-09.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 992, + "title": "Malformed Input Testing", + "description": "Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:tda-09.5", + "id_raw": "TDA-09.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 993, + "title": "Application Penetration Testing", + "description": "Mechanisms exist to perform application-level penetration testing of custom-made applications and services.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:tda-09.6", + "id_raw": "TDA-09.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 994, + "title": "Secure Settings By Default", + "description": "Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise." + }, + { + "source": "scf", + "id": "scf:tda-09.7", + "id_raw": "TDA-09.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 995, + "title": "Manual Code Review", + "description": "Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design." 
+ }, + { + "source": "scf", + "id": "scf:tda-10", + "id_raw": "TDA-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 996, + "title": "Use of Live Data ", + "description": "Mechanisms exist to approve, document and control the use of live data in development and test environments." + }, + { + "source": "scf", + "id": "scf:tda-10.1", + "id_raw": "TDA-10.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 997, + "title": "Test Data Integrity", + "description": "Mechanisms exist to ensure the integrity of test data through existing security & privacy controls.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:tda-11", + "id_raw": "TDA-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 998, + "title": "Product Tampering and Counterfeiting (PTC)", + "description": "Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components." + }, + { + "source": "scf", + "id": "scf:tda-11.1", + "id_raw": "TDA-11.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 999, + "title": "Anti-Counterfeit Training", + "description": "Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware. 
" + }, + { + "source": "scf", + "id": "scf:tda-11.2", + "id_raw": "TDA-11.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1000, + "title": "Component Disposal", + "description": "[deprecated - incorporated into AST-09]" + }, + { + "source": "scf", + "id": "scf:tda-12", + "id_raw": "TDA-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 1001, + "title": "Customized Development of Critical Components ", + "description": "Mechanisms exist to custom-develop critical system components, when COTS solutions are unavailable.\n\nMethods To Comply With SCF Controls:\n- OWASP" + }, + { + "source": "scf", + "id": "scf:tda-13", + "id_raw": "TDA-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 1002, + "title": "Developer Screening ", + "description": "Mechanisms exist to ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations." + }, + { + "source": "scf", + "id": "scf:tda-14", + "id_raw": "TDA-14", + "tier_raw": "Controls", + "tier": 1, + "seq": 1003, + "title": "Developer Configuration Management ", + "description": "Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation." + }, + { + "source": "scf", + "id": "scf:tda-14.1", + "id_raw": "TDA-14.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1004, + "title": "Software / Firmware Integrity Verification", + "description": "Mechanisms exist to require developer of systems, system components or services to enable integrity verification of software and firmware components. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:tda-14.2", + "id_raw": "TDA-14.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1005, + "title": "Hardware Integrity Verification", + "description": "Mechanisms exist to require developer of systems, system components or services to enable integrity verification of hardware components." + }, + { + "source": "scf", + "id": "scf:tda-15", + "id_raw": "TDA-15", + "tier_raw": "Controls", + "tier": 1, + "seq": 1006, + "title": "Developer Threat Analysis & Flaw Remediation", + "description": "Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party. \n\nMethods To Comply With SCF Controls:\n- Security Test and Evaluation (ST&E) plan" + }, + { + "source": "scf", + "id": "scf:tda-16", + "id_raw": "TDA-16", + "tier_raw": "Controls", + "tier": 1, + "seq": 1007, + "title": "Developer-Provided Training ", + "description": "Mechanisms exist to require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service." + }, + { + "source": "scf", + "id": "scf:tda-17", + "id_raw": "TDA-17", + "tier_raw": "Controls", + "tier": 1, + "seq": 1008, + "title": "Unsupported Systems ", + "description": "Mechanisms exist to prevent unsupported systems by:" + }, + { + "source": "scf", + "id": "scf:tda-17.1", + "id_raw": "TDA-17.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1009, + "title": "Alternate Sources for Continued Support", + "description": "Mechanisms exist to provide in-house support or contract external providers for support with unsupported system components. 
" + }, + { + "source": "scf", + "id": "scf:tda-18", + "id_raw": "TDA-18", + "tier_raw": "Controls", + "tier": 1, + "seq": 1010, + "title": "Input Data Validation ", + "description": "Mechanisms exist to check the validity of information inputs. " + }, + { + "source": "scf", + "id": "scf:tda-19", + "id_raw": "TDA-19", + "tier_raw": "Controls", + "tier": 1, + "seq": 1011, + "title": "Error Handling ", + "description": "Mechanisms exist to handle error conditions by: " + }, + { + "source": "scf", + "id": "scf:tda-20", + "id_raw": "TDA-20", + "tier_raw": "Controls", + "tier": 1, + "seq": 1012, + "title": "Access to Program Source Code ", + "description": "Mechanisms exist to limit privileges to change software resident within software libraries. \n\nMethods To Comply With SCF Controls:\n- Source code escrow" + }, + { + "source": "scf", + "id": "scf:tda-20.1", + "id_raw": "TDA-20.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1013, + "title": "Software Release Integrity Verification", + "description": "Mechanisms exist to publish integrity verification information for software releases." + }, + { + "source": "scf", + "id": "scf:tda-20.2", + "id_raw": "TDA-20.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1014, + "title": "Archiving Software Releases", + "description": "Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information." + }, + { + "source": "scf", + "id": "scf:tda-20.3", + "id_raw": "TDA-20.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1015, + "title": "Software Escrow", + "description": "Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support. 
" + }, + { + "source": "scf", + "id": "scf:tpm-01", + "id_raw": "TPM-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 1016, + "title": "Third-Party Management ", + "description": "Mechanisms exist to facilitate the implementation of third-party management controls.\n\nMethods To Comply With SCF Controls:\n- Procurement program\n- Contract reviews" + }, + { + "source": "scf", + "id": "scf:tpm-01.1", + "id_raw": "TPM-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1017, + "title": "Third-Party Inventories ", + "description": "Mechanisms exist to maintain a current, accurate and complete list of Third-Party Service Providers (TSP) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data." + }, + { + "source": "scf", + "id": "scf:tpm-02", + "id_raw": "TPM-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 1018, + "title": "Third-Party Criticality Assessments", + "description": "Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:tpm-03", + "id_raw": "TPM-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 1019, + "title": "Supply Chain Protection", + "description": "Mechanisms exist to evaluate security risks associated with the services and product supply chain. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:tpm-03.1", + "id_raw": "TPM-03.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1020, + "title": "Acquisition Strategies, Tools & Methods", + "description": "Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:tpm-03.2", + "id_raw": "TPM-03.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1021, + "title": "Limit Potential Harm", + "description": "Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Liability clause in contracts" + }, + { + "source": "scf", + "id": "scf:tpm-03.3", + "id_raw": "TPM-03.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1022, + "title": "Processes To Address Weaknesses or Deficiencies", + "description": "Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)" + }, + { + "source": "scf", + "id": "scf:tpm-04", + "id_raw": "TPM-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 1023, + "title": "Third-Party Services ", + "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization’s systems and data.\n\nMethods To Comply With SCF Controls:\n- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.\n- Maintain and implement policies and procedures to manage service providers (e.g., Software-as-a-Service (SaaS), web hosting companies, collocation providers, or email 
providers), through observation, review of policies and procedures and review of supporting documentation. \n- Maintain a program to monitor service providers’ control compliance status at least annually.\n- Require providers of external system services to comply with organizational security requirements and employ appropriate security controls in accordance with applicable statutory, regulatory and contractual obligations.\n- Define and document oversight and user roles and responsibilities with regard to external system services.\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:tpm-04.1", + "id_raw": "TPM-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1024, + "title": "Third-Party Risk Assessments & Approvals", + "description": "Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services.\n\nMethods To Comply With SCF Controls:\n- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.\n- Maintain a list of service providers.\n- Maintain and implement controls to manage security providers (e.g., backup tape storage facilities or security service providers), through observation, review of policies and procedures and review of supporting documentation.\n- Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of data the service providers possess.\n- Maintain a program to monitor service providers’ control compliance status, at least annually.\n- Require that providers of external services comply with organizational digital security requirements and utilize appropriate security controls in accordance with all applicable laws and regulatory requirements." 
+ }, + { + "source": "scf", + "id": "scf:tpm-04.2", + "id_raw": "TPM-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1025, + "title": "External Connectivity Requirements - Identification of Ports, Protocols & Services", + "description": "Mechanisms exist to require Third-Party Service Providers (TSP) to identify and document the business need for ports, protocols and other services it requires to operate its processes and technologies." + }, + { + "source": "scf", + "id": "scf:tpm-04.3", + "id_raw": "TPM-04.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1026, + "title": "Conflict of Interests", + "description": "Mechanisms exist to ensure that the interests of third-party service providers are consistent with and reflect organizational interests.\n\nMethods To Comply With SCF Controls:\n- Third-party contract requirements for cybersecurity controls" + }, + { + "source": "scf", + "id": "scf:tpm-04.4", + "id_raw": "TPM-04.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 1027, + "title": "Third-Party Processing, Storage and Service Locations", + "description": "Mechanisms exist to restrict the location of information processing/storage based on business requirements. 
" + }, + { + "source": "scf", + "id": "scf:tpm-05", + "id_raw": "TPM-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 1028, + "title": "Third-Party Contract Requirements", + "description": "Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)" + }, + { + "source": "scf", + "id": "scf:tpm-05.1", + "id_raw": "TPM-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1029, + "title": "Security Compromise Notification Agreements", + "description": "Mechanisms exist to compel Third-Party Service Providers (TSP) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes." + }, + { + "source": "scf", + "id": "scf:tpm-05.2", + "id_raw": "TPM-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1030, + "title": "Contract Flow-Down Requirements", + "description": "Mechanisms exist to ensure cybersecurity and privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers." + }, + { + "source": "scf", + "id": "scf:tpm-05.3", + "id_raw": "TPM-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1031, + "title": "Third-Party Authentication Practices", + "description": "Mechanisms exist to ensure Third-Party Service Providers (TSP) use unique authentication factors for each of its customers." 
+ }, + { + "source": "scf", + "id": "scf:tpm-05.4", + "id_raw": "TPM-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 1032, + "title": "Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix", + "description": "Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity and privacy controls between internal stakeholders and Third-Party Service Providers (TSP). \n\nMethods To Comply With SCF Controls:\n- Customer Responsibility Matrix (CRM)\n- Shared Responsibility Matrix (SRM)\n- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix" + }, + { + "source": "scf", + "id": "scf:tpm-05.5", + "id_raw": "TPM-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 1033, + "title": "Third-Party Scope Review", + "description": "Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity and privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders. " + }, + { + "source": "scf", + "id": "scf:tpm-05.6", + "id_raw": "TPM-05.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 1034, + "title": "First-Party Declaration (1PD)", + "description": "Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable Third-Party Service Providers (TSP) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and privacy controls, including any flow-down requirements to subcontractors. 
" + }, + { + "source": "scf", + "id": "scf:tpm-06", + "id_raw": "TPM-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 1035, + "title": "Third-Party Personnel Security ", + "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers." + }, + { + "source": "scf", + "id": "scf:tpm-07", + "id_raw": "TPM-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 1036, + "title": "Monitoring for Third-Party Information Disclosure ", + "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information. " + }, + { + "source": "scf", + "id": "scf:tpm-08", + "id_raw": "TPM-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 1037, + "title": "Review of Third-Party Services", + "description": "Mechanisms exist to monitor, regularly review and audit Third-Party Service Providers (TSP) for compliance with established contractual requirements for cybersecurity and privacy controls. " + }, + { + "source": "scf", + "id": "scf:tpm-09", + "id_raw": "TPM-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 1038, + "title": "Third-Party Deficiency Remediation ", + "description": "Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. 
" + }, + { + "source": "scf", + "id": "scf:tpm-10", + "id_raw": "TPM-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 1039, + "title": "Managing Changes To Third-Party Services", + "description": "Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.\n\nMethods To Comply With SCF Controls:\n- Contact requirement to report changes to service offerings that may impact the contract.\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:tpm-11", + "id_raw": "TPM-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 1040, + "title": "Third-Party Incident Response & Recovery Capabilities", + "description": "Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers. " + }, + { + "source": "scf", + "id": "scf:thr-01", + "id_raw": "THR-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 1041, + "title": "Threat Intelligence Program", + "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities." + }, + { + "source": "scf", + "id": "scf:thr-02", + "id_raw": "THR-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 1042, + "title": "Indicators of Exposure (IOE)", + "description": "Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization. 
\n\nMethods To Comply With SCF Controls:\n- Indicators of Exposure (IoE)" + }, + { + "source": "scf", + "id": "scf:thr-03", + "id_raw": "THR-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 1043, + "title": "Threat Intelligence Feeds", + "description": "Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.\n\nMethods To Comply With SCF Controls:\n- US-CERT mailing lists & feeds\n- InfraGard\n- Internal newsletters" + }, + { + "source": "scf", + "id": "scf:thr-04", + "id_raw": "THR-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 1044, + "title": "Insider Threat Program ", + "description": "Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team. \n\nMethods To Comply With SCF Controls:\n- Insider threat program" + }, + { + "source": "scf", + "id": "scf:thr-05", + "id_raw": "THR-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 1045, + "title": "Insider Threat Awareness", + "description": "Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat." 
+ }, + { + "source": "scf", + "id": "scf:thr-06", + "id_raw": "THR-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 1046, + "title": "Vulnerability Disclosure Program (VDP)", + "description": "Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of products and services that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes.\n\nMethods To Comply With SCF Controls:\n- \"bug bounty\" program" + }, + { + "source": "scf", + "id": "scf:thr-07", + "id_raw": "THR-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 1047, + "title": "Threat Hunting", + "description": "Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls." + }, + { + "source": "scf", + "id": "scf:thr-08", + "id_raw": "THR-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 1048, + "title": "Tainting", + "description": "Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved." + }, + { + "source": "scf", + "id": "scf:vpm-01", + "id_raw": "VPM-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 1049, + "title": "Vulnerability & Patch Management Program (VPMP)", + "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.\n\nMethods To Comply With SCF Controls:\n- Vulnerability & Patch Management Program (ComplianceForge)" + }, + { + "source": "scf", + "id": "scf:vpm-01.1", + "id_raw": "VPM-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1050, + "title": "Attack Surface Scope", + "description": "Mechanisms exist to define and manage the scope for its attack surface management activities." 
+ }, + { + "source": "scf", + "id": "scf:vpm-02", + "id_raw": "VPM-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 1051, + "title": "Vulnerability Remediation Process ", + "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:vpm-03", + "id_raw": "VPM-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 1052, + "title": "Vulnerability Ranking ", + "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information. \n\nMethods To Comply With SCF Controls:\n- US-CERT " + }, + { + "source": "scf", + "id": "scf:vpm-04", + "id_raw": "VPM-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 1053, + "title": "Continuous Vulnerability Remediation Activities", + "description": "Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks. \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:vpm-04.1", + "id_raw": "VPM-04.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1054, + "title": "Stable Versions", + "description": "Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems." + }, + { + "source": "scf", + "id": "scf:vpm-04.2", + "id_raw": "VPM-04.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1055, + "title": "Flaw Remediation with Personal Data (PD)", + "description": "Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)." 
+ }, + { + "source": "scf", + "id": "scf:vpm-05", + "id_raw": "VPM-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 1056, + "title": "Software & Firmware Patching", + "description": "Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.\n\nMethods To Comply With SCF Controls:\n- Patch management tools" + }, + { + "source": "scf", + "id": "scf:vpm-05.1", + "id_raw": "VPM-05.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1057, + "title": "Centralized Management of Flaw Remediation Processes", + "description": "Mechanisms exist to centrally-manage the flaw remediation process. \n\nMethods To Comply With SCF Controls:\n- Patch management tools" + }, + { + "source": "scf", + "id": "scf:vpm-05.2", + "id_raw": "VPM-05.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1058, + "title": "Automated Remediation Status", + "description": "Automated mechanisms exist to determine the state of system components with regard to flaw remediation. \n\nMethods To Comply With SCF Controls:\n- Vulnerability scanning tools\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:vpm-05.3", + "id_raw": "VPM-05.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1059, + "title": "Time To Remediate / Benchmarks For Corrective Action", + "description": "Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:vpm-05.4", + "id_raw": "VPM-05.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 1060, + "title": "Automated Software & Firmware Updates", + "description": "Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates." 
+ }, + { + "source": "scf", + "id": "scf:vpm-05.5", + "id_raw": "VPM-05.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 1061, + "title": "Removal of Previous Versions", + "description": "Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed. " + }, + { + "source": "scf", + "id": "scf:vpm-06", + "id_raw": "VPM-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 1062, + "title": "Vulnerability Scanning ", + "description": "Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications.\n\nMethods To Comply With SCF Controls:\n- External vulnerability scans (unauthenticated)\n- Internal vulnerability scans (authenticated)\n- Nessus (https://www.tenable.com/products/nessus/nessus-professional)\n- Qualys (https://www.qualys.com/)\n- Rapid7 (https://www.rapid7.com/)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:vpm-06.1", + "id_raw": "VPM-06.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1063, + "title": "Update Tool Capability", + "description": "Mechanisms exist to update vulnerability scanning tools." + }, + { + "source": "scf", + "id": "scf:vpm-06.2", + "id_raw": "VPM-06.2", + "tier_raw": "Controls", + "tier": 1, + "seq": 1064, + "title": "Breadth / Depth of Coverage ", + "description": "Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)" + }, + { + "source": "scf", + "id": "scf:vpm-06.3", + "id_raw": "VPM-06.3", + "tier_raw": "Controls", + "tier": 1, + "seq": 1065, + "title": "Privileged Access", + "description": "Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities. \n\nMethods To Comply With SCF Controls:\n- Authenticated scans" + }, + { + "source": "scf", + "id": "scf:vpm-06.4", + "id_raw": "VPM-06.4", + "tier_raw": "Controls", + "tier": 1, + "seq": 1066, + "title": "Trend Analysis", + "description": "Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)" + }, + { + "source": "scf", + "id": "scf:vpm-06.5", + "id_raw": "VPM-06.5", + "tier_raw": "Controls", + "tier": 1, + "seq": 1067, + "title": "Review Historical Audit Logs", + "description": "Mechanisms exist to review historical audit logs to determine if identified vulnerabilities have been previously exploited. " + }, + { + "source": "scf", + "id": "scf:vpm-06.6", + "id_raw": "VPM-06.6", + "tier_raw": "Controls", + "tier": 1, + "seq": 1068, + "title": "External Vulnerability Assessment Scans", + "description": "Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)." 
+ }, + { + "source": "scf", + "id": "scf:vpm-06.7", + "id_raw": "VPM-06.7", + "tier_raw": "Controls", + "tier": 1, + "seq": 1069, + "title": "Internal Vulnerability Assessment Scans", + "description": "Mechanisms exist to perform quarterly internal vulnerability scans, that includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)." + }, + { + "source": "scf", + "id": "scf:vpm-06.8", + "id_raw": "VPM-06.8", + "tier_raw": "Controls", + "tier": 1, + "seq": 1070, + "title": "Acceptable Discoverable Information", + "description": "Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediated non-compliant systems." + }, + { + "source": "scf", + "id": "scf:vpm-06.9", + "id_raw": "VPM-06.9", + "tier_raw": "Controls", + "tier": 1, + "seq": 1071, + "title": "Correlate Scanning Information", + "description": "Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors." + }, + { + "source": "scf", + "id": "scf:vpm-07", + "id_raw": "VPM-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 1072, + "title": "Penetration Testing ", + "description": "Mechanisms exist to conduct penetration testing on systems and web applications." + }, + { + "source": "scf", + "id": "scf:vpm-07.1", + "id_raw": "VPM-07.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1073, + "title": "Independent Penetration Agent or Team", + "description": "Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing." 
+ }, + { + "source": "scf", + "id": "scf:vpm-08", + "id_raw": "VPM-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 1074, + "title": "Technical Surveillance Countermeasures Security ", + "description": "Mechanisms exist to utilize a technical surveillance countermeasures survey.\n\nMethods To Comply With SCF Controls:\n- Facility sweeping for \"bugs\" or other unauthorized surveillance technologies." + }, + { + "source": "scf", + "id": "scf:vpm-09", + "id_raw": "VPM-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 1075, + "title": "Reviewing Vulnerability Scanner Usage", + "description": "Mechanisms exist to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans. \n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)" + }, + { + "source": "scf", + "id": "scf:vpm-10", + "id_raw": "VPM-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 1076, + "title": "Red Team Exercises", + "description": "Mechanisms exist to utilize \"red team\" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement. \n\nMethods To Comply With SCF Controls:\n- \"red team\" exercises" + }, + { + "source": "scf", + "id": "scf:web-01", + "id_raw": "WEB-01", + "tier_raw": "Controls", + "tier": 1, + "seq": 1077, + "title": "Web Security", + "description": "Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures." + }, + { + "source": "scf", + "id": "scf:web-01.1", + "id_raw": "WEB-01.1", + "tier_raw": "Controls", + "tier": 1, + "seq": 1078, + "title": "Unauthorized Code", + "description": "Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser." 
+ }, + { + "source": "scf", + "id": "scf:web-02", + "id_raw": "WEB-02", + "tier_raw": "Controls", + "tier": 1, + "seq": 1079, + "title": "Use of Demilitarized Zones (DMZ)", + "description": "Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports." + }, + { + "source": "scf", + "id": "scf:web-03", + "id_raw": "WEB-03", + "tier_raw": "Controls", + "tier": 1, + "seq": 1080, + "title": "Web Application Firewall (WAF)", + "description": "Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats. \n\nMethods To Comply With SCF Controls:\n- Web Application Firewall (WAF)" + }, + { + "source": "scf", + "id": "scf:web-04", + "id_raw": "WEB-04", + "tier_raw": "Controls", + "tier": 1, + "seq": 1081, + "title": "Client-Facing Web Services", + "description": "Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.\n\nMethods To Comply With SCF Controls:\n- OWASP" + }, + { + "source": "scf", + "id": "scf:web-05", + "id_raw": "WEB-05", + "tier_raw": "Controls", + "tier": 1, + "seq": 1082, + "title": "Cookie Management", + "description": "Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management." + }, + { + "source": "scf", + "id": "scf:web-06", + "id_raw": "WEB-06", + "tier_raw": "Controls", + "tier": 1, + "seq": 1083, + "title": "Strong Customer Authentication (SCA)", + "description": "Mechanisms exist to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity." 
+ }, + { + "source": "scf", + "id": "scf:web-07", + "id_raw": "WEB-07", + "tier_raw": "Controls", + "tier": 1, + "seq": 1084, + "title": "Web Security Standard", + "description": "Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process." + }, + { + "source": "scf", + "id": "scf:web-08", + "id_raw": "WEB-08", + "tier_raw": "Controls", + "tier": 1, + "seq": 1085, + "title": "Web Application Framework", + "description": "Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs." + }, + { + "source": "scf", + "id": "scf:web-09", + "id_raw": "WEB-09", + "tier_raw": "Controls", + "tier": 1, + "seq": 1086, + "title": "Validation & Sanitization", + "description": "Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized." + }, + { + "source": "scf", + "id": "scf:web-10", + "id_raw": "WEB-10", + "tier_raw": "Controls", + "tier": 1, + "seq": 1087, + "title": "Secure Web Traffic", + "description": "Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS)." + }, + { + "source": "scf", + "id": "scf:web-11", + "id_raw": "WEB-11", + "tier_raw": "Controls", + "tier": 1, + "seq": 1088, + "title": "Output Encoding", + "description": "Mechanisms exist to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks." 
+ }, + { + "source": "scf", + "id": "scf:web-12", + "id_raw": "WEB-12", + "tier_raw": "Controls", + "tier": 1, + "seq": 1089, + "title": "Web Browser Security", + "description": "Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users." + }, + { + "source": "scf", + "id": "scf:web-13", + "id_raw": "WEB-13", + "tier_raw": "Controls", + "tier": 1, + "seq": 1090, + "title": "Website Change Detection", + "description": "Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data. " } ] diff --git a/data/controls.jsonl b/data/controls.jsonl index 31d99e5..98c5033 100644 --- a/data/controls.jsonl +++ b/data/controls.jsonl 
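Review bot: every SCF record in this hunk uses `"tier_raw": "Controls"` (plural), while the `tier_raw` values for the other sources in this repository are singular per record (`"Control"`, `"Requirement"`, `"Family"`, `"Enhancement"`, `"Statement"` in the controls.jsonl hunk below); pick one convention so tier labels can be compared across sources. The `"source": "scf"` value also lacks the version suffix the other sources carry (`nist_800_171_v1`, `nist_800_53_v4`), so a later SCF release will either overwrite these ids or need a different naming scheme. Several titles and descriptions keep trailing whitespace copied from the source spreadsheet (`"Insider Threat Program "`, `"Vulnerability Scanning "`, `"Penetration Testing "`, `"Breadth / Depth of Coverage "`, and descriptions ending in `". "`); strip them at import time so id and title lookups do not fail on an invisible space. Finally, the `"description"` field folds the "Methods To Comply With SCF Controls:" vendor lists (CimTrak, NNT Change Tracker, Nessus, Qualys) into the control text itself; consider a separate field or dropping that section, since it is product guidance rather than the control statement, and it is also where source typos such as "Contact requirement" in `scf:tpm-10` are now carried verbatim.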
@@ -317,1284 +317,1284 @@ {"source":"nist_800_171_v1","id":"nist_800_171_v1:3.9.1","id_raw":"3.9.1","tier_raw":"Requirement","tier":1,"seq":73,"title":null,"description":"Screen individuals prior to authorizing access to organizational systems containing CUI."} {"source":"nist_800_171_v1","id":"nist_800_171_v1:3.9.2","id_raw":"3.9.2","tier_raw":"Requirement","tier":1,"seq":74,"title":null,"description":"Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ac","id_raw":"AC","tier_raw":"Family","tier":0,"seq":1,"title":"Access Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1","id_raw":"AC-1","tier_raw":"Control","tier":1,"seq":null,"title":"Access Control Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-10","id_raw":"AC-10","tier_raw":"Control","tier":1,"seq":null,"title":"Concurrent Session Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11","id_raw":"AC-11","tier_raw":"Control","tier":1,"seq":null,"title":"Session Lock","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11(1)","id_raw":"AC-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Pattern-Hiding Displays","description":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11a.","id_raw":"AC-11a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11b.","id_raw":"AC-11b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Retains the session lock until the user reestablishes access using established identification and authentication procedures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-12","id_raw":"AC-12","tier_raw":"Control","tier":1,"seq":null,"title":"Session Termination","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-12(1)","id_raw":"AC-12 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"User-Initiated Logouts / Message Displays","description":"The information system: Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-13","id_raw":"AC-13","tier_raw":"Control","tier":1,"seq":null,"title":"Supervision and Review - Access Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14","id_raw":"AC-14","tier_raw":"Control","tier":1,"seq":null,"title":"Permitted Actions Without Identification Or Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14a.","id_raw":"AC-14a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14b.","id_raw":"AC-14b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents and provides supporting rationale in the security plan for the 
information system, user actions not requiring identification or authentication."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-15","id_raw":"AC-15","tier_raw":"Control","tier":1,"seq":null,"title":"Automated Marking","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16","id_raw":"AC-16","tier_raw":"Control","tier":1,"seq":null,"title":"Security Attributes","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(1)","id_raw":"AC-16 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Attribute Association","description":"The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(10)","id_raw":"AC-16 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attribute Configuration By Authorized Individuals","description":"The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(2)","id_raw":"AC-16 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attribute Value Changes By Authorized Individuals","description":"The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(3)","id_raw":"AC-16 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Maintenance Of Attribute Associations By Information System","description":"The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(4)","id_raw":"AC-16 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Association Of Attributes By Authorized Individuals","description":"The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(5)","id_raw":"AC-16 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attribute Displays For Output Devices","description":"The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(6)","id_raw":"AC-16 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Maintenance Of Attribute Association By Organization","description":"The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(7)","id_raw":"AC-16 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Consistent Attribute Interpretation","description":"The organization provides a consistent interpretation of security attributes transmitted between distributed information system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(8)","id_raw":"AC-16 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Association Techniques / Technologies","description":"The information system implements 
[Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(9)","id_raw":"AC-16 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attribute Reassignment","description":"The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16a.","id_raw":"AC-16a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16b.","id_raw":"AC-16b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the security attribute associations are made and retained with the information;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16c.","id_raw":"AC-16c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16d.","id_raw":"AC-16d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17","id_raw":"AC-17","tier_raw":"Control","tier":1,"seq":null,"title":"Remote Access","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(1)","id_raw":"AC-17 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Monitoring / Control","description":"The information system monitors and controls remote access methods."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(2)","id_raw":"AC-17 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Protection Of Confidentiality / Integrity Using Encryption","description":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(3)","id_raw":"AC-17 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Managed Access Control Points","description":"The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(4)","id_raw":"AC-17 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privileged Commands / Access","description":"The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(6)","id_raw":"AC-17 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Protection Of Information","description":"The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(9)","id_raw":"AC-17 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disconnect / Disable Access","description":"The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: 
organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17a.","id_raw":"AC-17a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17b.","id_raw":"AC-17b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes remote access to the information system prior to allowing such connections."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18","id_raw":"AC-18","tier_raw":"Control","tier":1,"seq":null,"title":"Wireless Access","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(1)","id_raw":"AC-18 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authentication And Encryption","description":"The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(3)","id_raw":"AC-18 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disable Wireless Networking","description":"The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(4)","id_raw":"AC-18 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Configurations By Users","description":"The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(5)","id_raw":"AC-18 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Antennas / Transmission Power Levels","description":"The organization selects radio 
antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18a.","id_raw":"AC-18a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18b.","id_raw":"AC-18b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes wireless access to the information system prior to allowing such connections."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19","id_raw":"AC-19","tier_raw":"Control","tier":1,"seq":null,"title":"Access Control For Mobile Devices","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19(4)","id_raw":"AC-19 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrictions For Classified Information","description":"The organization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified information systems is prohibited; Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by 
[Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19(5)","id_raw":"AC-19 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Full Device / Container-Based Encryption","description":"The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19a.","id_raw":"AC-19a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19b.","id_raw":"AC-19b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes the connection of mobile devices to organizational information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1a.","id_raw":"AC-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1b.","id_raw":"AC-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the 
current: Access control policy [Assignment: organization-defined frequency]; and Access control procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2","id_raw":"AC-2","tier_raw":"Control","tier":1,"seq":null,"title":"Account Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(1)","id_raw":"AC-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated System Account Management","description":"The organization employs automated mechanisms to support the management of information system accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(10)","id_raw":"AC-2 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Shared / Group Account Credential Termination","description":"The information system terminates shared/group account credentials when members leave the group."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(11)","id_raw":"AC-2 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Usage Conditions","description":"The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(12)","id_raw":"AC-2 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Account Monitoring / Atypical Usage","description":"The organization: Monitors information system accounts for [Assignment: organization-defined atypical usage]; and Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(13)","id_raw":"AC-2 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disable Accounts For High-Risk Individuals","description":"The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the 
risk."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(2)","id_raw":"AC-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Removal Of Temporary / Emergency Accounts","description":"The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(3)","id_raw":"AC-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disable Inactive Accounts","description":"The information system automatically disables inactive accounts after [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(4)","id_raw":"AC-2 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Audit Actions","description":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(5)","id_raw":"AC-2 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inactivity Logout","description":"The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(6)","id_raw":"AC-2 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Privilege Management","description":"The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(7)","id_raw":"AC-2 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Role-Based Schemes","description":"The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme 
that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(8)","id_raw":"AC-2 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Account Creation","description":"The information system creates [Assignment: organization-defined information system accounts] dynamically."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(9)","id_raw":"AC-2 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrictions On Use Of Shared / Group Accounts","description":"The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20","id_raw":"AC-20","tier_raw":"Control","tier":1,"seq":null,"title":"Use Of External Information Systems","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(1)","id_raw":"AC-20 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Limits On Authorized Use","description":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(2)","id_raw":"AC-20 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Portable Storage Devices","description":"The organization [Selection: restricts; prohibits] the use of 
organization-controlled portable storage devices by authorized individuals on external information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(3)","id_raw":"AC-20 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Non-Organizationally Owned Systems / Components / Devices","description":"The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(4)","id_raw":"AC-20 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Accessible Storage Devices","description":"The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20a.","id_raw":"AC-20a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20b.","id_raw":"AC-20b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, or transmit organization-controlled information using external information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21","id_raw":"AC-21","tier_raw":"Control","tier":1,"seq":null,"title":"Information Sharing","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21(1)","id_raw":"AC-21 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Decision Support","description":"The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21(2)","id_raw":"AC-21 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Information Search And Retrieval","description":"The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21a.","id_raw":"AC-21a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21b.","id_raw":"AC-21b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22","id_raw":"AC-22","tier_raw":"Control","tier":1,"seq":null,"title":"Publicly Accessible Content","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22a.","id_raw":"AC-22a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Designates individuals authorized to post information onto a publicly accessible information system;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22b.","id_raw":"AC-22b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22c.","id_raw":"AC-22c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22d.","id_raw":"AC-22d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-23","id_raw":"AC-23","tier_raw":"Control","tier":1,"seq":null,"title":"Data Mining Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24","id_raw":"AC-24","tier_raw":"Control","tier":1,"seq":null,"title":"Access Control Decisions","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24(1)","id_raw":"AC-24 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transmit Access Authorization Information","description":"The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24(2)","id_raw":"AC-24 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"No User Or Process Identity","description":"The information system enforces access control decisions based 
on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-25","id_raw":"AC-25","tier_raw":"Control","tier":1,"seq":null,"title":"Reference Monitor","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2a.","id_raw":"AC-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2b.","id_raw":"AC-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Assigns account managers for information system accounts;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2c.","id_raw":"AC-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes conditions for group and role membership;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2d.","id_raw":"AC-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2e.","id_raw":"AC-2e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2f.","id_raw":"AC-2f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Creates, enables, modifies, disables, and removes information system accounts in 
accordance with [Assignment: organization-defined procedures or conditions];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2g.","id_raw":"AC-2g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors the use of information system accounts;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2h.","id_raw":"AC-2h.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Notifies account managers: When accounts are no longer required; When users are terminated or transferred; and When individual information system usage or need-to-know changes;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2i.","id_raw":"AC-2i.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes access to the information system based on: A valid access authorization; Intended system usage; and Other attributes as required by the organization or associated missions/business functions;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2j.","id_raw":"AC-2j.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2k.","id_raw":"AC-2k.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3","id_raw":"AC-3","tier_raw":"Control","tier":1,"seq":null,"title":"Access Enforcement","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(10)","id_raw":"AC-3 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Audited Override Of Access Control Mechanisms","description":"The organization employs an audited override of automated 
access control mechanisms under [Assignment: organization-defined conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(2)","id_raw":"AC-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dual Authorization","description":"The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(3)","id_raw":"AC-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Mandatory Access Control","description":"The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes on subjects, objects, the information system, or information system components; Choosing the security attributes and attribute values to be associated with newly created or modified objects; or Changing the rules governing access control; and Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(4)","id_raw":"AC-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Discretionary Access Control","description":"The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the 
following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the information system, or the information system's components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(5)","id_raw":"AC-3 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security-Relevant Information","description":"The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(7)","id_raw":"AC-3 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Role-Based Access Control","description":"The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(8)","id_raw":"AC-3 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Revocation Of Access Authorizations","description":"The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(9)","id_raw":"AC-3 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Controlled Release","description":"The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security 
safeguards] are used to validate the appropriateness of the information designated for release."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4","id_raw":"AC-4","tier_raw":"Control","tier":1,"seq":null,"title":"Information Flow Enforcement","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(1)","id_raw":"AC-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Object Security Attributes","description":"The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(10)","id_raw":"AC-4 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Enable / Disable Security Policy Filters","description":"The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(11)","id_raw":"AC-4 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Configuration Of Security Policy Filters","description":"The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(12)","id_raw":"AC-4 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Data Type Identifiers","description":"The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(13)","id_raw":"AC-4 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Decomposition Into Policy-Relevant Subcomponents","description":"The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(14)","id_raw":"AC-4 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Policy Filter Constraints","description":"The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(15)","id_raw":"AC-4 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Detection Of Unsanctioned Information","description":"The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(17)","id_raw":"AC-4 (17)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Domain Authentication","description":"The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(18)","id_raw":"AC-4 (18)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Attribute Binding","description":"The information system binds security attributes to information using [Assignment: 
organization-defined binding techniques] to facilitate information flow policy enforcement."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(19)","id_raw":"AC-4 (19)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Validation Of Metadata","description":"The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(2)","id_raw":"AC-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Processing Domains","description":"The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(20)","id_raw":"AC-4 (20)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Approved Solutions","description":"The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(21)","id_raw":"AC-4 (21)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Physical / Logical Separation Of Information Flows","description":"The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(22)","id_raw":"AC-4 (22)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access Only","description":"The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(3)","id_raw":"AC-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Information Flow Control","description":"The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(4)","id_raw":"AC-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Content Check Encrypted Information","description":"The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(5)","id_raw":"AC-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Embedded Data Types","description":"The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(6)","id_raw":"AC-4 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Metadata","description":"The information system enforces information flow control based on [Assignment: organization-defined metadata]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(7)","id_raw":"AC-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"One-Way Flow Mechanisms","description":"The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(8)","id_raw":"AC-4 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Policy Filters","description":"The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for 
flow control decisions for [Assignment: organization-defined information flows]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(9)","id_raw":"AC-4 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Human Reviews","description":"The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5","id_raw":"AC-5","tier_raw":"Control","tier":1,"seq":null,"title":"Separation Of Duties","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5a.","id_raw":"AC-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Separates [Assignment: organization-defined duties of individuals];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5b.","id_raw":"AC-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents separation of duties of individuals; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5c.","id_raw":"AC-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Defines information system access authorizations to support separation of duties."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6","id_raw":"AC-6","tier_raw":"Control","tier":1,"seq":null,"title":"Least Privilege","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(1)","id_raw":"AC-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authorize Access To Security Functions","description":"The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(10)","id_raw":"AC-6 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Non-Privileged Users 
From Executing Privileged Functions","description":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(2)","id_raw":"AC-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Non-Privileged Access For Nonsecurity Functions","description":"The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(3)","id_raw":"AC-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Privileged Commands","description":"The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(4)","id_raw":"AC-6 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separate Processing Domains","description":"The information system provides separate processing domains to enable finer-grained allocation of user privileges."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(5)","id_raw":"AC-6 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privileged Accounts","description":"The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(6)","id_raw":"AC-6 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privileged Access By Non-Organizational Users","description":"The organization prohibits privileged access to the 
information system by non-organizational users."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(7)","id_raw":"AC-6 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review Of User Privileges","description":"The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(8)","id_raw":"AC-6 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privilege Levels For Code Execution","description":"The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(9)","id_raw":"AC-6 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Auditing Use Of Privileged Functions","description":"The information system audits the execution of privileged functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7","id_raw":"AC-7","tier_raw":"Control","tier":1,"seq":null,"title":"Unsuccessful Logon Attempts","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7(2)","id_raw":"AC-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Purge / Wipe Mobile Device","description":"The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7a.","id_raw":"AC-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Enforces a limit of [Assignment: organization-defined number] 
consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7b.","id_raw":"AC-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8","id_raw":"AC-8","tier_raw":"Control","tier":1,"seq":null,"title":"System Use Notification","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8a.","id_raw":"AC-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. 
Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8b.","id_raw":"AC-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8c.","id_raw":"AC-8c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9","id_raw":"AC-9","tier_raw":"Control","tier":1,"seq":null,"title":"Previous Logon (Access) Notification","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(1)","id_raw":"AC-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unsuccessful Logons","description":"The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(2)","id_raw":"AC-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Successful / Unsuccessful Logons","description":"The information system notifies the user of the number of [Selection: successful logons/accesses; 
unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(3)","id_raw":"AC-9 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Notification Of Account Changes","description":"The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(4)","id_raw":"AC-9 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Additional Logon Information","description":"The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1","id_raw":"AC-1","tier_raw":"Control","tier":1,"seq":1,"title":"Access Control Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-10","id_raw":"AC-10","tier_raw":"Control","tier":1,"seq":10,"title":"Concurrent Session Control","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11","id_raw":"AC-11","tier_raw":"Control","tier":1,"seq":11,"title":"Session Lock","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11(1)","id_raw":"AC-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Pattern-Hiding Displays","description":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11a.","id_raw":"AC-11a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time 
period] of inactivity or upon receiving a request from a user; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-11b.","id_raw":"AC-11b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Retains the session lock until the user reestablishes access using established identification and authentication procedures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-12","id_raw":"AC-12","tier_raw":"Control","tier":1,"seq":12,"title":"Session Termination","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-12(1)","id_raw":"AC-12 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"User-Initiated Logouts / Message Displays","description":"The information system: Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-13","id_raw":"AC-13","tier_raw":"Control","tier":1,"seq":13,"title":"Supervision and Review - Access Control","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14","id_raw":"AC-14","tier_raw":"Control","tier":1,"seq":14,"title":"Permitted Actions Without Identification Or Authentication","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14a.","id_raw":"AC-14a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-14b.","id_raw":"AC-14b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents and provides 
supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-15","id_raw":"AC-15","tier_raw":"Control","tier":1,"seq":15,"title":"Automated Marking","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16","id_raw":"AC-16","tier_raw":"Control","tier":1,"seq":16,"title":"Security Attributes","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(1)","id_raw":"AC-16 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Dynamic Attribute Association","description":"The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(10)","id_raw":"AC-16 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Attribute Configuration By Authorized Individuals","description":"The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(2)","id_raw":"AC-16 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Attribute Value Changes By Authorized Individuals","description":"The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(3)","id_raw":"AC-16 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Maintenance Of Attribute Associations By Information System","description":"The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: 
organization-defined subjects and objects]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(4)","id_raw":"AC-16 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Association Of Attributes By Authorized Individuals","description":"The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(5)","id_raw":"AC-16 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Attribute Displays For Output Devices","description":"The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(6)","id_raw":"AC-16 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Maintenance Of Attribute Association By Organization","description":"The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(7)","id_raw":"AC-16 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Consistent Attribute Interpretation","description":"The organization provides a consistent interpretation of security attributes transmitted between distributed information system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(8)","id_raw":"AC-16 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Association Techniques / Technologies","description":"The 
information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16(9)","id_raw":"AC-16 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Attribute Reassignment","description":"The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16a.","id_raw":"AC-16a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16b.","id_raw":"AC-16b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that the security attribute associations are made and retained with the information;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16c.","id_raw":"AC-16c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-16d.","id_raw":"AC-16d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17","id_raw":"AC-17","tier_raw":"Control","tier":1,"seq":17,"title":"Remote Access","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(1)","id_raw":"AC-17 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Monitoring / Control","description":"The information system monitors and controls remote access methods."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(2)","id_raw":"AC-17 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Protection Of Confidentiality / Integrity Using Encryption","description":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(3)","id_raw":"AC-17 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Managed Access Control Points","description":"The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(4)","id_raw":"AC-17 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Privileged Commands / Access","description":"The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(6)","id_raw":"AC-17 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Protection Of Information","description":"The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17(9)","id_raw":"AC-17 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Disconnect / Disable Access","description":"The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time 
period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17a.","id_raw":"AC-17a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-17b.","id_raw":"AC-17b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Authorizes remote access to the information system prior to allowing such connections."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18","id_raw":"AC-18","tier_raw":"Control","tier":1,"seq":18,"title":"Wireless Access","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(1)","id_raw":"AC-18 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Authentication And Encryption","description":"The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(3)","id_raw":"AC-18 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Disable Wireless Networking","description":"The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(4)","id_raw":"AC-18 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Restrict Configurations By Users","description":"The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18(5)","id_raw":"AC-18 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Antennas / Transmission Power Levels","description":"The organization selects radio antennas and calibrates transmission power levels to 
reduce the probability that usable signals can be received outside of organization-controlled boundaries."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18a.","id_raw":"AC-18a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-18b.","id_raw":"AC-18b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Authorizes wireless access to the information system prior to allowing such connections."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19","id_raw":"AC-19","tier_raw":"Control","tier":1,"seq":19,"title":"Access Control For Mobile Devices","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19(4)","id_raw":"AC-19 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Restrictions For Classified Information","description":"The organization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified information systems is prohibited; Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if 
classified information is found, the incident handling policy is followed. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19(5)","id_raw":"AC-19 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Full Device / Container-Based Encryption","description":"The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19a.","id_raw":"AC-19a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-19b.","id_raw":"AC-19b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Authorizes the connection of mobile devices to organizational information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1a.","id_raw":"AC-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-1b.","id_raw":"AC-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; 
and Access control procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2","id_raw":"AC-2","tier_raw":"Control","tier":1,"seq":2,"title":"Account Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(1)","id_raw":"AC-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated System Account Management","description":"The organization employs automated mechanisms to support the management of information system accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(10)","id_raw":"AC-2 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Shared / Group Account Credential Termination","description":"The information system terminates shared/group account credentials when members leave the group."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(11)","id_raw":"AC-2 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Usage Conditions","description":"The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(12)","id_raw":"AC-2 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Account Monitoring / Atypical Usage","description":"The organization: Monitors information system accounts for [Assignment: organization-defined atypical usage]; and Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(13)","id_raw":"AC-2 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Disable Accounts For High-Risk Individuals","description":"The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(2)","id_raw":"AC-2 
(2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Removal Of Temporary / Emergency Accounts","description":"The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(3)","id_raw":"AC-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Disable Inactive Accounts","description":"The information system automatically disables inactive accounts after [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(4)","id_raw":"AC-2 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Automated Audit Actions","description":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(5)","id_raw":"AC-2 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Inactivity Logout","description":"The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(6)","id_raw":"AC-2 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Dynamic Privilege Management","description":"The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(7)","id_raw":"AC-2 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Role-Based Schemes","description":"The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role 
assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(8)","id_raw":"AC-2 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Dynamic Account Creation","description":"The information system creates [Assignment: organization-defined information system accounts] dynamically."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2(9)","id_raw":"AC-2 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Restrictions On Use Of Shared / Group Accounts","description":"The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20","id_raw":"AC-20","tier_raw":"Control","tier":1,"seq":20,"title":"Use Of External Information Systems","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(1)","id_raw":"AC-20 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Limits On Authorized Use","description":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(2)","id_raw":"AC-20 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Portable Storage Devices","description":"The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(3)","id_raw":"AC-20 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Non-Organizationally Owned Systems / Components / Devices","description":"The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20(4)","id_raw":"AC-20 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Network Accessible Storage Devices","description":"The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20a.","id_raw":"AC-20a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-20b.","id_raw":"AC-20b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, or transmit organization-controlled information using external information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21","id_raw":"AC-21","tier_raw":"Control","tier":1,"seq":21,"title":"Information Sharing","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21(1)","id_raw":"AC-21 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Decision Support","description":"The 
information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21(2)","id_raw":"AC-21 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Information Search And Retrieval","description":"The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21a.","id_raw":"AC-21a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-21b.","id_raw":"AC-21b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22","id_raw":"AC-22","tier_raw":"Control","tier":1,"seq":22,"title":"Publicly Accessible Content","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22a.","id_raw":"AC-22a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Designates individuals authorized to post information onto a publicly accessible information system;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22b.","id_raw":"AC-22b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Trains authorized individuals to ensure that publicly accessible information does not contain 
nonpublic information;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22c.","id_raw":"AC-22c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-22d.","id_raw":"AC-22d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-23","id_raw":"AC-23","tier_raw":"Control","tier":1,"seq":23,"title":"Data Mining Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24","id_raw":"AC-24","tier_raw":"Control","tier":1,"seq":24,"title":"Access Control Decisions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24(1)","id_raw":"AC-24 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Transmit Access Authorization Information","description":"The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-24(2)","id_raw":"AC-24 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"No User Or Process Identity","description":"The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-25","id_raw":"AC-25","tier_raw":"Control","tier":1,"seq":25,"title":"Reference Monitor","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2a.","id_raw":"AC-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2b.","id_raw":"AC-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Assigns account managers for information system accounts;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2c.","id_raw":"AC-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Establishes conditions for group and role membership;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2d.","id_raw":"AC-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2e.","id_raw":"AC-2e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2f.","id_raw":"AC-2f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2g.","id_raw":"AC-2g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization: Monitors the use of information system accounts;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2h.","id_raw":"AC-2h.","tier_raw":"Statement","tier":2,"seq":8,"title":null,"description":"The organization: Notifies account managers: When accounts are no longer required; When users are terminated or transferred; and When individual information system usage or need-to-know changes;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2i.","id_raw":"AC-2i.","tier_raw":"Statement","tier":2,"seq":9,"title":null,"description":"The organization: Authorizes access to the information system based on: A valid access authorization; Intended system usage; and Other attributes as required by the organization or associated missions/business functions;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2j.","id_raw":"AC-2j.","tier_raw":"Statement","tier":2,"seq":10,"title":null,"description":"The organization: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-2k.","id_raw":"AC-2k.","tier_raw":"Statement","tier":2,"seq":11,"title":null,"description":"The organization: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3","id_raw":"AC-3","tier_raw":"Control","tier":1,"seq":3,"title":"Access Enforcement","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(10)","id_raw":"AC-3 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Audited Override Of Access Control Mechanisms","description":"The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(2)","id_raw":"AC-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Dual Authorization","description":"The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(3)","id_raw":"AC-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Mandatory Access Control","description":"The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes on subjects, objects, the information system, or information system components; Choosing the security attributes and attribute values to be associated with newly created or modified objects; or Changing the rules governing access control; and Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(4)","id_raw":"AC-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Discretionary Access Control","description":"The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other 
subjects; Change security attributes on subjects, objects, the information system, or the information system's components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(5)","id_raw":"AC-3 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Security-Relevant Information","description":"The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(7)","id_raw":"AC-3 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Role-Based Access Control","description":"The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(8)","id_raw":"AC-3 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Revocation Of Access Authorizations","description":"The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-3(9)","id_raw":"AC-3 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Controlled Release","description":"The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4","id_raw":"AC-4","tier_raw":"Control","tier":1,"seq":4,"title":"Information Flow Enforcement","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(1)","id_raw":"AC-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Object Security Attributes","description":"The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(10)","id_raw":"AC-4 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Enable / Disable Security Policy Filters","description":"The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(11)","id_raw":"AC-4 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Configuration Of Security Policy Filters","description":"The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(12)","id_raw":"AC-4 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Data Type Identifiers","description":"The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(13)","id_raw":"AC-4 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Decomposition Into Policy-Relevant 
Subcomponents","description":"The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(14)","id_raw":"AC-4 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Security Policy Filter Constraints","description":"The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(15)","id_raw":"AC-4 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Detection Of Unsanctioned Information","description":"The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(17)","id_raw":"AC-4 (17)","tier_raw":"Enhancement","tier":2,"seq":17,"title":"Domain Authentication","description":"The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(18)","id_raw":"AC-4 (18)","tier_raw":"Enhancement","tier":2,"seq":18,"title":"Security Attribute Binding","description":"The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(19)","id_raw":"AC-4 
(19)","tier_raw":"Enhancement","tier":2,"seq":19,"title":"Validation Of Metadata","description":"The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(2)","id_raw":"AC-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Processing Domains","description":"The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(20)","id_raw":"AC-4 (20)","tier_raw":"Enhancement","tier":2,"seq":20,"title":"Approved Solutions","description":"The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(21)","id_raw":"AC-4 (21)","tier_raw":"Enhancement","tier":2,"seq":21,"title":"Physical / Logical Separation Of Information Flows","description":"The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(22)","id_raw":"AC-4 (22)","tier_raw":"Enhancement","tier":2,"seq":22,"title":"Access Only","description":"The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(3)","id_raw":"AC-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Dynamic Information Flow Control","description":"The 
information system enforces dynamic information flow control based on [Assignment: organization-defined policies]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(4)","id_raw":"AC-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Content Check Encrypted Information","description":"The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(5)","id_raw":"AC-4 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Embedded Data Types","description":"The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(6)","id_raw":"AC-4 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Metadata","description":"The information system enforces information flow control based on [Assignment: organization-defined metadata]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(7)","id_raw":"AC-4 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"One-Way Flow Mechanisms","description":"The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(8)","id_raw":"AC-4 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Security Policy Filters","description":"The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-4(9)","id_raw":"AC-4 
(9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Human Reviews","description":"The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5","id_raw":"AC-5","tier_raw":"Control","tier":1,"seq":5,"title":"Separation Of Duties","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5a.","id_raw":"AC-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Separates [Assignment: organization-defined duties of individuals];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5b.","id_raw":"AC-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents separation of duties of individuals; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-5c.","id_raw":"AC-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Defines information system access authorizations to support separation of duties."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6","id_raw":"AC-6","tier_raw":"Control","tier":1,"seq":6,"title":"Least Privilege","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(1)","id_raw":"AC-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Authorize Access To Security Functions","description":"The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(10)","id_raw":"AC-6 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Prohibit Non-Privileged Users From Executing Privileged Functions","description":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or 
altering implemented security safeguards/countermeasures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(2)","id_raw":"AC-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Non-Privileged Access For Nonsecurity Functions","description":"The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(3)","id_raw":"AC-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Network Access To Privileged Commands","description":"The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(4)","id_raw":"AC-6 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Separate Processing Domains","description":"The information system provides separate processing domains to enable finer-grained allocation of user privileges."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(5)","id_raw":"AC-6 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Privileged Accounts","description":"The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(6)","id_raw":"AC-6 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Privileged Access By Non-Organizational Users","description":"The organization prohibits privileged access to the information system by non-organizational users."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(7)","id_raw":"AC-6 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Review Of User 
Privileges","description":"The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(8)","id_raw":"AC-6 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Privilege Levels For Code Execution","description":"The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-6(9)","id_raw":"AC-6 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Auditing Use Of Privileged Functions","description":"The information system audits the execution of privileged functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7","id_raw":"AC-7","tier_raw":"Control","tier":1,"seq":7,"title":"Unsuccessful Logon Attempts","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7(2)","id_raw":"AC-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Purge / Wipe Mobile Device","description":"The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7a.","id_raw":"AC-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-7b.","id_raw":"AC-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8","id_raw":"AC-8","tier_raw":"Control","tier":1,"seq":8,"title":"System Use Notification","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8a.","id_raw":"AC-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. 
Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8b.","id_raw":"AC-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-8c.","id_raw":"AC-8c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9","id_raw":"AC-9","tier_raw":"Control","tier":1,"seq":9,"title":"Previous Logon (Access) Notification","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(1)","id_raw":"AC-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Unsuccessful Logons","description":"The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(2)","id_raw":"AC-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Successful / Unsuccessful Logons","description":"The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful 
logon/access attempts; both] during [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(3)","id_raw":"AC-9 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Notification Of Account Changes","description":"The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ac-9(4)","id_raw":"AC-9 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Additional Logon Information","description":"The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:at","id_raw":"AT","tier_raw":"Family","tier":0,"seq":2,"title":"Awareness and Training","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1","id_raw":"AT-1","tier_raw":"Control","tier":1,"seq":null,"title":"Security Awareness and Training Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1a.","id_raw":"AT-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1b.","id_raw":"AT-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The 
organization: Reviews and updates the current: Security awareness and training policy [Assignment: organization-defined frequency]; and Security awareness and training procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2","id_raw":"AT-2","tier_raw":"Control","tier":1,"seq":null,"title":"Security Awareness Training","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2(1)","id_raw":"AT-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Practical Exercises","description":"The organization includes practical exercises in security awareness training that simulate actual cyber attacks."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2(2)","id_raw":"AT-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Insider Threat","description":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2a.","id_raw":"AT-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2b.","id_raw":"AT-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2c.","id_raw":"AT-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3","id_raw":"AT-3","tier_raw":"Control","tier":1,"seq":null,"title":"Role-Based Security Training","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(1)","id_raw":"AT-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Environmental Controls","description":"The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(2)","id_raw":"AT-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Physical Security Controls","description":"The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(3)","id_raw":"AT-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Practical Exercises","description":"The organization includes practical exercises in security training that reinforce training objectives."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(4)","id_raw":"AT-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Suspicious Communications And Anomalous System Behavior","description":"The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3a.","id_raw":"AT-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3b.","id_raw":"AT-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3c.","id_raw":"AT-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4","id_raw":"AT-4","tier_raw":"Control","tier":1,"seq":null,"title":"Security Training Records","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4a.","id_raw":"AT-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4b.","id_raw":"AT-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Retains individual training records for [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-5","id_raw":"AT-5","tier_raw":"Control","tier":1,"seq":null,"title":"Contacts With Security Groups and Associations","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1","id_raw":"AT-1","tier_raw":"Control","tier":1,"seq":1,"title":"Security Awareness and Training Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1a.","id_raw":"AT-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to 
[Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-1b.","id_raw":"AT-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Security awareness and training policy [Assignment: organization-defined frequency]; and Security awareness and training procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2","id_raw":"AT-2","tier_raw":"Control","tier":1,"seq":2,"title":"Security Awareness Training","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2(1)","id_raw":"AT-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Practical Exercises","description":"The organization includes practical exercises in security awareness training that simulate actual cyber attacks."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2(2)","id_raw":"AT-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Insider Threat","description":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2a.","id_raw":"AT-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2b.","id_raw":"AT-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization 
provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-2c.","id_raw":"AT-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3","id_raw":"AT-3","tier_raw":"Control","tier":1,"seq":3,"title":"Role-Based Security Training","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(1)","id_raw":"AT-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Environmental Controls","description":"The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(2)","id_raw":"AT-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Physical Security Controls","description":"The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(3)","id_raw":"AT-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Practical Exercises","description":"The organization includes practical exercises in security training that reinforce training objectives."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3(4)","id_raw":"AT-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Suspicious Communications And Anomalous System Behavior","description":"The organization provides training to its personnel on 
[Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3a.","id_raw":"AT-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3b.","id_raw":"AT-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-3c.","id_raw":"AT-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4","id_raw":"AT-4","tier_raw":"Control","tier":1,"seq":4,"title":"Security Training Records","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4a.","id_raw":"AT-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-4b.","id_raw":"AT-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Retains individual training records for [Assignment: organization-defined time period]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:at-5","id_raw":"AT-5","tier_raw":"Control","tier":1,"seq":5,"title":"Contacts With Security Groups and Associations","description":null} {"source":"nist_800_53_v4","id":"nist_800_53_v4:au","id_raw":"AU","tier_raw":"Family","tier":0,"seq":3,"title":"Audit and Accountability","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1","id_raw":"AU-1","tier_raw":"Control","tier":1,"seq":null,"title":"Audit and Accountability Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10","id_raw":"AU-10","tier_raw":"Control","tier":1,"seq":null,"title":"Non-Repudiation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(1)","id_raw":"AU-10 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Association Of Identities","description":"The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(2)","id_raw":"AU-10 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Validate Binding Of Information Producer Identity","description":"The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(3)","id_raw":"AU-10 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Chain Of Custody","description":"The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(4)","id_raw":"AU-10 
(4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Validate Binding Of Information Reviewer Identity","description":"The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-11","id_raw":"AU-11","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Record Retention","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-11(1)","id_raw":"AU-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Long-Term Retrieval Capability","description":"The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12","id_raw":"AU-12","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Generation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(1)","id_raw":"AU-12 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"System-Wide / Time-Correlated Audit Trail","description":"The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(2)","id_raw":"AU-12 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Standardized Formats","description":"The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(3)","id_raw":"AU-12 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Changes By Authorized Individuals","description":"The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12a.","id_raw":"AU-12a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12b.","id_raw":"AU-12b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12c.","id_raw":"AU-12c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Generates audit records for the events defined in AU-2 d. 
with the content defined in AU-3."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13","id_raw":"AU-13","tier_raw":"Control","tier":1,"seq":null,"title":"Monitoring For Information Disclosure","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13(1)","id_raw":"AU-13 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Automated Tools","description":"The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13(2)","id_raw":"AU-13 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review Of Monitored Sites","description":"The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14","id_raw":"AU-14","tier_raw":"Control","tier":1,"seq":null,"title":"Session Audit","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(1)","id_raw":"AU-14 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"System Start-Up","description":"The information system initiates session audits at system start-up."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(2)","id_raw":"AU-14 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Capture/Record And Log Content","description":"The information system provides the capability for authorized users to capture/record and log content related to a user session."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(3)","id_raw":"AU-14 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Remote Viewing / Listening","description":"The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-15","id_raw":"AU-15","tier_raw":"Control","tier":1,"seq":null,"title":"Alternate 
Audit Capability","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16","id_raw":"AU-16","tier_raw":"Control","tier":1,"seq":null,"title":"Cross-Organizational Auditing","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16(1)","id_raw":"AU-16 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identity Preservation","description":"The organization requires that the identity of individuals be preserved in cross-organizational audit trails."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16(2)","id_raw":"AU-16 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Sharing Of Audit Information","description":"The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1a.","id_raw":"AU-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1b.","id_raw":"AU-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and Audit and accountability procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2","id_raw":"AU-2","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Events","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2(3)","id_raw":"AU-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Reviews And Updates","description":"The organization reviews and updates the audited events [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2a.","id_raw":"AU-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2b.","id_raw":"AU-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2c.","id_raw":"AU-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2d.","id_raw":"AU-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3","id_raw":"AU-3","tier_raw":"Control","tier":1,"seq":null,"title":"Content Of Audit Records","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3(1)","id_raw":"AU-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Additional Audit Information","description":"The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3(2)","id_raw":"AU-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Centralized Management Of Planned Audit Record Content","description":"The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-4","id_raw":"AU-4","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Storage Capacity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-4(1)","id_raw":"AU-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transfer To Alternate Storage","description":"The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5","id_raw":"AU-5","tier_raw":"Control","tier":1,"seq":null,"title":"Response To Audit Processing Failures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(1)","id_raw":"AU-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Audit Storage Capacity","description":"The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: 
organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(2)","id_raw":"AU-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Real-Time Alerts","description":"The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(3)","id_raw":"AU-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Configurable Traffic Volume Thresholds","description":"The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(4)","id_raw":"AU-5 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Shutdown On Failure","description":"The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5a.","id_raw":"AU-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5b.","id_raw":"AU-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Takes the following additional actions: 
[Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6","id_raw":"AU-6","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Review, Analysis, and Reporting","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(1)","id_raw":"AU-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Process Integration","description":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(10)","id_raw":"AU-6 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Audit Level Adjustment","description":"The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(3)","id_raw":"AU-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlate Audit Repositories","description":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(4)","id_raw":"AU-6 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Central Review And Analysis","description":"The information system provides the capability to centrally review and analyze audit records from multiple components within the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(5)","id_raw":"AU-6 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integration / Scanning And Monitoring Capabilities","description":"The organization integrates analysis of audit 
records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(6)","id_raw":"AU-6 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlation With Physical Monitoring","description":"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(7)","id_raw":"AU-6 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Permitted Actions","description":"The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(8)","id_raw":"AU-6 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Full Text Analysis Of Privileged Commands","description":"The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(9)","id_raw":"AU-6 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlation With Information From Nontechnical Sources","description":"The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6a.","id_raw":"AU-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The 
organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6b.","id_raw":"AU-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reports findings to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7","id_raw":"AU-7","tier_raw":"Control","tier":1,"seq":null,"title":"Audit Reduction and Report Generation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7(1)","id_raw":"AU-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Processing","description":"The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7(2)","id_raw":"AU-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Sort And Search","description":"The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7a.","id_raw":"AU-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7b.","id_raw":"AU-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system provides an audit reduction and report generation capability that: Does not alter the original content or time 
ordering of audit records."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8","id_raw":"AU-8","tier_raw":"Control","tier":1,"seq":null,"title":"Time Stamps","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8(1)","id_raw":"AU-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Synchronization With Authoritative Time Source","description":"The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8(2)","id_raw":"AU-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Secondary Authoritative Time Source","description":"The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8a.","id_raw":"AU-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Uses internal system clocks to generate time stamps for audit records; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8b.","id_raw":"AU-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9","id_raw":"AU-9","tier_raw":"Control","tier":1,"seq":null,"title":"Protection Of Audit Information","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(1)","id_raw":"AU-9 
(1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware Write-Once Media","description":"The information system writes audit trails to hardware-enforced, write-once media."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(2)","id_raw":"AU-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Audit Backup On Separate Physical Systems / Components","description":"The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(3)","id_raw":"AU-9 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(4)","id_raw":"AU-9 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access By Subset Of Privileged Users","description":"The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(5)","id_raw":"AU-9 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dual Authorization","description":"The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(6)","id_raw":"AU-9 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Read Only Access","description":"The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1","id_raw":"AU-1","tier_raw":"Control","tier":1,"seq":1,"title":"Audit and Accountability Policy and 
Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10","id_raw":"AU-10","tier_raw":"Control","tier":1,"seq":10,"title":"Non-Repudiation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(1)","id_raw":"AU-10 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Association Of Identities","description":"The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(2)","id_raw":"AU-10 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Validate Binding Of Information Producer Identity","description":"The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(3)","id_raw":"AU-10 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Chain Of Custody","description":"The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-10(4)","id_raw":"AU-10 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Validate Binding Of Information Reviewer Identity","description":"The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-11","id_raw":"AU-11","tier_raw":"Control","tier":1,"seq":11,"title":"Audit Record Retention","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-11(1)","id_raw":"AU-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Long-Term Retrieval Capability","description":"The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12","id_raw":"AU-12","tier_raw":"Control","tier":1,"seq":12,"title":"Audit Generation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(1)","id_raw":"AU-12 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"System-Wide / Time-Correlated Audit Trail","description":"The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(2)","id_raw":"AU-12 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Standardized Formats","description":"The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12(3)","id_raw":"AU-12 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Changes By Authorized Individuals","description":"The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: 
organization-defined time thresholds]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12a.","id_raw":"AU-12a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12b.","id_raw":"AU-12b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-12c.","id_raw":"AU-12c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13","id_raw":"AU-13","tier_raw":"Control","tier":1,"seq":13,"title":"Monitoring For Information Disclosure","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13(1)","id_raw":"AU-13 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Use Of Automated Tools","description":"The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-13(2)","id_raw":"AU-13 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Review Of Monitored Sites","description":"The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14","id_raw":"AU-14","tier_raw":"Control","tier":1,"seq":14,"title":"Session Audit","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(1)","id_raw":"AU-14 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"System Start-Up","description":"The information system initiates session audits at system start-up."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(2)","id_raw":"AU-14 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Capture/Record And Log Content","description":"The information system provides the capability for authorized users to capture/record and log content related to a user session."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-14(3)","id_raw":"AU-14 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Remote Viewing / Listening","description":"The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-15","id_raw":"AU-15","tier_raw":"Control","tier":1,"seq":15,"title":"Alternate Audit Capability","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16","id_raw":"AU-16","tier_raw":"Control","tier":1,"seq":16,"title":"Cross-Organizational Auditing","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16(1)","id_raw":"AU-16 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Identity Preservation","description":"The organization requires that the identity of individuals be preserved in cross-organizational audit trails."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-16(2)","id_raw":"AU-16 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Sharing Of Audit Information","description":"The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1a.","id_raw":"AU-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates 
to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-1b.","id_raw":"AU-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and Audit and accountability procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2","id_raw":"AU-2","tier_raw":"Control","tier":1,"seq":2,"title":"Audit Events","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2(3)","id_raw":"AU-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Reviews And Updates","description":"The organization reviews and updates the audited events [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2a.","id_raw":"AU-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2b.","id_raw":"AU-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2c.","id_raw":"AU-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Provides a rationale for why 
the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-2d.","id_raw":"AU-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3","id_raw":"AU-3","tier_raw":"Control","tier":1,"seq":3,"title":"Content Of Audit Records","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3(1)","id_raw":"AU-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Additional Audit Information","description":"The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-3(2)","id_raw":"AU-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Centralized Management Of Planned Audit Record Content","description":"The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-4","id_raw":"AU-4","tier_raw":"Control","tier":1,"seq":4,"title":"Audit Storage Capacity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-4(1)","id_raw":"AU-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Transfer To Alternate Storage","description":"The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5","id_raw":"AU-5","tier_raw":"Control","tier":1,"seq":5,"title":"Response To Audit Processing Failures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(1)","id_raw":"AU-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Audit Storage Capacity","description":"The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(2)","id_raw":"AU-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Real-Time Alerts","description":"The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(3)","id_raw":"AU-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Configurable Traffic Volume Thresholds","description":"The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5(4)","id_raw":"AU-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Shutdown On Failure","description":"The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5a.","id_raw":"AU-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-5b.","id_raw":"AU-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6","id_raw":"AU-6","tier_raw":"Control","tier":1,"seq":6,"title":"Audit Review, Analysis, and Reporting","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(1)","id_raw":"AU-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Process Integration","description":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(10)","id_raw":"AU-6 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Audit Level Adjustment","description":"The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(3)","id_raw":"AU-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Correlate Audit Repositories","description":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(4)","id_raw":"AU-6 
(4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Central Review And Analysis","description":"The information system provides the capability to centrally review and analyze audit records from multiple components within the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(5)","id_raw":"AU-6 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Integration / Scanning And Monitoring Capabilities","description":"The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(6)","id_raw":"AU-6 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Correlation With Physical Monitoring","description":"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(7)","id_raw":"AU-6 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Permitted Actions","description":"The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(8)","id_raw":"AU-6 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Full Text Analysis Of Privileged Commands","description":"The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6(9)","id_raw":"AU-6 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Correlation With Information From Nontechnical Sources","description":"The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6a.","id_raw":"AU-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-6b.","id_raw":"AU-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reports findings to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7","id_raw":"AU-7","tier_raw":"Control","tier":1,"seq":7,"title":"Audit Reduction and Report Generation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7(1)","id_raw":"AU-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automatic Processing","description":"The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7(2)","id_raw":"AU-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automatic Sort And Search","description":"The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7a.","id_raw":"AU-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system provides 
an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-7b.","id_raw":"AU-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8","id_raw":"AU-8","tier_raw":"Control","tier":1,"seq":8,"title":"Time Stamps","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8(1)","id_raw":"AU-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Synchronization With Authoritative Time Source","description":"The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8(2)","id_raw":"AU-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Secondary Authoritative Time Source","description":"The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8a.","id_raw":"AU-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Uses internal system clocks to generate time stamps for audit records; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-8b.","id_raw":"AU-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Records time stamps for audit records that can 
be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9","id_raw":"AU-9","tier_raw":"Control","tier":1,"seq":9,"title":"Protection Of Audit Information","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(1)","id_raw":"AU-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Hardware Write-Once Media","description":"The information system writes audit trails to hardware-enforced, write-once media."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(2)","id_raw":"AU-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Audit Backup On Separate Physical Systems / Components","description":"The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(3)","id_raw":"AU-9 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(4)","id_raw":"AU-9 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Access By Subset Of Privileged Users","description":"The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(5)","id_raw":"AU-9 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Dual Authorization","description":"The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:au-9(6)","id_raw":"AU-9 
(6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Read Only Access","description":"The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ca","id_raw":"CA","tier_raw":"Family","tier":0,"seq":4,"title":"Security Assessment and Authorization","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1","id_raw":"CA-1","tier_raw":"Control","tier":1,"seq":null,"title":"Security Assessment and Authorization Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1a.","id_raw":"CA-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1b.","id_raw":"CA-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and Security assessment and authorization procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2","id_raw":"CA-2","tier_raw":"Control","tier":1,"seq":null,"title":"Security Assessments","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(1)","id_raw":"CA-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Independent Assessors","description":"The organization employs assessors or assessment teams with 
[Assignment: organization-defined level of independence] to conduct security control assessments."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(2)","id_raw":"CA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Specialized Assessments","description":"The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(3)","id_raw":"CA-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"External Organizations","description":"The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2a.","id_raw":"CA-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2b.","id_raw":"CA-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect 
to meeting established security requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2c.","id_raw":"CA-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Produces a security assessment report that documents the results of the assessment; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2d.","id_raw":"CA-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3","id_raw":"CA-3","tier_raw":"Control","tier":1,"seq":null,"title":"System Interconnections","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(1)","id_raw":"CA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unclassified National Security System Connections","description":"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(2)","id_raw":"CA-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Classified National Security System Connections","description":"The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(3)","id_raw":"CA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unclassified Non-National Security System Connections","description":"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary 
protection device]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(4)","id_raw":"CA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Connections To Public Networks","description":"The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(5)","id_raw":"CA-3 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrictions On External System Connections","description":"The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3a.","id_raw":"CA-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3b.","id_raw":"CA-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3c.","id_raw":"CA-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-4","id_raw":"CA-4","tier_raw":"Control","tier":1,"seq":null,"title":"Security Certification","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5","id_raw":"CA-5","tier_raw":"Control","tier":1,"seq":null,"title":"Plan Of Action and Milestones","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5(1)","id_raw":"CA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automation Support For Accuracy / Currency","description":"The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5a.","id_raw":"CA-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5b.","id_raw":"CA-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6","id_raw":"CA-6","tier_raw":"Control","tier":1,"seq":null,"title":"Security Authorization","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6a.","id_raw":"CA-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Assigns a senior-level executive or manager as the authorizing official for the information system;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6b.","id_raw":"CA-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6c.","id_raw":"CA-6c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the security authorization [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7","id_raw":"CA-7","tier_raw":"Control","tier":1,"seq":null,"title":"Continuous Monitoring","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7(1)","id_raw":"CA-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Independent Assessment","description":"The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7(3)","id_raw":"CA-7 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Trend Analyses","description":"The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7a.","id_raw":"CA-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7b.","id_raw":"CA-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7c.","id_raw":"CA-7c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7d.","id_raw":"CA-7d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7e.","id_raw":"CA-7e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7f.","id_raw":"CA-7f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7g.","id_raw":"CA-7g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8","id_raw":"CA-8","tier_raw":"Control","tier":1,"seq":null,"title":"Penetration Testing","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8(1)","id_raw":"CA-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Independent Penetration Agent Or Team","description":"The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8(2)","id_raw":"CA-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Red Team Exercises","description":"The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9","id_raw":"CA-9","tier_raw":"Control","tier":1,"seq":null,"title":"Internal System Connections","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9(1)","id_raw":"CA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Compliance Checks","description":"The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9a.","id_raw":"CA-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9b.","id_raw":"CA-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the 
nature of the information communicated."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1","id_raw":"CA-1","tier_raw":"Control","tier":1,"seq":1,"title":"Security Assessment and Authorization Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1a.","id_raw":"CA-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-1b.","id_raw":"CA-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and Security assessment and authorization procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2","id_raw":"CA-2","tier_raw":"Control","tier":1,"seq":2,"title":"Security Assessments","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(1)","id_raw":"CA-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Independent Assessors","description":"The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(2)","id_raw":"CA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Specialized Assessments","description":"The organization includes as part of security control assessments, [Assignment: organization-defined 
frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2(3)","id_raw":"CA-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"External Organizations","description":"The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2a.","id_raw":"CA-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2b.","id_raw":"CA-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2c.","id_raw":"CA-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Produces a security assessment report that documents the results of the assessment; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-2d.","id_raw":"CA-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3","id_raw":"CA-3","tier_raw":"Control","tier":1,"seq":3,"title":"System Interconnections","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(1)","id_raw":"CA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Unclassified National Security System Connections","description":"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(2)","id_raw":"CA-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Classified National Security System Connections","description":"The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(3)","id_raw":"CA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Unclassified Non-National Security System Connections","description":"The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(4)","id_raw":"CA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Connections To Public Networks","description":"The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public 
network."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3(5)","id_raw":"CA-3 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Restrictions On External System Connections","description":"The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3a.","id_raw":"CA-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3b.","id_raw":"CA-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-3c.","id_raw":"CA-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-4","id_raw":"CA-4","tier_raw":"Control","tier":1,"seq":4,"title":"Security Certification","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5","id_raw":"CA-5","tier_raw":"Control","tier":1,"seq":5,"title":"Plan Of Action and Milestones","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5(1)","id_raw":"CA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automation Support For Accuracy / Currency","description":"The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5a.","id_raw":"CA-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-5b.","id_raw":"CA-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6","id_raw":"CA-6","tier_raw":"Control","tier":1,"seq":6,"title":"Security Authorization","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6a.","id_raw":"CA-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Assigns a senior-level executive or manager as the authorizing official for the information system;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6b.","id_raw":"CA-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-6c.","id_raw":"CA-6c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Updates the security authorization [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7","id_raw":"CA-7","tier_raw":"Control","tier":1,"seq":7,"title":"Continuous Monitoring","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7(1)","id_raw":"CA-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Independent Assessment","description":"The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7(3)","id_raw":"CA-7 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Trend Analyses","description":"The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7a.","id_raw":"CA-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7b.","id_raw":"CA-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7c.","id_raw":"CA-7c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7d.","id_raw":"CA-7d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7e.","id_raw":"CA-7e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7f.","id_raw":"CA-7f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-7g.","id_raw":"CA-7g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8","id_raw":"CA-8","tier_raw":"Control","tier":1,"seq":8,"title":"Penetration Testing","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8(1)","id_raw":"CA-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Independent Penetration Agent Or Team","description":"The organization employs an independent penetration agent or penetration team to perform 
penetration testing on the information system or system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-8(2)","id_raw":"CA-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Red Team Exercises","description":"The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9","id_raw":"CA-9","tier_raw":"Control","tier":1,"seq":9,"title":"Internal System Connections","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9(1)","id_raw":"CA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Security Compliance Checks","description":"The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9a.","id_raw":"CA-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ca-9b.","id_raw":"CA-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:cm","id_raw":"CM","tier_raw":"Family","tier":0,"seq":5,"title":"Configuration Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1","id_raw":"CM-1","tier_raw":"Control","tier":1,"seq":null,"title":"Configuration Management Policy and Procedures","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10","id_raw":"CM-10","tier_raw":"Control","tier":1,"seq":null,"title":"Software Usage Restrictions","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10(1)","id_raw":"CM-10 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Open Source Software","description":"The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10a.","id_raw":"CM-10a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10b.","id_raw":"CM-10b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10c.","id_raw":"CM-10c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11","id_raw":"CM-11","tier_raw":"Control","tier":1,"seq":null,"title":"User-Installed Software","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11(1)","id_raw":"CM-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alerts For Unauthorized Installations","description":"The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11(2)","id_raw":"CM-11 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Installation Without Privileged Status","description":"The information system prohibits user installation of software without explicit privileged status."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11a.","id_raw":"CM-11a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11b.","id_raw":"CM-11b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11c.","id_raw":"CM-11c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors policy compliance at [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1a.","id_raw":"CM-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1b.","id_raw":"CM-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and Configuration management procedures [Assignment: 
organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2","id_raw":"CM-2","tier_raw":"Control","tier":1,"seq":null,"title":"Baseline Configuration","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(1)","id_raw":"CM-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Reviews And Updates","description":"The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; When required due to [Assignment organization-defined circumstances]; and As an integral part of information system component installations and upgrades."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(2)","id_raw":"CM-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automation Support For Accuracy / Currency","description":"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(3)","id_raw":"CM-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Retention Of Previous Configurations","description":"The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(6)","id_raw":"CM-2 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Development And Test Environments","description":"The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(7)","id_raw":"CM-2 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Configure Systems, Components, Or Devices For High-Risk Areas","description":"The organization: Issues [Assignment: organization-defined 
information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3","id_raw":"CM-3","tier_raw":"Control","tier":1,"seq":null,"title":"Configuration Change Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(1)","id_raw":"CM-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Document / Notification / Prohibition Of Changes","description":"The organization employs automated mechanisms to: Document proposed changes to the information system; Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval; Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; Prohibit changes to the information system until designated approvals are received; Document all changes to the information system; and Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(2)","id_raw":"CM-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Test / Validate / Document Changes","description":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(3)","id_raw":"CM-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Change Implementation","description":"The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed 
base."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(4)","id_raw":"CM-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Representative","description":"The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(5)","id_raw":"CM-3 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Security Response","description":"The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(6)","id_raw":"CM-3 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptography Management","description":"The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3a.","id_raw":"CM-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines the types of changes to the information system that are configuration-controlled;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3b.","id_raw":"CM-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3c.","id_raw":"CM-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents configuration change decisions associated with the information system;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3d.","id_raw":"CM-3d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements approved configuration-controlled changes to the information system;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3e.","id_raw":"CM-3e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3f.","id_raw":"CM-3f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3g.","id_raw":"CM-3g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4","id_raw":"CM-4","tier_raw":"Control","tier":1,"seq":null,"title":"Security Impact Analysis","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4(1)","id_raw":"CM-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separate Test Environments","description":"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4(2)","id_raw":"CM-4 
(2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Verification Of Security Functions","description":"The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5","id_raw":"CM-5","tier_raw":"Control","tier":1,"seq":null,"title":"Access Restrictions For Change","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(1)","id_raw":"CM-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Access Enforcement / Auditing","description":"The information system enforces access restrictions and supports auditing of the enforcement actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(2)","id_raw":"CM-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review System Changes","description":"The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(3)","id_raw":"CM-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Signed Components","description":"The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(4)","id_raw":"CM-5 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dual Authorization","description":"The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(5)","id_raw":"CM-5 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Limit Production / Operational Privileges","description":"The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(6)","id_raw":"CM-5 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Limit Library Privileges","description":"The organization limits privileges to change software resident within software libraries."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6","id_raw":"CM-6","tier_raw":"Control","tier":1,"seq":null,"title":"Configuration Settings","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6(1)","id_raw":"CM-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Central Management / Application / Verification","description":"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6(2)","id_raw":"CM-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Respond To Unauthorized Changes","description":"The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6a.","id_raw":"CM-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most 
restrictive mode consistent with operational requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6b.","id_raw":"CM-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements the configuration settings;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6c.","id_raw":"CM-6c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6d.","id_raw":"CM-6d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7","id_raw":"CM-7","tier_raw":"Control","tier":1,"seq":null,"title":"Least Functionality","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(1)","id_raw":"CM-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Periodic Review","description":"The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(2)","id_raw":"CM-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Program Execution","description":"The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules 
authorizing the terms and conditions of software program usage]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(3)","id_raw":"CM-7 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Registration Compliance","description":"The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(4)","id_raw":"CM-7 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unauthorized Software / Blacklisting","description":"The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(5)","id_raw":"CM-7 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authorized Software / Whitelisting","description":"The organization: Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7a.","id_raw":"CM-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Configures the information system to provide only essential capabilities; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7b.","id_raw":"CM-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Prohibits or restricts the use of the following functions, ports, protocols, 
and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8","id_raw":"CM-8","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Component Inventory","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(1)","id_raw":"CM-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Updates During Installations / Removals","description":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(2)","id_raw":"CM-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Maintenance","description":"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(3)","id_raw":"CM-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Unauthorized Component Detection","description":"The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(4)","id_raw":"CM-8 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Accountability Information","description":"The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable 
for administering those components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(5)","id_raw":"CM-8 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"No Duplicate Accounting Of Components","description":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(6)","id_raw":"CM-8 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Assessed Configurations / Approved Deviations","description":"The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(7)","id_raw":"CM-8 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Centralized Repository","description":"The organization provides a centralized repository for the inventory of information system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(8)","id_raw":"CM-8 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Location Tracking","description":"The organization employs automated mechanisms to support tracking of information system components by geographic location."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(9)","id_raw":"CM-8 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Assignment Of Components To Systems","description":"The organization: Assigns [Assignment: organization-defined acquired information system components] to an information system; and Receives an acknowledgement from the information system owner of this assignment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8a.","id_raw":"CM-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops and documents an inventory of information system components that: Accurately 
reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8b.","id_raw":"CM-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9","id_raw":"CM-9","tier_raw":"Control","tier":1,"seq":null,"title":"Configuration Management Plan","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9(1)","id_raw":"CM-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Assignment Of Responsibility","description":"The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9a.","id_raw":"CM-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9b.","id_raw":"CM-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9c.","id_raw":"CM-9c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9d.","id_raw":"CM-9d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1","id_raw":"CM-1","tier_raw":"Control","tier":1,"seq":1,"title":"Configuration Management Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10","id_raw":"CM-10","tier_raw":"Control","tier":1,"seq":10,"title":"Software Usage Restrictions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10(1)","id_raw":"CM-10 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Open Source Software","description":"The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10a.","id_raw":"CM-10a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10b.","id_raw":"CM-10b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-10c.","id_raw":"CM-10c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11","id_raw":"CM-11","tier_raw":"Control","tier":1,"seq":11,"title":"User-Installed Software","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11(1)","id_raw":"CM-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Alerts For Unauthorized Installations","description":"The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11(2)","id_raw":"CM-11 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Prohibit Installation Without Privileged Status","description":"The information system prohibits user installation of software without explicit privileged status."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11a.","id_raw":"CM-11a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11b.","id_raw":"CM-11b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-11c.","id_raw":"CM-11c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Monitors policy compliance at [Assignment: organization-defined frequency]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1a.","id_raw":"CM-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-1b.","id_raw":"CM-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and Configuration management procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2","id_raw":"CM-2","tier_raw":"Control","tier":1,"seq":2,"title":"Baseline Configuration","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(1)","id_raw":"CM-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Reviews And Updates","description":"The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; When required due to [Assignment organization-defined circumstances]; and As an integral part of information system component installations and upgrades."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(2)","id_raw":"CM-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automation Support For Accuracy / Currency","description":"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(3)","id_raw":"CM-2 
(3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Retention Of Previous Configurations","description":"The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(6)","id_raw":"CM-2 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Development And Test Environments","description":"The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-2(7)","id_raw":"CM-2 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Configure Systems, Components, Or Devices For High-Risk Areas","description":"The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3","id_raw":"CM-3","tier_raw":"Control","tier":1,"seq":3,"title":"Configuration Change Control","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(1)","id_raw":"CM-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Document / Notification / Prohibition Of Changes","description":"The organization employs automated mechanisms to: Document proposed changes to the information system; Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval; Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; Prohibit changes to the information 
system until designated approvals are received; Document all changes to the information system; and Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(2)","id_raw":"CM-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Test / Validate / Document Changes","description":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(3)","id_raw":"CM-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automated Change Implementation","description":"The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(4)","id_raw":"CM-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Security Representative","description":"The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(5)","id_raw":"CM-3 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Automated Security Response","description":"The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3(6)","id_raw":"CM-3 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Cryptography Management","description":"The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3a.","id_raw":"CM-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Determines the types of changes to the information system that are configuration-controlled;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3b.","id_raw":"CM-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3c.","id_raw":"CM-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Documents configuration change decisions associated with the information system;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3d.","id_raw":"CM-3d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Implements approved configuration-controlled changes to the information system;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3e.","id_raw":"CM-3e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3f.","id_raw":"CM-3f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-3g.","id_raw":"CM-3g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that 
convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4","id_raw":"CM-4","tier_raw":"Control","tier":1,"seq":4,"title":"Security Impact Analysis","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4(1)","id_raw":"CM-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Separate Test Environments","description":"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-4(2)","id_raw":"CM-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Verification Of Security Functions","description":"The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5","id_raw":"CM-5","tier_raw":"Control","tier":1,"seq":5,"title":"Access Restrictions For Change","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(1)","id_raw":"CM-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Access Enforcement / Auditing","description":"The information system enforces access restrictions and supports auditing of the enforcement actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(2)","id_raw":"CM-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Review System Changes","description":"The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes 
have occurred."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(3)","id_raw":"CM-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Signed Components","description":"The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(4)","id_raw":"CM-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Dual Authorization","description":"The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(5)","id_raw":"CM-5 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Limit Production / Operational Privileges","description":"The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-5(6)","id_raw":"CM-5 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Limit Library Privileges","description":"The organization limits privileges to change software resident within software libraries."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6","id_raw":"CM-6","tier_raw":"Control","tier":1,"seq":6,"title":"Configuration Settings","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6(1)","id_raw":"CM-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Central Management / Application / Verification","description":"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system 
components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6(2)","id_raw":"CM-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Respond To Unauthorized Changes","description":"The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6a.","id_raw":"CM-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6b.","id_raw":"CM-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Implements the configuration settings;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6c.","id_raw":"CM-6c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-6d.","id_raw":"CM-6d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7","id_raw":"CM-7","tier_raw":"Control","tier":1,"seq":7,"title":"Least Functionality","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(1)","id_raw":"CM-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Periodic 
Review","description":"The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(2)","id_raw":"CM-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Prevent Program Execution","description":"The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(3)","id_raw":"CM-7 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Registration Compliance","description":"The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(4)","id_raw":"CM-7 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Unauthorized Software / Blacklisting","description":"The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7(5)","id_raw":"CM-7 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Authorized Software / Whitelisting","description":"The organization: Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; 
Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7a.","id_raw":"CM-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Configures the information system to provide only essential capabilities; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-7b.","id_raw":"CM-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8","id_raw":"CM-8","tier_raw":"Control","tier":1,"seq":8,"title":"Information System Component Inventory","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(1)","id_raw":"CM-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Updates During Installations / Removals","description":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(2)","id_raw":"CM-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Maintenance","description":"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(3)","id_raw":"CM-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automated Unauthorized Component Detection","description":"The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the 
presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(4)","id_raw":"CM-8 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Accountability Information","description":"The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(5)","id_raw":"CM-8 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"No Duplicate Accounting Of Components","description":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(6)","id_raw":"CM-8 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Assessed Configurations / Approved Deviations","description":"The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(7)","id_raw":"CM-8 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Centralized Repository","description":"The organization provides a centralized repository for the inventory of information system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(8)","id_raw":"CM-8 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Automated Location Tracking","description":"The organization employs automated mechanisms to support tracking of information 
system components by geographic location."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8(9)","id_raw":"CM-8 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Assignment Of Components To Systems","description":"The organization: Assigns [Assignment: organization-defined acquired information system components] to an information system; and Receives an acknowledgement from the information system owner of this assignment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8a.","id_raw":"CM-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-8b.","id_raw":"CM-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9","id_raw":"CM-9","tier_raw":"Control","tier":1,"seq":9,"title":"Configuration Management Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9(1)","id_raw":"CM-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Assignment Of Responsibility","description":"The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9a.","id_raw":"CM-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization 
develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9b.","id_raw":"CM-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9c.","id_raw":"CM-9c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cm-9d.","id_raw":"CM-9d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:cp","id_raw":"CP","tier_raw":"Family","tier":0,"seq":6,"title":"Contingency Planning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1","id_raw":"CP-1","tier_raw":"Control","tier":1,"seq":null,"title":"Contingency Planning Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10","id_raw":"CP-10","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Recovery and Reconstitution","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(2)","id_raw":"CP-10 
(2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transaction Recovery","description":"The information system implements transaction recovery for systems that are transaction-based."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(4)","id_raw":"CP-10 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restore Within Time Period","description":"The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(6)","id_raw":"CP-10 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Component Protection","description":"The organization protects backup and restoration hardware, firmware, and software."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-11","id_raw":"CP-11","tier_raw":"Control","tier":1,"seq":null,"title":"Alternate Communications Protocols","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-12","id_raw":"CP-12","tier_raw":"Control","tier":1,"seq":null,"title":"Safe Mode","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-13","id_raw":"CP-13","tier_raw":"Control","tier":1,"seq":null,"title":"Alternative Security Mechanisms","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1a.","id_raw":"CP-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1b.","id_raw":"CP-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Contingency planning policy [Assignment: organization-defined frequency]; and Contingency planning procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2","id_raw":"CP-2","tier_raw":"Control","tier":1,"seq":null,"title":"Contingency Plan","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(1)","id_raw":"CP-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordinate With Related Plans","description":"The organization coordinates contingency plan development with organizational elements responsible for related plans."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(2)","id_raw":"CP-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Capacity Planning","description":"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(3)","id_raw":"CP-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Resume Essential Missions / Business Functions","description":"The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(4)","id_raw":"CP-2 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Resume All Missions / Business Functions","description":"The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(5)","id_raw":"CP-2 
(5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continue Essential Missions / Business Functions","description":"The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(6)","id_raw":"CP-2 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alternate Processing / Storage Site","description":"The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(7)","id_raw":"CP-2 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordinate With External Service Providers","description":"The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(8)","id_raw":"CP-2 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identify Critical Assets","description":"The organization identifies critical information system assets supporting essential missions and business functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2a.","id_raw":"CP-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses 
maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2b.","id_raw":"CP-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2c.","id_raw":"CP-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Coordinates contingency planning activities with incident handling activities;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2d.","id_raw":"CP-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2e.","id_raw":"CP-2e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2f.","id_raw":"CP-2f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2g.","id_raw":"CP-2g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects the contingency plan from unauthorized disclosure and modification."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3","id_raw":"CP-3","tier_raw":"Control","tier":1,"seq":null,"title":"Contingency Training","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3(1)","id_raw":"CP-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Simulated Events","description":"The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3(2)","id_raw":"CP-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Training Environments","description":"The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3a.","id_raw":"CP-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3b.","id_raw":"CP-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3c.","id_raw":"CP-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities: 
[Assignment: organization-defined frequency] thereafter."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4","id_raw":"CP-4","tier_raw":"Control","tier":1,"seq":null,"title":"Contingency Plan Testing","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(1)","id_raw":"CP-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordinate With Related Plans","description":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(2)","id_raw":"CP-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alternate Processing Site","description":"The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(3)","id_raw":"CP-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Testing","description":"The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(4)","id_raw":"CP-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Full Recovery / Reconstitution","description":"The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4a.","id_raw":"CP-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4b.","id_raw":"CP-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the contingency plan test results; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4c.","id_raw":"CP-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Initiates corrective actions, if needed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-5","id_raw":"CP-5","tier_raw":"Control","tier":1,"seq":null,"title":"Contingency Plan Update","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6","id_raw":"CP-6","tier_raw":"Control","tier":1,"seq":null,"title":"Alternate Storage Site","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(1)","id_raw":"CP-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separation From Primary Site","description":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(2)","id_raw":"CP-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Recovery Time / Point Objectives","description":"The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(3)","id_raw":"CP-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Accessibility","description":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6a.","id_raw":"CP-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes an alternate storage site including necessary agreements to 
permit the storage and retrieval of information system backup information; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6b.","id_raw":"CP-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7","id_raw":"CP-7","tier_raw":"Control","tier":1,"seq":null,"title":"Alternate Processing Site","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(1)","id_raw":"CP-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separation From Primary Site","description":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(2)","id_raw":"CP-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Accessibility","description":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(3)","id_raw":"CP-7 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Priority Of Service","description":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(4)","id_raw":"CP-7 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Preparation For Use","description":"The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(6)","id_raw":"CP-7 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inability To Return To Primary Site","description":"The organization plans and prepares for circumstances that preclude returning to the primary processing site."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7a.","id_raw":"CP-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7b.","id_raw":"CP-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7c.","id_raw":"CP-7c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8","id_raw":"CP-8","tier_raw":"Control","tier":1,"seq":null,"title":"Telecommunications Services","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(1)","id_raw":"CP-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Priority Of Service Provisions","description":"The organization: Develops primary and alternate telecommunications service 
agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(2)","id_raw":"CP-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Single Points Of Failure","description":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(3)","id_raw":"CP-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separation Of Primary / Alternate Providers","description":"The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(4)","id_raw":"CP-8 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Provider Contingency Plan","description":"The organization: Requires primary and alternate telecommunications service providers to have contingency plans; Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(5)","id_raw":"CP-8 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alternate Telecommunication Service Testing","description":"The organization tests alternate telecommunication services [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9","id_raw":"CP-9","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Backup","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(1)","id_raw":"CP-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Testing For Reliability / Integrity","description":"The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(2)","id_raw":"CP-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Test Restoration Using Sampling","description":"The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(3)","id_raw":"CP-9 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separate Storage For Critical Information","description":"The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(5)","id_raw":"CP-9 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transfer To Alternate Storage Site","description":"The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(6)","id_raw":"CP-9 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Redundant Secondary System","description":"The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the 
primary system and that can be activated without loss of information or disruption to operations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(7)","id_raw":"CP-9 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dual Authorization","description":"The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9a.","id_raw":"CP-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9b.","id_raw":"CP-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9c.","id_raw":"CP-9c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9d.","id_raw":"CP-9d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects the confidentiality, integrity, and availability of backup information at storage locations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1","id_raw":"CP-1","tier_raw":"Control","tier":1,"seq":1,"title":"Contingency Planning Policy and Procedures","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10","id_raw":"CP-10","tier_raw":"Control","tier":1,"seq":10,"title":"Information System Recovery and Reconstitution","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(2)","id_raw":"CP-10 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Transaction Recovery","description":"The information system implements transaction recovery for systems that are transaction-based."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(4)","id_raw":"CP-10 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Restore Within Time Period","description":"The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-10(6)","id_raw":"CP-10 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Component Protection","description":"The organization protects backup and restoration hardware, firmware, and software."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-11","id_raw":"CP-11","tier_raw":"Control","tier":1,"seq":11,"title":"Alternate Communications Protocols","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-12","id_raw":"CP-12","tier_raw":"Control","tier":1,"seq":12,"title":"Safe Mode","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-13","id_raw":"CP-13","tier_raw":"Control","tier":1,"seq":13,"title":"Alternative Security Mechanisms","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1a.","id_raw":"CP-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, 
responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-1b.","id_raw":"CP-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Contingency planning policy [Assignment: organization-defined frequency]; and Contingency planning procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2","id_raw":"CP-2","tier_raw":"Control","tier":1,"seq":2,"title":"Contingency Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(1)","id_raw":"CP-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Coordinate With Related Plans","description":"The organization coordinates contingency plan development with organizational elements responsible for related plans."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(2)","id_raw":"CP-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Capacity Planning","description":"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(3)","id_raw":"CP-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Resume Essential Missions / Business Functions","description":"The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(4)","id_raw":"CP-2 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Resume All Missions / Business Functions","description":"The organization plans for the resumption of all missions 
and business functions within [Assignment: organization-defined time period] of contingency plan activation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(5)","id_raw":"CP-2 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Continue Essential Missions / Business Functions","description":"The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(6)","id_raw":"CP-2 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Alternate Processing / Storage Site","description":"The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(7)","id_raw":"CP-2 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Coordinate With External Service Providers","description":"The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2(8)","id_raw":"CP-2 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Identify Critical Assets","description":"The organization identifies critical information system assets supporting essential missions and business functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2a.","id_raw":"CP-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; 
Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2b.","id_raw":"CP-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2c.","id_raw":"CP-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Coordinates contingency planning activities with incident handling activities;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2d.","id_raw":"CP-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2e.","id_raw":"CP-2e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2f.","id_raw":"CP-2f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel 
(identified by name and/or by role) and organizational elements]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-2g.","id_raw":"CP-2g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization: Protects the contingency plan from unauthorized disclosure and modification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3","id_raw":"CP-3","tier_raw":"Control","tier":1,"seq":3,"title":"Contingency Training","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3(1)","id_raw":"CP-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Simulated Events","description":"The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3(2)","id_raw":"CP-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Training Environments","description":"The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3a.","id_raw":"CP-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3b.","id_raw":"CP-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-3c.","id_raw":"CP-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization provides contingency training to information system users 
consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4","id_raw":"CP-4","tier_raw":"Control","tier":1,"seq":4,"title":"Contingency Plan Testing","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(1)","id_raw":"CP-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Coordinate With Related Plans","description":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(2)","id_raw":"CP-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Alternate Processing Site","description":"The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(3)","id_raw":"CP-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automated Testing","description":"The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4(4)","id_raw":"CP-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Full Recovery / Reconstitution","description":"The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4a.","id_raw":"CP-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4b.","id_raw":"CP-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews the contingency plan test results; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-4c.","id_raw":"CP-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Initiates corrective actions, if needed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-5","id_raw":"CP-5","tier_raw":"Control","tier":1,"seq":5,"title":"Contingency Plan Update","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6","id_raw":"CP-6","tier_raw":"Control","tier":1,"seq":6,"title":"Alternate Storage Site","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(1)","id_raw":"CP-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Separation From Primary Site","description":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(2)","id_raw":"CP-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Recovery Time / Point Objectives","description":"The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6(3)","id_raw":"CP-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Accessibility","description":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6a.","id_raw":"CP-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes an alternate storage site including necessary agreements to permit the storage and 
retrieval of information system backup information; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-6b.","id_raw":"CP-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7","id_raw":"CP-7","tier_raw":"Control","tier":1,"seq":7,"title":"Alternate Processing Site","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(1)","id_raw":"CP-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Separation From Primary Site","description":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(2)","id_raw":"CP-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Accessibility","description":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(3)","id_raw":"CP-7 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Priority Of Service","description":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(4)","id_raw":"CP-7 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Preparation For Use","description":"The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7(6)","id_raw":"CP-7 
(6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Inability To Return To Primary Site","description":"The organization plans and prepares for circumstances that preclude returning to the primary processing site."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7a.","id_raw":"CP-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7b.","id_raw":"CP-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-7c.","id_raw":"CP-7c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8","id_raw":"CP-8","tier_raw":"Control","tier":1,"seq":8,"title":"Telecommunications Services","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(1)","id_raw":"CP-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Priority Of Service Provisions","description":"The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational 
availability requirements (including recovery time objectives); and Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(2)","id_raw":"CP-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Single Points Of Failure","description":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(3)","id_raw":"CP-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Separation Of Primary / Alternate Providers","description":"The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(4)","id_raw":"CP-8 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Provider Contingency Plan","description":"The organization: Requires primary and alternate telecommunications service providers to have contingency plans; Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-8(5)","id_raw":"CP-8 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Alternate Telecommunication Service Testing","description":"The organization tests alternate telecommunication services [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9","id_raw":"CP-9","tier_raw":"Control","tier":1,"seq":9,"title":"Information System Backup","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(1)","id_raw":"CP-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Testing For Reliability / Integrity","description":"The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(2)","id_raw":"CP-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Test Restoration Using Sampling","description":"The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(3)","id_raw":"CP-9 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Separate Storage For Critical Information","description":"The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(5)","id_raw":"CP-9 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Transfer To Alternate Storage Site","description":"The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(6)","id_raw":"CP-9 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Redundant Secondary System","description":"The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9(7)","id_raw":"CP-9 
(7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Dual Authorization","description":"The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9a.","id_raw":"CP-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9b.","id_raw":"CP-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9c.","id_raw":"CP-9c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:cp-9d.","id_raw":"CP-9d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Protects the confidentiality, integrity, and availability of backup information at storage locations."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ia","id_raw":"IA","tier_raw":"Family","tier":0,"seq":7,"title":"Identification and Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1","id_raw":"IA-1","tier_raw":"Control","tier":1,"seq":null,"title":"Identification and Authentication Policy and Procedures","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-10","id_raw":"IA-10","tier_raw":"Control","tier":1,"seq":null,"title":"Adaptive Identification and Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-11","id_raw":"IA-11","tier_raw":"Control","tier":1,"seq":null,"title":"Re-Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1a.","id_raw":"IA-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1b.","id_raw":"IA-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and Identification and authentication procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2","id_raw":"IA-2","tier_raw":"Control","tier":1,"seq":null,"title":"Identification and Authentication (Organizational Users)","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(1)","id_raw":"IA-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Privileged Accounts","description":"The information system implements multifactor authentication for network access to privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(10)","id_raw":"IA-2 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Single Sign-On","description":"The 
information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(11)","id_raw":"IA-2 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Remote Access - Separate Device","description":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(12)","id_raw":"IA-2 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acceptance Of Piv Credentials","description":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(13)","id_raw":"IA-2 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Out-Of-Band Authentication","description":"The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(2)","id_raw":"IA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Non-Privileged Accounts","description":"The information system implements multifactor authentication for network access to non-privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(3)","id_raw":"IA-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Local Access To Privileged Accounts","description":"The information system implements multifactor authentication for local access to privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(4)","id_raw":"IA-2 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Local Access To Non-Privileged 
Accounts","description":"The information system implements multifactor authentication for local access to non-privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(5)","id_raw":"IA-2 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Group Authentication","description":"The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(6)","id_raw":"IA-2 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Privileged Accounts - Separate Device","description":"The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(7)","id_raw":"IA-2 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Non-Privileged Accounts - Separate Device","description":"The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(8)","id_raw":"IA-2 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Privileged Accounts - Replay Resistant","description":"The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(9)","id_raw":"IA-2 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Network Access To Non-Privileged Accounts - Replay Resistant","description":"The information system 
implements replay-resistant authentication mechanisms for network access to non-privileged accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3","id_raw":"IA-3","tier_raw":"Control","tier":1,"seq":null,"title":"Device Identification and Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(1)","id_raw":"IA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Bidirectional Authentication","description":"The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(3)","id_raw":"IA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Address Allocation","description":"The organization: Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audits lease information when assigned to a device."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(4)","id_raw":"IA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Device Attestation","description":"The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4","id_raw":"IA-4","tier_raw":"Control","tier":1,"seq":null,"title":"Identifier Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(1)","id_raw":"IA-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Account Identifiers As Public Identifiers","description":"The organization prohibits the use of information system account identifiers that are the same as public 
identifiers for individual electronic mail accounts."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(2)","id_raw":"IA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Supervisor Authorization","description":"The organization requires that the registration process to receive an individual identifier includes supervisor authorization."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(3)","id_raw":"IA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Multiple Forms Of Certification","description":"The organization requires multiple forms of certification of individual identification be presented to the registration authority."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(4)","id_raw":"IA-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identify User Status","description":"The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(5)","id_raw":"IA-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Management","description":"The information system dynamically manages identifiers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(6)","id_raw":"IA-4 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cross-Organization Management","description":"The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(7)","id_raw":"IA-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"In-Person Registration","description":"The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4a.","id_raw":"IA-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4b.","id_raw":"IA-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4c.","id_raw":"IA-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4d.","id_raw":"IA-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4e.","id_raw":"IA-4e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5","id_raw":"IA-5","tier_raw":"Control","tier":1,"seq":null,"title":"Authenticator Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(1)","id_raw":"IA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Password-Based Authentication","description":"The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined 
requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and transmits only cryptographically-protected passwords; Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; Prohibits password reuse for [Assignment: organization-defined number] generations; and Allows the use of a temporary password for system logons with an immediate change to a permanent password."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(10)","id_raw":"IA-5 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Credential Association","description":"The information system dynamically provisions identities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(11)","id_raw":"IA-5 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware Token-Based Authentication","description":"The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(12)","id_raw":"IA-5 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Biometric-Based Authentication","description":"The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(13)","id_raw":"IA-5 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Expiration Of Cached Authenticators","description":"The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(14)","id_raw":"IA-5 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Managing Content Of Pki Trust Stores","description":"The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(15)","id_raw":"IA-5 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Ficam-Approved Products And Services","description":"The organization uses only FICAM-approved path discovery and validation products and services."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(2)","id_raw":"IA-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Pki-Based Authentication","description":"The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(3)","id_raw":"IA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"In-Person Or Trusted Third-Party Registration","description":"The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(4)","id_raw":"IA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Support For Password Strength Determination","description":"The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(5)","id_raw":"IA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Change Authenticators Prior To Delivery","description":"The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(6)","id_raw":"IA-5 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Protection Of Authenticators","description":"The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(7)","id_raw":"IA-5 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"No Embedded Unencrypted Static Authenticators","description":"The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(8)","id_raw":"IA-5 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Multiple Information System Accounts","description":"The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(9)","id_raw":"IA-5 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cross-Organization Credential Management","description":"The organization coordinates with 
[Assignment: organization-defined external organizations] for cross-organization management of credentials."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5a.","id_raw":"IA-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5b.","id_raw":"IA-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5c.","id_raw":"IA-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5d.","id_raw":"IA-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5e.","id_raw":"IA-5e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5f.","id_raw":"IA-5f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Establishing minimum and maximum 
lifetime restrictions and reuse conditions for authenticators;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5g.","id_raw":"IA-5g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5h.","id_raw":"IA-5h.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5i.","id_raw":"IA-5i.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5j.","id_raw":"IA-5j.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-6","id_raw":"IA-6","tier_raw":"Control","tier":1,"seq":null,"title":"Authenticator Feedback","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-7","id_raw":"IA-7","tier_raw":"Control","tier":1,"seq":null,"title":"Cryptographic Module Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8","id_raw":"IA-8","tier_raw":"Control","tier":1,"seq":null,"title":"Identification and Authentication (Non-Organizational Users)","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(1)","id_raw":"IA-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acceptance Of 
Piv Credentials From Other Agencies","description":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(2)","id_raw":"IA-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acceptance Of Third-Party Credentials","description":"The information system accepts only FICAM-approved third-party credentials."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(3)","id_raw":"IA-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Ficam-Approved Products","description":"The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(4)","id_raw":"IA-8 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Ficam-Issued Profiles","description":"The information system conforms to FICAM-issued profiles."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(5)","id_raw":"IA-8 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acceptance Of Piv-I Credentials","description":"The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9","id_raw":"IA-9","tier_raw":"Control","tier":1,"seq":null,"title":"Service Identification and Authentication","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9(1)","id_raw":"IA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Information Exchange","description":"The organization ensures that service providers receive, validate, and transmit identification and authentication information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9(2)","id_raw":"IA-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transmission Of Decisions","description":"The 
organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1","id_raw":"IA-1","tier_raw":"Control","tier":1,"seq":1,"title":"Identification and Authentication Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-10","id_raw":"IA-10","tier_raw":"Control","tier":1,"seq":10,"title":"Adaptive Identification and Authentication","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-11","id_raw":"IA-11","tier_raw":"Control","tier":1,"seq":11,"title":"Re-Authentication","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1a.","id_raw":"IA-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-1b.","id_raw":"IA-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and Identification and authentication procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2","id_raw":"IA-2","tier_raw":"Control","tier":1,"seq":2,"title":"Identification and Authentication (Organizational Users)","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(1)","id_raw":"IA-2 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Network Access To Privileged Accounts","description":"The information system implements multifactor authentication for network access to privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(10)","id_raw":"IA-2 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Single Sign-On","description":"The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(11)","id_raw":"IA-2 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Remote Access - Separate Device","description":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(12)","id_raw":"IA-2 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Acceptance Of Piv Credentials","description":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(13)","id_raw":"IA-2 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Out-Of-Band Authentication","description":"The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(2)","id_raw":"IA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Network Access To Non-Privileged Accounts","description":"The information system implements multifactor authentication for network access to non-privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(3)","id_raw":"IA-2 
(3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Local Access To Privileged Accounts","description":"The information system implements multifactor authentication for local access to privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(4)","id_raw":"IA-2 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Local Access To Non-Privileged Accounts","description":"The information system implements multifactor authentication for local access to non-privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(5)","id_raw":"IA-2 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Group Authentication","description":"The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(6)","id_raw":"IA-2 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Network Access To Privileged Accounts - Separate Device","description":"The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(7)","id_raw":"IA-2 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Network Access To Non-Privileged Accounts - Separate Device","description":"The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(8)","id_raw":"IA-2 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Network Access To Privileged Accounts - Replay Resistant","description":"The 
information system implements replay-resistant authentication mechanisms for network access to privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-2(9)","id_raw":"IA-2 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Network Access To Non-Privileged Accounts - Replay Resistant","description":"The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3","id_raw":"IA-3","tier_raw":"Control","tier":1,"seq":3,"title":"Device Identification and Authentication","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(1)","id_raw":"IA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Cryptographic Bidirectional Authentication","description":"The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(3)","id_raw":"IA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Dynamic Address Allocation","description":"The organization: Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audits lease information when assigned to a device."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-3(4)","id_raw":"IA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Device Attestation","description":"The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4","id_raw":"IA-4","tier_raw":"Control","tier":1,"seq":4,"title":"Identifier 
Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(1)","id_raw":"IA-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Prohibit Account Identifiers As Public Identifiers","description":"The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(2)","id_raw":"IA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Supervisor Authorization","description":"The organization requires that the registration process to receive an individual identifier includes supervisor authorization."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(3)","id_raw":"IA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Multiple Forms Of Certification","description":"The organization requires multiple forms of certification of individual identification be presented to the registration authority."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(4)","id_raw":"IA-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Identify User Status","description":"The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(5)","id_raw":"IA-4 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Dynamic Management","description":"The information system dynamically manages identifiers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(6)","id_raw":"IA-4 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Cross-Organization Management","description":"The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4(7)","id_raw":"IA-4 
(7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"In-Person Registration","description":"The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4a.","id_raw":"IA-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4b.","id_raw":"IA-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4c.","id_raw":"IA-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4d.","id_raw":"IA-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-4e.","id_raw":"IA-4e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5","id_raw":"IA-5","tier_raw":"Control","tier":1,"seq":5,"title":"Authenticator Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(1)","id_raw":"IA-5 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Password-Based Authentication","description":"The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and transmits only cryptographically-protected passwords; Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; Prohibits password reuse for [Assignment: organization-defined number] generations; and Allows the use of a temporary password for system logons with an immediate change to a permanent password."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(10)","id_raw":"IA-5 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Dynamic Credential Association","description":"The information system dynamically provisions identities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(11)","id_raw":"IA-5 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Hardware Token-Based Authentication","description":"The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(12)","id_raw":"IA-5 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Biometric-Based Authentication","description":"The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(13)","id_raw":"IA-5 
(13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Expiration Of Cached Authenticators","description":"The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(14)","id_raw":"IA-5 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Managing Content Of Pki Trust Stores","description":"The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(15)","id_raw":"IA-5 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Ficam-Approved Products And Services","description":"The organization uses only FICAM-approved path discovery and validation products and services."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(2)","id_raw":"IA-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Pki-Based Authentication","description":"The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(3)","id_raw":"IA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"In-Person Or Trusted Third-Party Registration","description":"The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a 
trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(4)","id_raw":"IA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Automated Support For Password Strength Determination","description":"The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(5)","id_raw":"IA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Change Authenticators Prior To Delivery","description":"The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(6)","id_raw":"IA-5 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Protection Of Authenticators","description":"The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(7)","id_raw":"IA-5 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"No Embedded Unencrypted Static Authenticators","description":"The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(8)","id_raw":"IA-5 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Multiple Information System Accounts","description":"The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5(9)","id_raw":"IA-5 
(9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Cross-Organization Credential Management","description":"The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5a.","id_raw":"IA-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5b.","id_raw":"IA-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5c.","id_raw":"IA-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5d.","id_raw":"IA-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5e.","id_raw":"IA-5e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5f.","id_raw":"IA-5f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5g.","id_raw":"IA-5g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5h.","id_raw":"IA-5h.","tier_raw":"Statement","tier":2,"seq":8,"title":null,"description":"The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5i.","id_raw":"IA-5i.","tier_raw":"Statement","tier":2,"seq":9,"title":null,"description":"The organization manages information system authenticators by: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-5j.","id_raw":"IA-5j.","tier_raw":"Statement","tier":2,"seq":10,"title":null,"description":"The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-6","id_raw":"IA-6","tier_raw":"Control","tier":1,"seq":6,"title":"Authenticator Feedback","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-7","id_raw":"IA-7","tier_raw":"Control","tier":1,"seq":7,"title":"Cryptographic Module Authentication","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8","id_raw":"IA-8","tier_raw":"Control","tier":1,"seq":8,"title":"Identification and Authentication (Non-Organizational Users)","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(1)","id_raw":"IA-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Acceptance Of Piv Credentials From Other Agencies","description":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(2)","id_raw":"IA-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Acceptance Of Third-Party Credentials","description":"The information system accepts only FICAM-approved third-party credentials."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(3)","id_raw":"IA-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Use Of Ficam-Approved Products","description":"The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(4)","id_raw":"IA-8 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Use Of Ficam-Issued Profiles","description":"The information system conforms to FICAM-issued profiles."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-8(5)","id_raw":"IA-8 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Acceptance Of Piv-I Credentials","description":"The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9","id_raw":"IA-9","tier_raw":"Control","tier":1,"seq":9,"title":"Service Identification and Authentication","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9(1)","id_raw":"IA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Information 
Exchange","description":"The organization ensures that service providers receive, validate, and transmit identification and authentication information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ia-9(2)","id_raw":"IA-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Transmission Of Decisions","description":"The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ir","id_raw":"IR","tier_raw":"Family","tier":0,"seq":8,"title":"Incident Response","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1","id_raw":"IR-1","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Response Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-10","id_raw":"IR-10","tier_raw":"Control","tier":1,"seq":null,"title":"Integrated Information Security Analysis Team","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1a.","id_raw":"IR-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1b.","id_raw":"IR-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and Incident response procedures [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2","id_raw":"IR-2","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Response Training","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2(1)","id_raw":"IR-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Simulated Events","description":"The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2(2)","id_raw":"IR-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Training Environments","description":"The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2a.","id_raw":"IR-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2b.","id_raw":"IR-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2c.","id_raw":"IR-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3","id_raw":"IR-3","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Response 
Testing","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3(1)","id_raw":"IR-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Testing","description":"The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3(2)","id_raw":"IR-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordination With Related Plans","description":"The organization coordinates incident response testing with organizational elements responsible for related plans."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4","id_raw":"IR-4","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Handling","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(1)","id_raw":"IR-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Incident Handling Processes","description":"The organization employs automated mechanisms to support the incident handling process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(10)","id_raw":"IR-4 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Supply Chain Coordination","description":"The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(2)","id_raw":"IR-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Reconfiguration","description":"The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(3)","id_raw":"IR-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continuity Of Operations","description":"The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: 
organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(4)","id_raw":"IR-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Information Correlation","description":"The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(5)","id_raw":"IR-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Disabling Of Information System","description":"The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(6)","id_raw":"IR-4 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Insider Threats - Specific Capabilities","description":"The organization implements incident handling capability for insider threats."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(7)","id_raw":"IR-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Insider Threats - Intra-Organization Coordination","description":"The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(8)","id_raw":"IR-4 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlation With External Organizations","description":"The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(9)","id_raw":"IR-4 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Response Capability","description":"The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4a.","id_raw":"IR-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4b.","id_raw":"IR-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Coordinates incident handling activities with contingency planning activities; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4c.","id_raw":"IR-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-5","id_raw":"IR-5","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Monitoring","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-5(1)","id_raw":"IR-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Tracking / Data Collection / Analysis","description":"The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6","id_raw":"IR-6","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Reporting","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(1)","id_raw":"IR-6 
(1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Reporting","description":"The organization employs automated mechanisms to assist in the reporting of security incidents."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(2)","id_raw":"IR-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Vulnerabilities Related To Incidents","description":"The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(3)","id_raw":"IR-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordination With Supply Chain","description":"The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6a.","id_raw":"IR-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6b.","id_raw":"IR-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reports security incident information to [Assignment: organization-defined authorities]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7","id_raw":"IR-7","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Response Assistance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7(1)","id_raw":"IR-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automation Support For Availability Of Information / Support","description":"The organization employs automated mechanisms to increase the availability of incident response-related information 
and support."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7(2)","id_raw":"IR-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Coordination With External Providers","description":"The organization: Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and Identifies organizational incident response team members to the external providers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8","id_raw":"IR-8","tier_raw":"Control","tier":1,"seq":null,"title":"Incident Response Plan","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8a.","id_raw":"IR-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8b.","id_raw":"IR-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8c.","id_raw":"IR-8c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the incident response plan [Assignment: organization-defined frequency];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8d.","id_raw":"IR-8d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8e.","id_raw":"IR-8e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8f.","id_raw":"IR-8f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects the incident response plan from unauthorized disclosure and modification."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9","id_raw":"IR-9","tier_raw":"Control","tier":1,"seq":null,"title":"Information Spillage Response","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(1)","id_raw":"IR-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Responsible Personnel","description":"The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(2)","id_raw":"IR-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Training","description":"The organization provides information spillage response training [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(3)","id_raw":"IR-9 
(3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Post-Spill Operations","description":"The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(4)","id_raw":"IR-9 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Exposure To Unauthorized Personnel","description":"The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9a.","id_raw":"IR-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Identifying the specific information involved in the information system contamination;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9b.","id_raw":"IR-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9c.","id_raw":"IR-9c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Isolating the contaminated information system or system component;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9d.","id_raw":"IR-9d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Eradicating the information from the contaminated information system or component;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9e.","id_raw":"IR-9e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Identifying other information systems or system components that may have been subsequently contaminated; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9f.","id_raw":"IR-9f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization responds to information spills by: Performing other [Assignment: organization-defined actions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1","id_raw":"IR-1","tier_raw":"Control","tier":1,"seq":1,"title":"Incident Response Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-10","id_raw":"IR-10","tier_raw":"Control","tier":1,"seq":10,"title":"Integrated Information Security Analysis Team","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1a.","id_raw":"IR-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-1b.","id_raw":"IR-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and Incident response procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2","id_raw":"IR-2","tier_raw":"Control","tier":1,"seq":2,"title":"Incident Response 
Training","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2(1)","id_raw":"IR-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Simulated Events","description":"The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2(2)","id_raw":"IR-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Training Environments","description":"The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2a.","id_raw":"IR-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2b.","id_raw":"IR-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-2c.","id_raw":"IR-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3","id_raw":"IR-3","tier_raw":"Control","tier":1,"seq":3,"title":"Incident Response Testing","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3(1)","id_raw":"IR-3 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Testing","description":"The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-3(2)","id_raw":"IR-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Coordination With Related Plans","description":"The organization coordinates incident response testing with organizational elements responsible for related plans."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4","id_raw":"IR-4","tier_raw":"Control","tier":1,"seq":4,"title":"Incident Handling","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(1)","id_raw":"IR-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Incident Handling Processes","description":"The organization employs automated mechanisms to support the incident handling process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(10)","id_raw":"IR-4 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Supply Chain Coordination","description":"The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(2)","id_raw":"IR-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Dynamic Reconfiguration","description":"The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(3)","id_raw":"IR-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Continuity Of Operations","description":"The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business 
functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(4)","id_raw":"IR-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Information Correlation","description":"The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(5)","id_raw":"IR-4 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Automatic Disabling Of Information System","description":"The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(6)","id_raw":"IR-4 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Insider Threats - Specific Capabilities","description":"The organization implements incident handling capability for insider threats."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(7)","id_raw":"IR-4 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Insider Threats - Intra-Organization Coordination","description":"The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(8)","id_raw":"IR-4 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Correlation With External Organizations","description":"The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4(9)","id_raw":"IR-4 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Dynamic Response Capability","description":"The organization employs 
[Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4a.","id_raw":"IR-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4b.","id_raw":"IR-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Coordinates incident handling activities with contingency planning activities; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-4c.","id_raw":"IR-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-5","id_raw":"IR-5","tier_raw":"Control","tier":1,"seq":5,"title":"Incident Monitoring","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-5(1)","id_raw":"IR-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Tracking / Data Collection / Analysis","description":"The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6","id_raw":"IR-6","tier_raw":"Control","tier":1,"seq":6,"title":"Incident Reporting","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(1)","id_raw":"IR-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Reporting","description":"The organization employs automated mechanisms to assist in the reporting of security incidents."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(2)","id_raw":"IR-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Vulnerabilities Related To Incidents","description":"The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6(3)","id_raw":"IR-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Coordination With Supply Chain","description":"The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6a.","id_raw":"IR-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-6b.","id_raw":"IR-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reports security incident information to [Assignment: organization-defined authorities]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7","id_raw":"IR-7","tier_raw":"Control","tier":1,"seq":7,"title":"Incident Response Assistance","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7(1)","id_raw":"IR-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automation Support For Availability Of Information / Support","description":"The organization employs automated mechanisms to increase the availability of incident response-related information and support."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-7(2)","id_raw":"IR-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Coordination With External Providers","description":"The 
organization: Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and Identifies organizational incident response team members to the external providers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8","id_raw":"IR-8","tier_raw":"Control","tier":1,"seq":8,"title":"Incident Response Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8a.","id_raw":"IR-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8b.","id_raw":"IR-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8c.","id_raw":"IR-8c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews the incident response plan [Assignment: organization-defined frequency];"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8d.","id_raw":"IR-8d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8e.","id_raw":"IR-8e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-8f.","id_raw":"IR-8f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Protects the incident response plan from unauthorized disclosure and modification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9","id_raw":"IR-9","tier_raw":"Control","tier":1,"seq":9,"title":"Information Spillage Response","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(1)","id_raw":"IR-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Responsible Personnel","description":"The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(2)","id_raw":"IR-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Training","description":"The organization provides information spillage response training [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(3)","id_raw":"IR-9 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Post-Spill Operations","description":"The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks 
while contaminated systems are undergoing corrective actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9(4)","id_raw":"IR-9 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Exposure To Unauthorized Personnel","description":"The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9a.","id_raw":"IR-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization responds to information spills by: Identifying the specific information involved in the information system contamination;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9b.","id_raw":"IR-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization responds to information spills by: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9c.","id_raw":"IR-9c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization responds to information spills by: Isolating the contaminated information system or system component;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9d.","id_raw":"IR-9d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization responds to information spills by: Eradicating the information from the contaminated information system or component;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9e.","id_raw":"IR-9e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization responds to information spills by: Identifying other information systems or system components that may have been subsequently contaminated; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ir-9f.","id_raw":"IR-9f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization responds to information spills by: Performing other [Assignment: organization-defined actions]."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ma","id_raw":"MA","tier_raw":"Family","tier":0,"seq":9,"title":"Maintenance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1","id_raw":"MA-1","tier_raw":"Control","tier":1,"seq":null,"title":"System Maintenance Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1a.","id_raw":"MA-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1b.","id_raw":"MA-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and System maintenance procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2","id_raw":"MA-2","tier_raw":"Control","tier":1,"seq":null,"title":"Controlled Maintenance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2(2)","id_raw":"MA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Maintenance Activities","description":"The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and Produces up-to date, accurate, and complete 
records of all maintenance and repair actions requested, scheduled, in process, and completed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2a.","id_raw":"MA-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2b.","id_raw":"MA-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2c.","id_raw":"MA-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2d.","id_raw":"MA-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2e.","id_raw":"MA-2e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2f.","id_raw":"MA-2f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Includes 
[Assignment: organization-defined maintenance-related information] in organizational maintenance records."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3","id_raw":"MA-3","tier_raw":"Control","tier":1,"seq":null,"title":"Maintenance Tools","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(1)","id_raw":"MA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inspect Tools","description":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(2)","id_raw":"MA-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inspect Media","description":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(3)","id_raw":"MA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Unauthorized Removal","description":"The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the equipment; Retaining the equipment within the facility; or Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(4)","id_raw":"MA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restricted Tool Use","description":"The information system restricts the use of maintenance tools to authorized personnel only."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4","id_raw":"MA-4","tier_raw":"Control","tier":1,"seq":null,"title":"Nonlocal Maintenance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(1)","id_raw":"MA-4 
(1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Auditing And Review","description":"The organization: Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(2)","id_raw":"MA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Document Nonlocal Maintenance","description":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(3)","id_raw":"MA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Comparable Security / Sanitization","description":"The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(4)","id_raw":"MA-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authentication / Separation Of Maintenance Sessions","description":"The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated 
communications paths based upon encryption."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(5)","id_raw":"MA-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Approvals And Notifications","description":"The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(6)","id_raw":"MA-4 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(7)","id_raw":"MA-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Remote Disconnect Verification","description":"The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4a.","id_raw":"MA-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Approves and monitors nonlocal maintenance and diagnostic activities;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4b.","id_raw":"MA-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4c.","id_raw":"MA-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4d.","id_raw":"MA-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Maintains records for nonlocal maintenance and diagnostic activities; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4e.","id_raw":"MA-4e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Terminates session and network connections when nonlocal maintenance is completed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5","id_raw":"MA-5","tier_raw":"Control","tier":1,"seq":null,"title":"Maintenance Personnel","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(1)","id_raw":"MA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Individuals Without Appropriate Access","description":"The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(2)","id_raw":"MA-5 
(2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Clearances For Classified Systems","description":"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(3)","id_raw":"MA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Citizenship Requirements For Classified Systems","description":"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(4)","id_raw":"MA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Foreign Nationals","description":"The organization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(5)","id_raw":"MA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Nonsystem-Related Maintenance","description":"The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have 
required access authorizations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5a.","id_raw":"MA-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5b.","id_raw":"MA-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5c.","id_raw":"MA-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6","id_raw":"MA-6","tier_raw":"Control","tier":1,"seq":null,"title":"Timely Maintenance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(1)","id_raw":"MA-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Preventive Maintenance","description":"The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(2)","id_raw":"MA-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Predictive Maintenance","description":"The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(3)","id_raw":"MA-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Support 
For Predictive Maintenance","description":"The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1","id_raw":"MA-1","tier_raw":"Control","tier":1,"seq":1,"title":"System Maintenance Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1a.","id_raw":"MA-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-1b.","id_raw":"MA-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and System maintenance procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2","id_raw":"MA-2","tier_raw":"Control","tier":1,"seq":2,"title":"Controlled Maintenance","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2(2)","id_raw":"MA-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Maintenance Activities","description":"The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2a.","id_raw":"MA-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2b.","id_raw":"MA-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2c.","id_raw":"MA-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2d.","id_raw":"MA-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2e.","id_raw":"MA-2e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-2f.","id_raw":"MA-2f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3","id_raw":"MA-3","tier_raw":"Control","tier":1,"seq":3,"title":"Maintenance Tools","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(1)","id_raw":"MA-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Inspect Tools","description":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(2)","id_raw":"MA-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Inspect Media","description":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(3)","id_raw":"MA-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Prevent Unauthorized Removal","description":"The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the equipment; Retaining the equipment within the facility; or Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-3(4)","id_raw":"MA-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Restricted Tool Use","description":"The information system restricts the use of maintenance tools to authorized personnel only."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4","id_raw":"MA-4","tier_raw":"Control","tier":1,"seq":4,"title":"Nonlocal Maintenance","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(1)","id_raw":"MA-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Auditing And Review","description":"The organization: Audits nonlocal 
maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(2)","id_raw":"MA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Document Nonlocal Maintenance","description":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(3)","id_raw":"MA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Comparable Security / Sanitization","description":"The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(4)","id_raw":"MA-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Authentication / Separation Of Maintenance Sessions","description":"The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated communications paths based upon encryption."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(5)","id_raw":"MA-4 
(5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Approvals And Notifications","description":"The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(6)","id_raw":"MA-4 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4(7)","id_raw":"MA-4 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Remote Disconnect Verification","description":"The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4a.","id_raw":"MA-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Approves and monitors nonlocal maintenance and diagnostic activities;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4b.","id_raw":"MA-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4c.","id_raw":"MA-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4d.","id_raw":"MA-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Maintains 
records for nonlocal maintenance and diagnostic activities; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-4e.","id_raw":"MA-4e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Terminates session and network connections when nonlocal maintenance is completed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5","id_raw":"MA-5","tier_raw":"Control","tier":1,"seq":5,"title":"Maintenance Personnel","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(1)","id_raw":"MA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Individuals Without Appropriate Access","description":"The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(2)","id_raw":"MA-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Security Clearances For Classified Systems","description":"The organization ensures that personnel performing maintenance and diagnostic activities on an 
information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(3)","id_raw":"MA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Citizenship Requirements For Classified Systems","description":"The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(4)","id_raw":"MA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Foreign Nationals","description":"The organization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5(5)","id_raw":"MA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Nonsystem-Related Maintenance","description":"The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5a.","id_raw":"MA-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes a process for 
maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5b.","id_raw":"MA-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-5c.","id_raw":"MA-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6","id_raw":"MA-6","tier_raw":"Control","tier":1,"seq":6,"title":"Timely Maintenance","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(1)","id_raw":"MA-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Preventive Maintenance","description":"The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(2)","id_raw":"MA-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Predictive Maintenance","description":"The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ma-6(3)","id_raw":"MA-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automated Support For Predictive Maintenance","description":"The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system."} 
{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp","id_raw":"MP","tier_raw":"Family","tier":0,"seq":10,"title":"Media Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1","id_raw":"MP-1","tier_raw":"Control","tier":1,"seq":null,"title":"Media Protection Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1a.","id_raw":"MP-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1b.","id_raw":"MP-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and Media protection procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-2","id_raw":"MP-2","tier_raw":"Control","tier":1,"seq":null,"title":"Media Access","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3","id_raw":"MP-3","tier_raw":"Control","tier":1,"seq":null,"title":"Media Marking","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3a.","id_raw":"MP-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3b.","id_raw":"MP-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4","id_raw":"MP-4","tier_raw":"Control","tier":1,"seq":null,"title":"Media Storage","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4(2)","id_raw":"MP-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Restricted Access","description":"The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4a.","id_raw":"MP-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4b.","id_raw":"MP-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5","id_raw":"MP-5","tier_raw":"Control","tier":1,"seq":null,"title":"Media Transport","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5(3)","id_raw":"MP-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Custodians","description":"The organization employs an identified custodian during transport of information system media outside of controlled areas."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5(4)","id_raw":"MP-5 
(4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5a.","id_raw":"MP-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5b.","id_raw":"MP-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Maintains accountability for information system media during transport outside of controlled areas;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5c.","id_raw":"MP-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents activities associated with the transport of information system media; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5d.","id_raw":"MP-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Restricts the activities associated with the transport of information system media to authorized personnel."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6","id_raw":"MP-6","tier_raw":"Control","tier":1,"seq":null,"title":"Media Sanitization","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(1)","id_raw":"MP-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review / Approve / Track / Document / Verify","description":"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(2)","id_raw":"MP-6 
(2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Equipment Testing","description":"The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(3)","id_raw":"MP-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Nondestructive Techniques","description":"The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(7)","id_raw":"MP-6 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dual Authorization","description":"The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(8)","id_raw":"MP-6 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Remote Purging / Wiping Of Information","description":"The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6a.","id_raw":"MP-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6b.","id_raw":"MP-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7","id_raw":"MP-7","tier_raw":"Control","tier":1,"seq":null,"title":"Media Use","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7(1)","id_raw":"MP-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Use Without Owner","description":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7(2)","id_raw":"MP-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Use Of Sanitization-Resistant Media","description":"The organization prohibits the use of sanitization-resistant media in organizational information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8","id_raw":"MP-8","tier_raw":"Control","tier":1,"seq":null,"title":"Media Downgrading","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(1)","id_raw":"MP-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Documentation Of Process","description":"The organization documents information system media downgrading actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(2)","id_raw":"MP-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Equipment Testing","description":"The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(3)","id_raw":"MP-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Controlled Unclassified 
Information","description":"The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(4)","id_raw":"MP-8 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Classified Information","description":"The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8a.","id_raw":"MP-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8b.","id_raw":"MP-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8c.","id_raw":"MP-8c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies [Assignment: organization-defined information system media requiring downgrading]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8d.","id_raw":"MP-8d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Downgrades the identified information system media using the established process."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1","id_raw":"MP-1","tier_raw":"Control","tier":1,"seq":1,"title":"Media Protection Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1a.","id_raw":"MP-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-1b.","id_raw":"MP-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and Media protection procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-2","id_raw":"MP-2","tier_raw":"Control","tier":1,"seq":2,"title":"Media Access","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3","id_raw":"MP-3","tier_raw":"Control","tier":1,"seq":3,"title":"Media Marking","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3a.","id_raw":"MP-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-3b.","id_raw":"MP-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: 
organization-defined controlled areas]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4","id_raw":"MP-4","tier_raw":"Control","tier":1,"seq":4,"title":"Media Storage","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4(2)","id_raw":"MP-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Restricted Access","description":"The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4a.","id_raw":"MP-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-4b.","id_raw":"MP-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5","id_raw":"MP-5","tier_raw":"Control","tier":1,"seq":5,"title":"Media Transport","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5(3)","id_raw":"MP-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Custodians","description":"The organization employs an identified custodian during transport of information system media outside of controlled areas."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5(4)","id_raw":"MP-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5a.","id_raw":"MP-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5b.","id_raw":"MP-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Maintains accountability for information system media during transport outside of controlled areas;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5c.","id_raw":"MP-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Documents activities associated with the transport of information system media; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-5d.","id_raw":"MP-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Restricts the activities associated with the transport of information system media to authorized personnel."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6","id_raw":"MP-6","tier_raw":"Control","tier":1,"seq":6,"title":"Media Sanitization","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(1)","id_raw":"MP-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Review / Approve / Track / Document / Verify","description":"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(2)","id_raw":"MP-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Equipment Testing","description":"The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(3)","id_raw":"MP-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Nondestructive Techniques","description":"The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(7)","id_raw":"MP-6 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Dual Authorization","description":"The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6(8)","id_raw":"MP-6 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Remote Purging / Wiping Of Information","description":"The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6a.","id_raw":"MP-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-6b.","id_raw":"MP-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7","id_raw":"MP-7","tier_raw":"Control","tier":1,"seq":7,"title":"Media Use","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7(1)","id_raw":"MP-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Prohibit Use Without Owner","description":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-7(2)","id_raw":"MP-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Prohibit Use Of Sanitization-Resistant Media","description":"The organization prohibits the use of sanitization-resistant media in organizational information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8","id_raw":"MP-8","tier_raw":"Control","tier":1,"seq":8,"title":"Media Downgrading","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(1)","id_raw":"MP-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Documentation Of Process","description":"The organization documents information system media downgrading actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(2)","id_raw":"MP-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Equipment Testing","description":"The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(3)","id_raw":"MP-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Controlled Unclassified Information","description":"The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8(4)","id_raw":"MP-8 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Classified Information","description":"The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8a.","id_raw":"MP-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8b.","id_raw":"MP-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8c.","id_raw":"MP-8c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Identifies [Assignment: organization-defined information system media requiring downgrading]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:mp-8d.","id_raw":"MP-8d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Downgrades the identified information system media using the established process."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:pe","id_raw":"PE","tier_raw":"Family","tier":0,"seq":11,"title":"Physical and Environmental Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1","id_raw":"PE-1","tier_raw":"Control","tier":1,"seq":null,"title":"Physical and Environmental Protection 
Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10","id_raw":"PE-10","tier_raw":"Control","tier":1,"seq":null,"title":"Emergency Shutoff","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10a.","id_raw":"PE-10a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10b.","id_raw":"PE-10b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10c.","id_raw":"PE-10c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects emergency power shutoff capability from unauthorized activation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11","id_raw":"PE-11","tier_raw":"Control","tier":1,"seq":null,"title":"Emergency Power","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11(1)","id_raw":"PE-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Long-Term Alternate Power Supply - Minimal Operational Capability","description":"The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11(2)","id_raw":"PE-11 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Long-Term Alternate Power Supply - Self-Contained","description":"The organization provides a long-term alternate power supply for the information system that is: 
Self-contained; Not reliant on external power generation; and Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-12","id_raw":"PE-12","tier_raw":"Control","tier":1,"seq":null,"title":"Emergency Lighting","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-12(1)","id_raw":"PE-12 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Essential Missions / Business Functions","description":"The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13","id_raw":"PE-13","tier_raw":"Control","tier":1,"seq":null,"title":"Fire Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(1)","id_raw":"PE-13 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Detection Devices / Systems","description":"The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(2)","id_raw":"PE-13 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Suppression Devices / Systems","description":"The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(3)","id_raw":"PE-13 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Fire Suppression","description":"The organization employs an automatic fire suppression 
capability for the information system when the facility is not staffed on a continuous basis."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(4)","id_raw":"PE-13 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inspections","description":"The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14","id_raw":"PE-14","tier_raw":"Control","tier":1,"seq":null,"title":"Temperature and Humidity Controls","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14(1)","id_raw":"PE-14 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Controls","description":"The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14(2)","id_raw":"PE-14 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Monitoring With Alarms / Notifications","description":"The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14a.","id_raw":"PE-14a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14b.","id_raw":"PE-14b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors temperature and humidity levels [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-15","id_raw":"PE-15","tier_raw":"Control","tier":1,"seq":null,"title":"Water Damage Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-15(1)","id_raw":"PE-15 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automation Support","description":"The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-16","id_raw":"PE-16","tier_raw":"Control","tier":1,"seq":null,"title":"Delivery and Removal","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17","id_raw":"PE-17","tier_raw":"Control","tier":1,"seq":null,"title":"Alternate Work Site","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17a.","id_raw":"PE-17a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs [Assignment: organization-defined security controls] at alternate work sites;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17b.","id_raw":"PE-17b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17c.","id_raw":"PE-17c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides a means for employees to communicate with information security personnel in case of security incidents or problems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-18","id_raw":"PE-18","tier_raw":"Control","tier":1,"seq":null,"title":"Location Of Information System Components","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-18(1)","id_raw":"PE-18 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Facility 
Site","description":"The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-19","id_raw":"PE-19","tier_raw":"Control","tier":1,"seq":null,"title":"Information Leakage","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-19(1)","id_raw":"PE-19 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"National Emissions / Tempest Policies And Procedures","description":"The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1a.","id_raw":"PE-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1b.","id_raw":"PE-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and Physical and environmental protection procedures [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2","id_raw":"PE-2","tier_raw":"Control","tier":1,"seq":null,"title":"Physical Access Authorizations","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(1)","id_raw":"PE-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access By Position / Role","description":"The organization authorizes physical access to the facility where the information system resides based on position or role."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(2)","id_raw":"PE-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Two Forms Of Identification","description":"The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(3)","id_raw":"PE-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Unescorted Access","description":"The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20","id_raw":"PE-20","tier_raw":"Control","tier":1,"seq":null,"title":"Asset Monitoring and Tracking","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20a.","id_raw":"PE-20a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled 
areas]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20b.","id_raw":"PE-20b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3","id_raw":"PE-3","tier_raw":"Control","tier":1,"seq":null,"title":"Physical Access Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(1)","id_raw":"PE-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Information System Access","description":"The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(2)","id_raw":"PE-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Facility / Information System Boundaries","description":"The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(3)","id_raw":"PE-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continuous Guards / Alarms / Monitoring","description":"The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(4)","id_raw":"PE-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Lockable Casings","description":"The organization uses lockable physical casings to protect [Assignment: 
organization-defined information system components] from unauthorized physical access."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(5)","id_raw":"PE-3 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Tamper Protection","description":"The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(6)","id_raw":"PE-3 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Facility Penetration Testing","description":"The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3a.","id_raw":"PE-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3b.","id_raw":"PE-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3c.","id_raw":"PE-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas 
within the facility officially designated as publicly accessible;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3d.","id_raw":"PE-3d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3e.","id_raw":"PE-3e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Secures keys, combinations, and other physical access devices;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3f.","id_raw":"PE-3f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3g.","id_raw":"PE-3g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-4","id_raw":"PE-4","tier_raw":"Control","tier":1,"seq":null,"title":"Access Control For Transmission Medium","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5","id_raw":"PE-5","tier_raw":"Control","tier":1,"seq":null,"title":"Access Control For Output Devices","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(1)","id_raw":"PE-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access To Output By Authorized Individuals","description":"The organization: Controls physical access to output from [Assignment: organization-defined output devices]; and Ensures that only authorized individuals receive output from the device."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(2)","id_raw":"PE-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access To Output By Individual Identity","description":"The information system: Controls physical access to output from [Assignment: organization-defined output devices]; and Links individual identity to receipt of the output from the device."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(3)","id_raw":"PE-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Marking Output Devices","description":"The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6","id_raw":"PE-6","tier_raw":"Control","tier":1,"seq":null,"title":"Monitoring Physical Access","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(1)","id_raw":"PE-6 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Intrusion Alarms / Surveillance Equipment","description":"The organization monitors physical intrusion alarms and surveillance equipment."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(2)","id_raw":"PE-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Intrusion Recognition / Responses","description":"The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(3)","id_raw":"PE-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Video Surveillance","description":"The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(4)","id_raw":"PE-6 
(4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Monitoring Physical Access To Information Systems","description":"The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6a.","id_raw":"PE-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6b.","id_raw":"PE-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6c.","id_raw":"PE-6c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Coordinates results of reviews and investigations with the organizational incident response capability."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-7","id_raw":"PE-7","tier_raw":"Control","tier":1,"seq":null,"title":"Visitor Control","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8","id_raw":"PE-8","tier_raw":"Control","tier":1,"seq":null,"title":"Visitor Access Records","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8(1)","id_raw":"PE-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Records Maintenance / Review","description":"The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8a.","id_raw":"PE-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8b.","id_raw":"PE-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews visitor access records [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9","id_raw":"PE-9","tier_raw":"Control","tier":1,"seq":null,"title":"Power Equipment and Cabling","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9(1)","id_raw":"PE-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Redundant Cabling","description":"The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9(2)","id_raw":"PE-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Voltage Controls","description":"The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1","id_raw":"PE-1","tier_raw":"Control","tier":1,"seq":1,"title":"Physical and Environmental Protection Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10","id_raw":"PE-10","tier_raw":"Control","tier":1,"seq":10,"title":"Emergency Shutoff","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10a.","id_raw":"PE-10a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10b.","id_raw":"PE-10b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-10c.","id_raw":"PE-10c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Protects emergency power shutoff capability from unauthorized activation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11","id_raw":"PE-11","tier_raw":"Control","tier":1,"seq":11,"title":"Emergency Power","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11(1)","id_raw":"PE-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Long-Term Alternate Power Supply - Minimal Operational Capability","description":"The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-11(2)","id_raw":"PE-11 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Long-Term Alternate Power Supply - Self-Contained","description":"The organization provides a long-term alternate power supply for the information system that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-12","id_raw":"PE-12","tier_raw":"Control","tier":1,"seq":12,"title":"Emergency Lighting","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-12(1)","id_raw":"PE-12 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Essential Missions / Business Functions","description":"The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13","id_raw":"PE-13","tier_raw":"Control","tier":1,"seq":13,"title":"Fire Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(1)","id_raw":"PE-13 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Detection Devices / Systems","description":"The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(2)","id_raw":"PE-13 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Suppression Devices / Systems","description":"The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(3)","id_raw":"PE-13 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automatic Fire Suppression","description":"The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-13(4)","id_raw":"PE-13 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Inspections","description":"The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time 
period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14","id_raw":"PE-14","tier_raw":"Control","tier":1,"seq":14,"title":"Temperature and Humidity Controls","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14(1)","id_raw":"PE-14 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automatic Controls","description":"The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14(2)","id_raw":"PE-14 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Monitoring With Alarms / Notifications","description":"The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14a.","id_raw":"PE-14a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-14b.","id_raw":"PE-14b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Monitors temperature and humidity levels [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-15","id_raw":"PE-15","tier_raw":"Control","tier":1,"seq":15,"title":"Water Damage Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-15(1)","id_raw":"PE-15 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automation Support","description":"The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-16","id_raw":"PE-16","tier_raw":"Control","tier":1,"seq":16,"title":"Delivery and Removal","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17","id_raw":"PE-17","tier_raw":"Control","tier":1,"seq":17,"title":"Alternate Work Site","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17a.","id_raw":"PE-17a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Employs [Assignment: organization-defined security controls] at alternate work sites;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17b.","id_raw":"PE-17b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-17c.","id_raw":"PE-17c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Provides a means for employees to communicate with information security personnel in case of security incidents or problems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-18","id_raw":"PE-18","tier_raw":"Control","tier":1,"seq":18,"title":"Location Of Information System Components","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-18(1)","id_raw":"PE-18 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Facility Site","description":"The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-19","id_raw":"PE-19","tier_raw":"Control","tier":1,"seq":19,"title":"Information Leakage","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-19(1)","id_raw":"PE-19 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"National Emissions / Tempest Policies And Procedures","description":"The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1a.","id_raw":"PE-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-1b.","id_raw":"PE-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and Physical and environmental protection procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2","id_raw":"PE-2","tier_raw":"Control","tier":1,"seq":2,"title":"Physical Access Authorizations","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(1)","id_raw":"PE-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Access By Position / Role","description":"The organization authorizes physical access to the facility where the information system resides based on position or role."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(2)","id_raw":"PE-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Two Forms Of 
Identification","description":"The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-2(3)","id_raw":"PE-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Restrict Unescorted Access","description":"The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20","id_raw":"PE-20","tier_raw":"Control","tier":1,"seq":20,"title":"Asset Monitoring and Tracking","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20a.","id_raw":"PE-20a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-20b.","id_raw":"PE-20b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3","id_raw":"PE-3","tier_raw":"Control","tier":1,"seq":3,"title":"Physical Access Control","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(1)","id_raw":"PE-3 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Information System Access","description":"The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(2)","id_raw":"PE-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Facility / Information System Boundaries","description":"The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(3)","id_raw":"PE-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Continuous Guards / Alarms / Monitoring","description":"The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(4)","id_raw":"PE-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Lockable Casings","description":"The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(5)","id_raw":"PE-3 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Tamper Protection","description":"The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3(6)","id_raw":"PE-3 
(6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Facility Penetration Testing","description":"The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3a.","id_raw":"PE-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3b.","id_raw":"PE-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3c.","id_raw":"PE-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3d.","id_raw":"PE-3d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3e.","id_raw":"PE-3e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Secures keys, combinations, and other physical access 
devices;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3f.","id_raw":"PE-3f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-3g.","id_raw":"PE-3g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-4","id_raw":"PE-4","tier_raw":"Control","tier":1,"seq":4,"title":"Access Control For Transmission Medium","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5","id_raw":"PE-5","tier_raw":"Control","tier":1,"seq":5,"title":"Access Control For Output Devices","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(1)","id_raw":"PE-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Access To Output By Authorized Individuals","description":"The organization: Controls physical access to output from [Assignment: organization-defined output devices]; and Ensures that only authorized individuals receive output from the device."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(2)","id_raw":"PE-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Access To Output By Individual Identity","description":"The information system: Controls physical access to output from [Assignment: organization-defined output devices]; and Links individual identity to receipt of the output from the device."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-5(3)","id_raw":"PE-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Marking Output Devices","description":"The organization marks [Assignment: organization-defined information system output 
devices] indicating the appropriate security marking of the information permitted to be output from the device."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6","id_raw":"PE-6","tier_raw":"Control","tier":1,"seq":6,"title":"Monitoring Physical Access","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(1)","id_raw":"PE-6 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Intrusion Alarms / Surveillance Equipment","description":"The organization monitors physical intrusion alarms and surveillance equipment."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(2)","id_raw":"PE-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Intrusion Recognition / Responses","description":"The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(3)","id_raw":"PE-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Video Surveillance","description":"The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6(4)","id_raw":"PE-6 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Monitoring Physical Access To Information Systems","description":"The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6a.","id_raw":"PE-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security 
incidents;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6b.","id_raw":"PE-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-6c.","id_raw":"PE-6c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Coordinates results of reviews and investigations with the organizational incident response capability."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-7","id_raw":"PE-7","tier_raw":"Control","tier":1,"seq":7,"title":"Visitor Control","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8","id_raw":"PE-8","tier_raw":"Control","tier":1,"seq":8,"title":"Visitor Access Records","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8(1)","id_raw":"PE-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Records Maintenance / Review","description":"The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8a.","id_raw":"PE-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-8b.","id_raw":"PE-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews visitor access records [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9","id_raw":"PE-9","tier_raw":"Control","tier":1,"seq":9,"title":"Power Equipment and Cabling","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9(1)","id_raw":"PE-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Redundant Cabling","description":"The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pe-9(2)","id_raw":"PE-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automatic Voltage Controls","description":"The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:pl","id_raw":"PL","tier_raw":"Family","tier":0,"seq":12,"title":"Planning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1","id_raw":"PL-1","tier_raw":"Control","tier":1,"seq":null,"title":"Security Planning Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1a.","id_raw":"PL-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1b.","id_raw":"PL-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and Security planning procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2","id_raw":"PL-2","tier_raw":"Control","tier":1,"seq":null,"title":"System Security Plan","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2(3)","id_raw":"PL-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Plan / Coordinate With Other Organizational Entities","description":"The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2a.","id_raw":"PL-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system and relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Identifies any relevant overlays, if applicable; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2b.","id_raw":"PL-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2c.","id_raw":"PL-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the 
security plan for the information system [Assignment: organization-defined frequency];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2d.","id_raw":"PL-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2e.","id_raw":"PL-2e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects the security plan from unauthorized disclosure and modification."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-3","id_raw":"PL-3","tier_raw":"Control","tier":1,"seq":null,"title":"System Security Plan Update","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4","id_raw":"PL-4","tier_raw":"Control","tier":1,"seq":null,"title":"Rules Of Behavior","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4(1)","id_raw":"PL-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Social Media And Networking Restrictions","description":"The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4a.","id_raw":"PL-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4b.","id_raw":"PL-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Receives a signed acknowledgment from such individuals, indicating that they 
have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4c.","id_raw":"PL-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4d.","id_raw":"PL-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-5","id_raw":"PL-5","tier_raw":"Control","tier":1,"seq":null,"title":"Privacy Impact Assessment","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-6","id_raw":"PL-6","tier_raw":"Control","tier":1,"seq":null,"title":"Security-Related Activity Planning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7","id_raw":"PL-7","tier_raw":"Control","tier":1,"seq":null,"title":"Security Concept Of Operations","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7a.","id_raw":"PL-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7b.","id_raw":"PL-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the CONOPS [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8","id_raw":"PL-8","tier_raw":"Control","tier":1,"seq":null,"title":"Information Security 
Architecture","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8(1)","id_raw":"PL-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Defense-In-Depth","description":"The organization designs its security architecture using a defense-in-depth approach that: Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8(2)","id_raw":"PL-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Supplier Diversity","description":"The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8a.","id_raw":"PL-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about, and dependencies on, external services;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8b.","id_raw":"PL-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8c.","id_raw":"PL-8c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-9","id_raw":"PL-9","tier_raw":"Control","tier":1,"seq":null,"title":"Central Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1","id_raw":"PL-1","tier_raw":"Control","tier":1,"seq":1,"title":"Security Planning Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1a.","id_raw":"PL-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-1b.","id_raw":"PL-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and Security planning procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2","id_raw":"PL-2","tier_raw":"Control","tier":1,"seq":2,"title":"System Security Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2(3)","id_raw":"PL-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Plan / Coordinate With Other Organizational Entities","description":"The organization plans and coordinates 
security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2a.","id_raw":"PL-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system and relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Identifies any relevant overlays, if applicable; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2b.","id_raw":"PL-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2c.","id_raw":"PL-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews the security plan for the information system [Assignment: organization-defined frequency];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2d.","id_raw":"PL-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: 
Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-2e.","id_raw":"PL-2e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Protects the security plan from unauthorized disclosure and modification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-3","id_raw":"PL-3","tier_raw":"Control","tier":1,"seq":3,"title":"System Security Plan Update","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4","id_raw":"PL-4","tier_raw":"Control","tier":1,"seq":4,"title":"Rules Of Behavior","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4(1)","id_raw":"PL-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Social Media And Networking Restrictions","description":"The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4a.","id_raw":"PL-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4b.","id_raw":"PL-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4c.","id_raw":"PL-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-4d.","id_raw":"PL-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-5","id_raw":"PL-5","tier_raw":"Control","tier":1,"seq":5,"title":"Privacy Impact Assessment","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-6","id_raw":"PL-6","tier_raw":"Control","tier":1,"seq":6,"title":"Security-Related Activity Planning","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7","id_raw":"PL-7","tier_raw":"Control","tier":1,"seq":7,"title":"Security Concept Of Operations","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7a.","id_raw":"PL-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-7b.","id_raw":"PL-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the CONOPS [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8","id_raw":"PL-8","tier_raw":"Control","tier":1,"seq":8,"title":"Information Security Architecture","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8(1)","id_raw":"PL-8 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Defense-In-Depth","description":"The organization designs its security architecture using a defense-in-depth approach that: Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8(2)","id_raw":"PL-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Supplier Diversity","description":"The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8a.","id_raw":"PL-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about, and dependencies on, external services;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8b.","id_raw":"PL-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-8c.","id_raw":"PL-8c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Ensures that planned information security architecture changes are reflected in 
the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pl-9","id_raw":"PL-9","tier_raw":"Control","tier":1,"seq":9,"title":"Central Management","description":null} {"source":"nist_800_53_v4","id":"nist_800_53_v4:pm","id_raw":"PM","tier_raw":"Family","tier":0,"seq":13,"title":"Program Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1","id_raw":"PM-1","tier_raw":"Control","tier":1,"seq":null,"title":"Information Security Program Plan","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10","id_raw":"PM-10","tier_raw":"Control","tier":1,"seq":null,"title":"Security Authorization Process","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10a.","id_raw":"PM-10a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10b.","id_raw":"PM-10b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10c.","id_raw":"PM-10c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Fully integrates the security authorization processes into an organization-wide risk management program."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11","id_raw":"PM-11","tier_raw":"Control","tier":1,"seq":null,"title":"Mission/Business Process Definition","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11a.","id_raw":"PM-11a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11b.","id_raw":"PM-11b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-12","id_raw":"PM-12","tier_raw":"Control","tier":1,"seq":null,"title":"Insider Threat Program","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-13","id_raw":"PM-13","tier_raw":"Control","tier":1,"seq":null,"title":"Information Security Workforce","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14","id_raw":"PM-14","tier_raw":"Control","tier":1,"seq":null,"title":"Testing, Training, and Monitoring","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14a.","id_raw":"PM-14a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14b.","id_raw":"PM-14b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk 
response actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15","id_raw":"PM-15","tier_raw":"Control","tier":1,"seq":null,"title":"Contacts With Security Groups and Associations","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15a.","id_raw":"PM-15a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15b.","id_raw":"PM-15b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To maintain currency with recommended security practices, techniques, and technologies; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15c.","id_raw":"PM-15c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To share current security-related information including threats, vulnerabilities, and incidents."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-16","id_raw":"PM-16","tier_raw":"Control","tier":1,"seq":null,"title":"Threat Awareness Program","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1a.","id_raw":"PM-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, 
responsibilities, management commitment, coordination among organizational entities, and compliance; Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1b.","id_raw":"PM-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1c.","id_raw":"PM-1c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1d.","id_raw":"PM-1d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects the information security program plan from unauthorized disclosure and modification."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-2","id_raw":"PM-2","tier_raw":"Control","tier":1,"seq":null,"title":"Senior Information Security Officer","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3","id_raw":"PM-3","tier_raw":"Control","tier":1,"seq":null,"title":"Information Security Resources","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3a.","id_raw":"PM-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that all capital planning and investment requests include the resources needed to implement the 
information security program and documents all exceptions to this requirement;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3b.","id_raw":"PM-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3c.","id_raw":"PM-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that information security resources are available for expenditure as planned."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4","id_raw":"PM-4","tier_raw":"Control","tier":1,"seq":null,"title":"Plan Of Action and Milestones Process","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4a.","id_raw":"PM-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB FISMA reporting requirements."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4b.","id_raw":"PM-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-5","id_raw":"PM-5","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Inventory","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-6","id_raw":"PM-6","tier_raw":"Control","tier":1,"seq":null,"title":"Information Security Measures 
Of Performance","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-7","id_raw":"PM-7","tier_raw":"Control","tier":1,"seq":null,"title":"Enterprise Architecture","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-8","id_raw":"PM-8","tier_raw":"Control","tier":1,"seq":null,"title":"Critical Infrastructure Plan","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9","id_raw":"PM-9","tier_raw":"Control","tier":1,"seq":null,"title":"Risk Management Strategy","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9a.","id_raw":"PM-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9b.","id_raw":"PM-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements the risk management strategy consistently across the organization; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9c.","id_raw":"PM-9c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1","id_raw":"PM-1","tier_raw":"Control","tier":1,"seq":1,"title":"Information Security Program Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10","id_raw":"PM-10","tier_raw":"Control","tier":1,"seq":10,"title":"Security Authorization Process","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10a.","id_raw":"PM-10a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Manages (i.e., 
documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10b.","id_raw":"PM-10b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-10c.","id_raw":"PM-10c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Fully integrates the security authorization processes into an organization-wide risk management program."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11","id_raw":"PM-11","tier_raw":"Control","tier":1,"seq":11,"title":"Mission/Business Process Definition","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11a.","id_raw":"PM-11a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-11b.","id_raw":"PM-11b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-12","id_raw":"PM-12","tier_raw":"Control","tier":1,"seq":12,"title":"Insider Threat Program","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-13","id_raw":"PM-13","tier_raw":"Control","tier":1,"seq":13,"title":"Information Security Workforce","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14","id_raw":"PM-14","tier_raw":"Control","tier":1,"seq":14,"title":"Testing, Training, and Monitoring","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14a.","id_raw":"PM-14a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and Continue to be executed in a timely manner;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-14b.","id_raw":"PM-14b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15","id_raw":"PM-15","tier_raw":"Control","tier":1,"seq":15,"title":"Contacts With Security Groups and Associations","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15a.","id_raw":"PM-15a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15b.","id_raw":"PM-15b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To maintain currency with recommended security practices, techniques, and technologies; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-15c.","id_raw":"PM-15c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization establishes and institutionalizes contact with selected groups and associations within the security community: To share current security-related information including threats, vulnerabilities, and incidents."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-16","id_raw":"PM-16","tier_raw":"Control","tier":1,"seq":16,"title":"Threat Awareness Program","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1a.","id_raw":"PM-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1b.","id_raw":"PM-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1c.","id_raw":"PM-1c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The 
organization: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-1d.","id_raw":"PM-1d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Protects the information security program plan from unauthorized disclosure and modification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-2","id_raw":"PM-2","tier_raw":"Control","tier":1,"seq":2,"title":"Senior Information Security Officer","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3","id_raw":"PM-3","tier_raw":"Control","tier":1,"seq":3,"title":"Information Security Resources","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3a.","id_raw":"PM-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3b.","id_raw":"PM-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-3c.","id_raw":"PM-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Ensures that information security resources are available for expenditure as planned."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4","id_raw":"PM-4","tier_raw":"Control","tier":1,"seq":4,"title":"Plan Of Action and Milestones Process","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4a.","id_raw":"PM-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Implements a process for ensuring that plans of action and 
milestones for the security program and associated organizational information systems: Are developed and maintained; Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and Are reported in accordance with OMB FISMA reporting requirements."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-4b.","id_raw":"PM-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-5","id_raw":"PM-5","tier_raw":"Control","tier":1,"seq":5,"title":"Information System Inventory","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-6","id_raw":"PM-6","tier_raw":"Control","tier":1,"seq":6,"title":"Information Security Measures Of Performance","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-7","id_raw":"PM-7","tier_raw":"Control","tier":1,"seq":7,"title":"Enterprise Architecture","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-8","id_raw":"PM-8","tier_raw":"Control","tier":1,"seq":8,"title":"Critical Infrastructure Plan","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9","id_raw":"PM-9","tier_raw":"Control","tier":1,"seq":9,"title":"Risk Management Strategy","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9a.","id_raw":"PM-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9b.","id_raw":"PM-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Implements the risk management strategy consistently across the organization; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:pm-9c.","id_raw":"PM-9c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ps","id_raw":"PS","tier_raw":"Family","tier":0,"seq":14,"title":"Personnel Security","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1","id_raw":"PS-1","tier_raw":"Control","tier":1,"seq":null,"title":"Personnel Security Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1a.","id_raw":"PS-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1b.","id_raw":"PS-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and Personnel security procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2","id_raw":"PS-2","tier_raw":"Control","tier":1,"seq":null,"title":"Position Risk Designation","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2a.","id_raw":"PS-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Assigns a risk designation to all organizational positions;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2b.","id_raw":"PS-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes screening criteria for individuals filling those positions; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2c.","id_raw":"PS-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates position risk designations [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3","id_raw":"PS-3","tier_raw":"Control","tier":1,"seq":null,"title":"Personnel Screening","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(1)","id_raw":"PS-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Classified Information","description":"The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(2)","id_raw":"PS-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Formal Indoctrination","description":"The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(3)","id_raw":"PS-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Information With Special Protection Measures","description":"The organization 
ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official government duties; and Satisfy [Assignment: organization-defined additional personnel screening criteria]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3a.","id_raw":"PS-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Screens individuals prior to authorizing access to the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3b.","id_raw":"PS-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4","id_raw":"PS-4","tier_raw":"Control","tier":1,"seq":null,"title":"Personnel Termination","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4(1)","id_raw":"PS-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Post-Employment Requirements","description":"The organization: Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4(2)","id_raw":"PS-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Notification","description":"The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4a.","id_raw":"PS-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4b.","id_raw":"PS-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4c.","id_raw":"PS-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4d.","id_raw":"PS-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4e.","id_raw":"PS-4e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4f.","id_raw":"PS-4f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5","id_raw":"PS-5","tier_raw":"Control","tier":1,"seq":null,"title":"Personnel 
Transfer","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5a.","id_raw":"PS-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5b.","id_raw":"PS-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5c.","id_raw":"PS-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5d.","id_raw":"PS-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6","id_raw":"PS-6","tier_raw":"Control","tier":1,"seq":null,"title":"Access Agreements","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6(2)","id_raw":"PS-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Classified Information Requiring Special Protection","description":"The organization ensures that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government duties; Satisfy associated personnel security criteria; and Have read, understood, and 
signed a nondisclosure agreement."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6(3)","id_raw":"PS-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Post-Employment Requirements","description":"The organization: Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6a.","id_raw":"PS-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops and documents access agreements for organizational information systems;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6b.","id_raw":"PS-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the access agreements [Assignment: organization-defined frequency]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6c.","id_raw":"PS-6c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7","id_raw":"PS-7","tier_raw":"Control","tier":1,"seq":null,"title":"Third-Party Personnel Security","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7a.","id_raw":"PS-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7b.","id_raw":"PS-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires third-party providers to comply with personnel security policies and procedures established by the organization;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7c.","id_raw":"PS-7c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents personnel security requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7d.","id_raw":"PS-7d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7e.","id_raw":"PS-7e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors provider compliance."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8","id_raw":"PS-8","tier_raw":"Control","tier":1,"seq":null,"title":"Personnel Sanctions","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8a.","id_raw":"PS-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8b.","id_raw":"PS-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the 
individual sanctioned and the reason for the sanction."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1","id_raw":"PS-1","tier_raw":"Control","tier":1,"seq":1,"title":"Personnel Security Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1a.","id_raw":"PS-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-1b.","id_raw":"PS-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and Personnel security procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2","id_raw":"PS-2","tier_raw":"Control","tier":1,"seq":2,"title":"Position Risk Designation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2a.","id_raw":"PS-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Assigns a risk designation to all organizational positions;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2b.","id_raw":"PS-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Establishes screening criteria for individuals filling those positions; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-2c.","id_raw":"PS-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews and updates position risk designations [Assignment: 
organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3","id_raw":"PS-3","tier_raw":"Control","tier":1,"seq":3,"title":"Personnel Screening","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(1)","id_raw":"PS-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Classified Information","description":"The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(2)","id_raw":"PS-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Formal Indoctrination","description":"The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3(3)","id_raw":"PS-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Information With Special Protection Measures","description":"The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official government duties; and Satisfy [Assignment: organization-defined additional personnel screening criteria]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3a.","id_raw":"PS-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Screens individuals prior to authorizing access to the information system; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-3b.","id_raw":"PS-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4","id_raw":"PS-4","tier_raw":"Control","tier":1,"seq":4,"title":"Personnel Termination","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4(1)","id_raw":"PS-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Post-Employment Requirements","description":"The organization: Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4(2)","id_raw":"PS-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Notification","description":"The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4a.","id_raw":"PS-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4b.","id_raw":"PS-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4c.","id_raw":"PS-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4d.","id_raw":"PS-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4e.","id_raw":"PS-4e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-4f.","id_raw":"PS-4f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5","id_raw":"PS-5","tier_raw":"Control","tier":1,"seq":5,"title":"Personnel Transfer","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5a.","id_raw":"PS-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5b.","id_raw":"PS-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Initiates [Assignment: 
organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5c.","id_raw":"PS-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-5d.","id_raw":"PS-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6","id_raw":"PS-6","tier_raw":"Control","tier":1,"seq":6,"title":"Access Agreements","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6(2)","id_raw":"PS-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Classified Information Requiring Special Protection","description":"The organization ensures that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government duties; Satisfy associated personnel security criteria; and Have read, understood, and signed a nondisclosure agreement."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6(3)","id_raw":"PS-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Post-Employment Requirements","description":"The organization: Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6a.","id_raw":"PS-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops and documents access agreements for organizational information systems;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6b.","id_raw":"PS-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the access agreements [Assignment: organization-defined frequency]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-6c.","id_raw":"PS-6c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Ensures that individuals requiring access to organizational information and information systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7","id_raw":"PS-7","tier_raw":"Control","tier":1,"seq":7,"title":"Third-Party Personnel Security","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7a.","id_raw":"PS-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7b.","id_raw":"PS-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Requires third-party providers to comply with personnel security policies and procedures established by the organization;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7c.","id_raw":"PS-7c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Documents personnel security requirements;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7d.","id_raw":"PS-7d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-7e.","id_raw":"PS-7e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Monitors provider compliance."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8","id_raw":"PS-8","tier_raw":"Control","tier":1,"seq":8,"title":"Personnel Sanctions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8a.","id_raw":"PS-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ps-8b.","id_raw":"PS-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:ra","id_raw":"RA","tier_raw":"Family","tier":0,"seq":15,"title":"Risk Assessment","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1","id_raw":"RA-1","tier_raw":"Control","tier":1,"seq":null,"title":"Risk Assessment Policy and Procedures","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1a.","id_raw":"RA-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1b.","id_raw":"RA-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and Risk assessment procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2","id_raw":"RA-2","tier_raw":"Control","tier":1,"seq":null,"title":"Security Categorization","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2a.","id_raw":"RA-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2b.","id_raw":"RA-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2c.","id_raw":"RA-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization 
decision."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3","id_raw":"RA-3","tier_raw":"Control","tier":1,"seq":null,"title":"Risk Assessment","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3a.","id_raw":"RA-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3b.","id_raw":"RA-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3c.","id_raw":"RA-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews risk assessment results [Assignment: organization-defined frequency];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3d.","id_raw":"RA-3d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3e.","id_raw":"RA-3e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-4","id_raw":"RA-4","tier_raw":"Control","tier":1,"seq":null,"title":"Risk 
Assessment Update","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5","id_raw":"RA-5","tier_raw":"Control","tier":1,"seq":null,"title":"Vulnerability Scanning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(1)","id_raw":"RA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Update Tool Capability","description":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(10)","id_raw":"RA-5 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlate Scanning Information","description":"The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(2)","id_raw":"RA-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Update By Frequency / Prior To New Scan / When Identified","description":"The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(3)","id_raw":"RA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Breadth / Depth Of Coverage","description":"The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(4)","id_raw":"RA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Discoverable Information","description":"The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective 
actions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(5)","id_raw":"RA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privileged Access","description":"The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(6)","id_raw":"RA-5 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Trend Analyses","description":"The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(8)","id_raw":"RA-5 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review Historic Audit Logs","description":"The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5a.","id_raw":"RA-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5b.","id_raw":"RA-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability 
impact;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5c.","id_raw":"RA-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Analyzes vulnerability scan reports and results from security control assessments;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5d.","id_raw":"RA-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5e.","id_raw":"RA-5e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-6","id_raw":"RA-6","tier_raw":"Control","tier":1,"seq":null,"title":"Technical Surveillance Countermeasures Survey","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1","id_raw":"RA-1","tier_raw":"Control","tier":1,"seq":1,"title":"Risk Assessment Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1a.","id_raw":"RA-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-1b.","id_raw":"RA-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and Risk assessment procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2","id_raw":"RA-2","tier_raw":"Control","tier":1,"seq":2,"title":"Security Categorization","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2a.","id_raw":"RA-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2b.","id_raw":"RA-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-2c.","id_raw":"RA-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3","id_raw":"RA-3","tier_raw":"Control","tier":1,"seq":3,"title":"Risk Assessment","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3a.","id_raw":"RA-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, 
or transmits;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3b.","id_raw":"RA-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3c.","id_raw":"RA-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Reviews risk assessment results [Assignment: organization-defined frequency];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3d.","id_raw":"RA-3d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-3e.","id_raw":"RA-3e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-4","id_raw":"RA-4","tier_raw":"Control","tier":1,"seq":4,"title":"Risk Assessment Update","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5","id_raw":"RA-5","tier_raw":"Control","tier":1,"seq":5,"title":"Vulnerability Scanning","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(1)","id_raw":"RA-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Update Tool Capability","description":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(10)","id_raw":"RA-5 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Correlate Scanning Information","description":"The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(2)","id_raw":"RA-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Update By Frequency / Prior To New Scan / When Identified","description":"The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(3)","id_raw":"RA-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Breadth / Depth Of Coverage","description":"The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(4)","id_raw":"RA-5 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Discoverable Information","description":"The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(5)","id_raw":"RA-5 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Privileged Access","description":"The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(6)","id_raw":"RA-5 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Automated Trend 
Analyses","description":"The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5(8)","id_raw":"RA-5 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Review Historic Audit Logs","description":"The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5a.","id_raw":"RA-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5b.","id_raw":"RA-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5c.","id_raw":"RA-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Analyzes vulnerability scan reports and results from security control assessments;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5d.","id_raw":"RA-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of 
risk; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-5e.","id_raw":"RA-5e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:ra-6","id_raw":"RA-6","tier_raw":"Control","tier":1,"seq":6,"title":"Technical Surveillance Countermeasures Survey","description":null} {"source":"nist_800_53_v4","id":"nist_800_53_v4:sa","id_raw":"SA","tier_raw":"Family","tier":0,"seq":16,"title":"System and Services Acquisition","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1","id_raw":"SA-1","tier_raw":"Control","tier":1,"seq":null,"title":"System and Services Acquisition Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10","id_raw":"SA-10","tier_raw":"Control","tier":1,"seq":null,"title":"Developer Configuration Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(1)","id_raw":"SA-10 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Software / Firmware Integrity Verification","description":"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(2)","id_raw":"SA-10 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alternative Configuration Management Processes","description":"The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(3)","id_raw":"SA-10 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware Integrity Verification","description":"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(4)","id_raw":"SA-10 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Trusted Generation","description":"The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(5)","id_raw":"SA-10 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Mapping Integrity For Version Control","description":"The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(6)","id_raw":"SA-10 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Trusted Distribution","description":"The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10a.","id_raw":"SA-10a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The 
organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10b.","id_raw":"SA-10b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10c.","id_raw":"SA-10c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10d.","id_raw":"SA-10d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10e.","id_raw":"SA-10e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11","id_raw":"SA-11","tier_raw":"Control","tier":1,"seq":null,"title":"Developer Security Testing and 
Evaluation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(1)","id_raw":"SA-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Static Code Analysis","description":"The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(2)","id_raw":"SA-11 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Threat And Vulnerability Analyses","description":"The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(3)","id_raw":"SA-11 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Independent Verification Of Assessment Plans / Evidence","description":"The organization: Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(4)","id_raw":"SA-11 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Manual Code Reviews","description":"The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(5)","id_raw":"SA-11 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Penetration Testing","description":"The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(6)","id_raw":"SA-11 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attack Surface Reviews","description":"The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(7)","id_raw":"SA-11 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Verify Scope Of Testing / Evaluation","description":"The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(8)","id_raw":"SA-11 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Code Analysis","description":"The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11a.","id_raw":"SA-11a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11b.","id_raw":"SA-11b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11c.","id_raw":"SA-11c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11d.","id_raw":"SA-11d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11e.","id_raw":"SA-11e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12","id_raw":"SA-12","tier_raw":"Control","tier":1,"seq":null,"title":"Supply Chain Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(1)","id_raw":"SA-12 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acquisition Strategies / Tools / Methods","description":"The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, 
system component, or information system service from suppliers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(10)","id_raw":"SA-12 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Validate As Genuine And Not Altered","description":"The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(11)","id_raw":"SA-12 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Penetration Testing / Analysis Of Elements, Processes, And Actors","description":"The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(12)","id_raw":"SA-12 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inter-Organizational Agreements","description":"The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(13)","id_raw":"SA-12 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Critical Information System Components","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(14)","id_raw":"SA-12 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identity And Traceability","description":"The organization establishes and 
retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(15)","id_raw":"SA-12 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Processes To Address Weaknesses Or Deficiencies","description":"The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(2)","id_raw":"SA-12 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Supplier Reviews","description":"The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(5)","id_raw":"SA-12 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Limitation Of Harm","description":"The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(7)","id_raw":"SA-12 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Assessments Prior To Selection / Acceptance / Update","description":"The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(8)","id_raw":"SA-12 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of All-Source Intelligence","description":"The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(9)","id_raw":"SA-12 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Operations Security","description":"The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13","id_raw":"SA-13","tier_raw":"Control","tier":1,"seq":null,"title":"Trustworthiness","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13a.","id_raw":"SA-13a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13b.","id_raw":"SA-13b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-14","id_raw":"SA-14","tier_raw":"Control","tier":1,"seq":null,"title":"Criticality Analysis","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15","id_raw":"SA-15","tier_raw":"Control","tier":1,"seq":null,"title":"Development Process, Standards, and Tools","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(1)","id_raw":"SA-15 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Quality Metrics","description":"The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics 
[Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(10)","id_raw":"SA-15 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Incident Response Plan","description":"The organization requires the developer of the information system, system component, or information system service to provide an incident response plan."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(11)","id_raw":"SA-15 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Archive Information System / Component","description":"The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(2)","id_raw":"SA-15 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security Tracking Tools","description":"The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(3)","id_raw":"SA-15 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Criticality Analysis","description":"The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(4)","id_raw":"SA-15 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Threat Modeling / Vulnerability Analysis","description":"The organization requires that developers perform threat 
modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(5)","id_raw":"SA-15 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Attack Surface Reduction","description":"The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(6)","id_raw":"SA-15 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continuous Improvement","description":"The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(7)","id_raw":"SA-15 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Vulnerability Analysis","description":"The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(8)","id_raw":"SA-15 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Reuse Of Threat / Vulnerability 
Information","description":"The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(9)","id_raw":"SA-15 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Live Data","description":"The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15a.","id_raw":"SA-15a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15b.","id_raw":"SA-15b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-16","id_raw":"SA-16","tier_raw":"Control","tier":1,"seq":null,"title":"Developer-Provided Training","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17","id_raw":"SA-17","tier_raw":"Control","tier":1,"seq":null,"title":"Developer Security Architecture and Design","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(1)","id_raw":"SA-17 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Formal Policy Model","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(2)","id_raw":"SA-17 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Security-Relevant Components","description":"The organization requires the developer of the information system, system component, or information system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(3)","id_raw":"SA-17 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Formal Correspondence","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; 
Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(4)","id_raw":"SA-17 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Informal Correspondence","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(5)","id_raw":"SA-17 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Conceptually Simple Design","description":"The organization requires the developer of the 
information system, system component, or information system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(6)","id_raw":"SA-17 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Structure For Testing","description":"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(7)","id_raw":"SA-17 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Structure For Least Privilege","description":"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17a.","id_raw":"SA-17a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17b.","id_raw":"SA-17b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: 
Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17c.","id_raw":"SA-17c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18","id_raw":"SA-18","tier_raw":"Control","tier":1,"seq":null,"title":"Tamper Resistance and Detection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18(1)","id_raw":"SA-18 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Multiple Phases Of Sdlc","description":"The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18(2)","id_raw":"SA-18 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inspection Of Information Systems, Components, Or Devices","description":"The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19","id_raw":"SA-19","tier_raw":"Control","tier":1,"seq":null,"title":"Component Authenticity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(1)","id_raw":"SA-19 
(1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Anti-Counterfeit Training","description":"The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(2)","id_raw":"SA-19 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Configuration Control For Component Service / Repair","description":"The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(3)","id_raw":"SA-19 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Component Disposal","description":"The organization disposes of information system components using [Assignment: organization-defined techniques and methods]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(4)","id_raw":"SA-19 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Anti-Counterfeit Scanning","description":"The organization scans for counterfeit information system components [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19a.","id_raw":"SA-19a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19b.","id_raw":"SA-19b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined 
personnel or roles]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1a.","id_raw":"SA-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1b.","id_raw":"SA-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and System and services acquisition procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2","id_raw":"SA-2","tier_raw":"Control","tier":1,"seq":null,"title":"Allocation Of Resources","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-20","id_raw":"SA-20","tier_raw":"Control","tier":1,"seq":null,"title":"Customized Development Of Critical Components","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21","id_raw":"SA-21","tier_raw":"Control","tier":1,"seq":null,"title":"Developer Screening","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21(1)","id_raw":"SA-21 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Validation Of Screening","description":"The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21a.","id_raw":"SA-21a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21b.","id_raw":"SA-21b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Satisfy [Assignment: organization-defined additional personnel screening criteria]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22","id_raw":"SA-22","tier_raw":"Control","tier":1,"seq":null,"title":"Unsupported System Components","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22(1)","id_raw":"SA-22 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Alternative Sources For Continued Support","description":"The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22a.","id_raw":"SA-22a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22b.","id_raw":"SA-22b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2a.","id_raw":"SA-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines information security requirements for the information system or information system service in mission/business process planning;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2b.","id_raw":"SA-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2c.","id_raw":"SA-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3","id_raw":"SA-3","tier_raw":"Control","tier":1,"seq":null,"title":"System Development Life Cycle","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3a.","id_raw":"SA-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3b.","id_raw":"SA-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3c.","id_raw":"SA-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies individuals having information security roles and responsibilities; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3d.","id_raw":"SA-3d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Integrates the organizational information security risk management process into system development life cycle activities."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4","id_raw":"SA-4","tier_raw":"Control","tier":1,"seq":null,"title":"Acquisition Process","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(1)","id_raw":"SA-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Functional Properties Of Security Controls","description":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(10)","id_raw":"SA-4 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Approved Piv Products","description":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(2)","id_raw":"SA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Design / Implementation Information For Security Controls","description":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(3)","id_raw":"SA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Development Methods / Techniques / Practices","description":"The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(5)","id_raw":"SA-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"System / Component / Service Configurations","description":"The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(6)","id_raw":"SA-4 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Use Of Information Assurance Products","description":"The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(7)","id_raw":"SA-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Niap-Approved Protection Profiles","description":"The 
organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(8)","id_raw":"SA-4 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continuous Monitoring Plan","description":"The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(9)","id_raw":"SA-4 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Functions / Ports / Protocols / Services In Use","description":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4a.","id_raw":"SA-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational 
mission/business needs: Security functional requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4b.","id_raw":"SA-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4c.","id_raw":"SA-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4d.","id_raw":"SA-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4e.","id_raw":"SA-4e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by 
reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4f.","id_raw":"SA-4f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4g.","id_raw":"SA-4g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5","id_raw":"SA-5","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Documentation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5a.","id_raw":"SA-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Obtains administrator documentation for the information system, system component, or information system service that 
describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5b.","id_raw":"SA-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and User responsibilities in maintaining the security of the system, component, or service;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5c.","id_raw":"SA-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5d.","id_raw":"SA-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects documentation as required, in accordance with the risk management strategy; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5e.","id_raw":"SA-5e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-6","id_raw":"SA-6","tier_raw":"Control","tier":1,"seq":null,"title":"Software Usage Restrictions","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-7","id_raw":"SA-7","tier_raw":"Control","tier":1,"seq":null,"title":"User-Installed Software","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-8","id_raw":"SA-8","tier_raw":"Control","tier":1,"seq":null,"title":"Security Engineering Principles","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9","id_raw":"SA-9","tier_raw":"Control","tier":1,"seq":null,"title":"External Information System Services","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(1)","id_raw":"SA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Risk Assessments / Organizational Approvals","description":"The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(2)","id_raw":"SA-9 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identification Of Functions / Ports / Protocols / Services","description":"The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(3)","id_raw":"SA-9 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Establish / Maintain Trust Relationship With Providers","description":"The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(4)","id_raw":"SA-9 
(4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Consistent Interests Of Consumers And Providers","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(5)","id_raw":"SA-9 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Processing, Storage, And Service Location","description":"The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9a.","id_raw":"SA-9a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9b.","id_raw":"SA-9b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9c.","id_raw":"SA-9c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1","id_raw":"SA-1","tier_raw":"Control","tier":1,"seq":1,"title":"System and Services Acquisition Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10","id_raw":"SA-10","tier_raw":"Control","tier":1,"seq":10,"title":"Developer Configuration Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(1)","id_raw":"SA-10 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Software / Firmware Integrity Verification","description":"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(2)","id_raw":"SA-10 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Alternative Configuration Management Processes","description":"The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(3)","id_raw":"SA-10 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Hardware Integrity Verification","description":"The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(4)","id_raw":"SA-10 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Trusted Generation","description":"The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(5)","id_raw":"SA-10 
(5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Mapping Integrity For Version Control","description":"The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10(6)","id_raw":"SA-10 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Trusted Distribution","description":"The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10a.","id_raw":"SA-10a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10b.","id_raw":"SA-10b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10c.","id_raw":"SA-10c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization requires the developer of the information system, system 
component, or information system service to: Implement only organization-approved changes to the system, component, or service;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10d.","id_raw":"SA-10d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-10e.","id_raw":"SA-10e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11","id_raw":"SA-11","tier_raw":"Control","tier":1,"seq":11,"title":"Developer Security Testing and Evaluation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(1)","id_raw":"SA-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Static Code Analysis","description":"The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(2)","id_raw":"SA-11 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Threat And Vulnerability Analyses","description":"The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(3)","id_raw":"SA-11 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Independent Verification Of Assessment Plans / Evidence","description":"The organization: Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(4)","id_raw":"SA-11 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Manual Code Reviews","description":"The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(5)","id_raw":"SA-11 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Penetration Testing","description":"The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(6)","id_raw":"SA-11 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Attack Surface Reviews","description":"The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(7)","id_raw":"SA-11 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Verify Scope Of Testing / 
Evaluation","description":"The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11(8)","id_raw":"SA-11 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Dynamic Code Analysis","description":"The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11a.","id_raw":"SA-11a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11b.","id_raw":"SA-11b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11c.","id_raw":"SA-11c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11d.","id_raw":"SA-11d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization 
requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-11e.","id_raw":"SA-11e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12","id_raw":"SA-12","tier_raw":"Control","tier":1,"seq":12,"title":"Supply Chain Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(1)","id_raw":"SA-12 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Acquisition Strategies / Tools / Methods","description":"The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(10)","id_raw":"SA-12 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Validate As Genuine And Not Altered","description":"The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(11)","id_raw":"SA-12 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Penetration Testing / Analysis Of Elements, Processes, And Actors","description":"The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system 
component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(12)","id_raw":"SA-12 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Inter-Organizational Agreements","description":"The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(13)","id_raw":"SA-12 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Critical Information System Components","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(14)","id_raw":"SA-12 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Identity And Traceability","description":"The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(15)","id_raw":"SA-12 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Processes To Address Weaknesses Or Deficiencies","description":"The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(2)","id_raw":"SA-12 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Supplier Reviews","description":"The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(5)","id_raw":"SA-12 
(5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Limitation Of Harm","description":"The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(7)","id_raw":"SA-12 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Assessments Prior To Selection / Acceptance / Update","description":"The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(8)","id_raw":"SA-12 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Use Of All-Source Intelligence","description":"The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-12(9)","id_raw":"SA-12 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Operations Security","description":"The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13","id_raw":"SA-13","tier_raw":"Control","tier":1,"seq":13,"title":"Trustworthiness","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13a.","id_raw":"SA-13a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-13b.","id_raw":"SA-13b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-14","id_raw":"SA-14","tier_raw":"Control","tier":1,"seq":14,"title":"Criticality Analysis","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15","id_raw":"SA-15","tier_raw":"Control","tier":1,"seq":15,"title":"Development Process, Standards, and Tools","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(1)","id_raw":"SA-15 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Quality Metrics","description":"The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(10)","id_raw":"SA-15 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Incident Response Plan","description":"The organization requires the developer of the information system, system component, or information system service to provide an incident response plan."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(11)","id_raw":"SA-15 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Archive Information System / Component","description":"The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(2)","id_raw":"SA-15 
(2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Security Tracking Tools","description":"The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(3)","id_raw":"SA-15 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Criticality Analysis","description":"The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(4)","id_raw":"SA-15 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Threat Modeling / Vulnerability Analysis","description":"The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(5)","id_raw":"SA-15 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Attack Surface Reduction","description":"The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(6)","id_raw":"SA-15 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Continuous Improvement","description":"The organization requires 
the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(7)","id_raw":"SA-15 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Automated Vulnerability Analysis","description":"The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(8)","id_raw":"SA-15 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Reuse Of Threat / Vulnerability Information","description":"The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15(9)","id_raw":"SA-15 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Use Of Live Data","description":"The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15a.","id_raw":"SA-15a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the 
standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-15b.","id_raw":"SA-15b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-16","id_raw":"SA-16","tier_raw":"Control","tier":1,"seq":16,"title":"Developer-Provided Training","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17","id_raw":"SA-17","tier_raw":"Control","tier":1,"seq":17,"title":"Developer Security Architecture and Design","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(1)","id_raw":"SA-17 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Formal Policy Model","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(2)","id_raw":"SA-17 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Security-Relevant Components","description":"The organization requires the developer of the information system, system component, or information 
system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(3)","id_raw":"SA-17 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Formal Correspondence","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(4)","id_raw":"SA-17 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Informal Correspondence","description":"The organization requires the developer of the information system, system component, or information system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via [Selection: informal demonstration, convincing argument 
with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(5)","id_raw":"SA-17 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Conceptually Simple Design","description":"The organization requires the developer of the information system, system component, or information system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(6)","id_raw":"SA-17 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Structure For Testing","description":"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17(7)","id_raw":"SA-17 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Structure For Least Privilege","description":"The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling 
access with least privilege."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17a.","id_raw":"SA-17a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17b.","id_raw":"SA-17b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-17c.","id_raw":"SA-17c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18","id_raw":"SA-18","tier_raw":"Control","tier":1,"seq":18,"title":"Tamper Resistance and Detection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18(1)","id_raw":"SA-18 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Multiple Phases Of Sdlc","description":"The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including 
design, development, integration, operations, and maintenance."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-18(2)","id_raw":"SA-18 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Inspection Of Information Systems, Components, Or Devices","description":"The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19","id_raw":"SA-19","tier_raw":"Control","tier":1,"seq":19,"title":"Component Authenticity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(1)","id_raw":"SA-19 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Anti-Counterfeit Training","description":"The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(2)","id_raw":"SA-19 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Configuration Control For Component Service / Repair","description":"The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(3)","id_raw":"SA-19 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Component Disposal","description":"The organization disposes of information system components using [Assignment: organization-defined techniques and methods]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19(4)","id_raw":"SA-19 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Anti-Counterfeit Scanning","description":"The organization scans for counterfeit 
information system components [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19a.","id_raw":"SA-19a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-19b.","id_raw":"SA-19b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1a.","id_raw":"SA-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-1b.","id_raw":"SA-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and System and services acquisition procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2","id_raw":"SA-2","tier_raw":"Control","tier":1,"seq":2,"title":"Allocation Of Resources","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-20","id_raw":"SA-20","tier_raw":"Control","tier":1,"seq":20,"title":"Customized Development Of Critical Components","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21","id_raw":"SA-21","tier_raw":"Control","tier":1,"seq":21,"title":"Developer Screening","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21(1)","id_raw":"SA-21 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Validation Of Screening","description":"The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21a.","id_raw":"SA-21a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-21b.","id_raw":"SA-21b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Satisfy [Assignment: organization-defined additional personnel screening criteria]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22","id_raw":"SA-22","tier_raw":"Control","tier":1,"seq":22,"title":"Unsupported System Components","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22(1)","id_raw":"SA-22 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Alternative Sources For Continued Support","description":"The organization provides [Selection (one or 
more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22a.","id_raw":"SA-22a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-22b.","id_raw":"SA-22b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2a.","id_raw":"SA-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Determines information security requirements for the information system or information system service in mission/business process planning;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2b.","id_raw":"SA-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-2c.","id_raw":"SA-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3","id_raw":"SA-3","tier_raw":"Control","tier":1,"seq":3,"title":"System Development Life Cycle","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3a.","id_raw":"SA-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3b.","id_raw":"SA-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3c.","id_raw":"SA-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Identifies individuals having information security roles and responsibilities; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-3d.","id_raw":"SA-3d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Integrates the organizational information security risk management process into system development life cycle activities."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4","id_raw":"SA-4","tier_raw":"Control","tier":1,"seq":4,"title":"Acquisition Process","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(1)","id_raw":"SA-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Functional Properties Of Security Controls","description":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(10)","id_raw":"SA-4 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Use Of Approved Piv Products","description":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity 
Verification (PIV) capability implemented within organizational information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(2)","id_raw":"SA-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Design / Implementation Information For Security Controls","description":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(3)","id_raw":"SA-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Development Methods / Techniques / Practices","description":"The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(5)","id_raw":"SA-4 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"System / Component / Service Configurations","description":"The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(6)","id_raw":"SA-4 
(6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Use Of Information Assurance Products","description":"The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(7)","id_raw":"SA-4 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Niap-Approved Protection Profiles","description":"The organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(8)","id_raw":"SA-4 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Continuous Monitoring Plan","description":"The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4(9)","id_raw":"SA-4 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Functions / Ports / Protocols / Services In 
Use","description":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4a.","id_raw":"SA-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4b.","id_raw":"SA-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4c.","id_raw":"SA-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4d.","id_raw":"SA-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4e.","id_raw":"SA-4e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4f.","id_raw":"SA-4f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-4g.","id_raw":"SA-4g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization includes the following requirements, 
descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5","id_raw":"SA-5","tier_raw":"Control","tier":1,"seq":5,"title":"Information System Documentation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5a.","id_raw":"SA-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5b.","id_raw":"SA-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and User responsibilities in maintaining the security of the system, component, or service;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5c.","id_raw":"SA-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or 
nonexistent and takes [Assignment: organization-defined actions] in response;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5d.","id_raw":"SA-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Protects documentation as required, in accordance with the risk management strategy; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-5e.","id_raw":"SA-5e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-6","id_raw":"SA-6","tier_raw":"Control","tier":1,"seq":6,"title":"Software Usage Restrictions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-7","id_raw":"SA-7","tier_raw":"Control","tier":1,"seq":7,"title":"User-Installed Software","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-8","id_raw":"SA-8","tier_raw":"Control","tier":1,"seq":8,"title":"Security Engineering Principles","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9","id_raw":"SA-9","tier_raw":"Control","tier":1,"seq":9,"title":"External Information System Services","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(1)","id_raw":"SA-9 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Risk Assessments / Organizational Approvals","description":"The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(2)","id_raw":"SA-9 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Identification Of Functions / Ports / Protocols / Services","description":"The organization requires providers of 
[Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(3)","id_raw":"SA-9 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Establish / Maintain Trust Relationship With Providers","description":"The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(4)","id_raw":"SA-9 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Consistent Interests Of Consumers And Providers","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9(5)","id_raw":"SA-9 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Processing, Storage, And Service Location","description":"The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9a.","id_raw":"SA-9a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9b.","id_raw":"SA-9b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sa-9c.","id_raw":"SA-9c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis."} {"source":"nist_800_53_v4","id":"nist_800_53_v4:sc","id_raw":"SC","tier_raw":"Family","tier":0,"seq":17,"title":"System and Communications Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1","id_raw":"SC-1","tier_raw":"Control","tier":1,"seq":null,"title":"System and Communications Protection Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-10","id_raw":"SC-10","tier_raw":"Control","tier":1,"seq":null,"title":"Network Disconnect","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-11","id_raw":"SC-11","tier_raw":"Control","tier":1,"seq":null,"title":"Trusted Path","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-11(1)","id_raw":"SC-11 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Logical Isolation","description":"The information system provides a trusted communications path that is logically isolated and distinguishable from other paths."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12","id_raw":"SC-12","tier_raw":"Control","tier":1,"seq":null,"title":"Cryptographic Key Establishment and Management","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(1)","id_raw":"SC-12 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Availability","description":"The organization maintains 
availability of information in the event of the loss of cryptographic keys by users."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(2)","id_raw":"SC-12 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Symmetric Keys","description":"The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(3)","id_raw":"SC-12 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Asymmetric Keys","description":"The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-13","id_raw":"SC-13","tier_raw":"Control","tier":1,"seq":null,"title":"Cryptographic Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-14","id_raw":"SC-14","tier_raw":"Control","tier":1,"seq":null,"title":"Public Access Protections","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15","id_raw":"SC-15","tier_raw":"Control","tier":1,"seq":null,"title":"Collaborative Computing Devices","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(1)","id_raw":"SC-15 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Physical Disconnect","description":"The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(3)","id_raw":"SC-15 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disabling / Removal In Secure Work Areas","description":"The organization disables or removes collaborative computing 
devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(4)","id_raw":"SC-15 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Explicitly Indicate Current Participants","description":"The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15a.","id_raw":"SC-15a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15b.","id_raw":"SC-15b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Provides an explicit indication of use to users physically present at the devices."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-16","id_raw":"SC-16","tier_raw":"Control","tier":1,"seq":null,"title":"Transmission Of Security Attributes","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-16(1)","id_raw":"SC-16 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integrity Validation","description":"The information system validates the integrity of transmitted security attributes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-17","id_raw":"SC-17","tier_raw":"Control","tier":1,"seq":null,"title":"Public Key Infrastructure Certificates","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18","id_raw":"SC-18","tier_raw":"Control","tier":1,"seq":null,"title":"Mobile Code","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(1)","id_raw":"SC-18 
(1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Identify Unacceptable Code / Take Corrective Actions","description":"The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(2)","id_raw":"SC-18 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Acquisition / Development / Use","description":"The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(3)","id_raw":"SC-18 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Downloading / Execution","description":"The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(4)","id_raw":"SC-18 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Automatic Execution","description":"The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(5)","id_raw":"SC-18 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Allow Execution Only In Confined Environments","description":"The organization allows execution of permitted mobile code only in confined virtual machine environments."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18a.","id_raw":"SC-18a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18b.","id_raw":"SC-18b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18c.","id_raw":"SC-18c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of mobile code within the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19","id_raw":"SC-19","tier_raw":"Control","tier":1,"seq":null,"title":"Voice Over Internet Protocol","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19a.","id_raw":"SC-19a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19b.","id_raw":"SC-19b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of VoIP within the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1a.","id_raw":"SC-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1b.","id_raw":"SC-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and System and communications protection procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-2","id_raw":"SC-2","tier_raw":"Control","tier":1,"seq":null,"title":"Application Partitioning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-2(1)","id_raw":"SC-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Interfaces For Non-Privileged Users","description":"The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20","id_raw":"SC-20","tier_raw":"Control","tier":1,"seq":null,"title":"Secure Name / Address Resolution Service (Authoritative Source)","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20(2)","id_raw":"SC-20 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Data Origin / Integrity","description":"The information system provides data origin and integrity protection artifacts for internal name/address resolution queries."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20a.","id_raw":"SC-20a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20b.","id_raw":"SC-20b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Provides the means to indicate the security 
status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-21","id_raw":"SC-21","tier_raw":"Control","tier":1,"seq":null,"title":"Secure Name / Address Resolution Service (Recursive Or Caching Resolver)","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-22","id_raw":"SC-22","tier_raw":"Control","tier":1,"seq":null,"title":"Architecture and Provisioning For Name / Address Resolution Service","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23","id_raw":"SC-23","tier_raw":"Control","tier":1,"seq":null,"title":"Session Authenticity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(1)","id_raw":"SC-23 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Invalidate Session Identifiers At Logout","description":"The information system invalidates session identifiers upon user logout or other session termination."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(3)","id_raw":"SC-23 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unique Session Identifiers With Randomization","description":"The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(5)","id_raw":"SC-23 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Allowed Certificate Authorities","description":"The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-24","id_raw":"SC-24","tier_raw":"Control","tier":1,"seq":null,"title":"Fail In 
Known State","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-25","id_raw":"SC-25","tier_raw":"Control","tier":1,"seq":null,"title":"Thin Nodes","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-26","id_raw":"SC-26","tier_raw":"Control","tier":1,"seq":null,"title":"Honeypots","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-27","id_raw":"SC-27","tier_raw":"Control","tier":1,"seq":null,"title":"Platform-Independent Applications","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28","id_raw":"SC-28","tier_raw":"Control","tier":1,"seq":null,"title":"Protection Of Information At Rest","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28(1)","id_raw":"SC-28 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28(2)","id_raw":"SC-28 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Off-Line Storage","description":"The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-29","id_raw":"SC-29","tier_raw":"Control","tier":1,"seq":null,"title":"Heterogeneity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-29(1)","id_raw":"SC-29 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Virtualization Techniques","description":"The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3","id_raw":"SC-3","tier_raw":"Control","tier":1,"seq":null,"title":"Security Function Isolation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(1)","id_raw":"SC-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware Separation","description":"The information system utilizes underlying hardware separation mechanisms to implement security function isolation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(2)","id_raw":"SC-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access / Flow Control Functions","description":"The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(3)","id_raw":"SC-3 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Minimize Nonsecurity Functionality","description":"The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(4)","id_raw":"SC-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Module Coupling And Cohesiveness","description":"The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(5)","id_raw":"SC-3 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Layered Structures","description":"The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30","id_raw":"SC-30","tier_raw":"Control","tier":1,"seq":null,"title":"Concealment and 
Misdirection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(2)","id_raw":"SC-30 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Randomness","description":"The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(3)","id_raw":"SC-30 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Change Processing / Storage Locations","description":"The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(4)","id_raw":"SC-30 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Misleading Information","description":"The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(5)","id_raw":"SC-30 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Concealment Of System Components","description":"The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31","id_raw":"SC-31","tier_raw":"Control","tier":1,"seq":null,"title":"Covert Channel Analysis","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(1)","id_raw":"SC-31 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Test Covert Channels For Exploitability","description":"The organization tests a subset of the identified covert channels to determine which channels are exploitable."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(2)","id_raw":"SC-31 
(2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Maximum Bandwidth","description":"The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(3)","id_raw":"SC-31 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Measure Bandwidth In Operational Environments","description":"The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31a.","id_raw":"SC-31a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31b.","id_raw":"SC-31b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Estimates the maximum bandwidth of those channels."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-32","id_raw":"SC-32","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Partitioning","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-33","id_raw":"SC-33","tier_raw":"Control","tier":1,"seq":null,"title":"Transmission Preparation Integrity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34","id_raw":"SC-34","tier_raw":"Control","tier":1,"seq":null,"title":"Non-Modifiable Executable Programs","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(1)","id_raw":"SC-34 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"No Writable Storage","description":"The organization employs [Assignment: organization-defined information 
system components] with no writeable storage that is persistent across component restart or power on/off."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(2)","id_raw":"SC-34 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integrity Protection / Read-Only Media","description":"The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(3)","id_raw":"SC-34 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware-Based Protection","description":"The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34a.","id_raw":"SC-34a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34b.","id_raw":"SC-34b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system at [Assignment: organization-defined information system components]: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-35","id_raw":"SC-35","tier_raw":"Control","tier":1,"seq":null,"title":"Honeyclients","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-36","id_raw":"SC-36","tier_raw":"Control","tier":1,"seq":null,"title":"Distributed 
Processing and Storage","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-36(1)","id_raw":"SC-36 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Polling Techniques","description":"The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-37","id_raw":"SC-37","tier_raw":"Control","tier":1,"seq":null,"title":"Out-Of-Band Channels","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-37(1)","id_raw":"SC-37 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Ensure Delivery / Transmission","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-38","id_raw":"SC-38","tier_raw":"Control","tier":1,"seq":null,"title":"Operations Security","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39","id_raw":"SC-39","tier_raw":"Control","tier":1,"seq":null,"title":"Process Isolation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39(1)","id_raw":"SC-39 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Hardware Separation","description":"The information system implements underlying hardware separation mechanisms to facilitate process separation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39(2)","id_raw":"SC-39 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Thread Isolation","description":"The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-4","id_raw":"SC-4","tier_raw":"Control","tier":1,"seq":null,"title":"Information In Shared Resources","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-4(2)","id_raw":"SC-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Periods Processing","description":"The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40","id_raw":"SC-40","tier_raw":"Control","tier":1,"seq":null,"title":"Wireless Link Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(1)","id_raw":"SC-40 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Electromagnetic Interference","description":"The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(2)","id_raw":"SC-40 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Reduce Detection Potential","description":"The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(3)","id_raw":"SC-40 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Imitative Or Manipulative Communications Deception","description":"The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(4)","id_raw":"SC-40 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Signal Parameter Identification","description":"The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-41","id_raw":"SC-41","tier_raw":"Control","tier":1,"seq":null,"title":"Port and I/O Device Access","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42","id_raw":"SC-42","tier_raw":"Control","tier":1,"seq":null,"title":"Sensor Capability and Data","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(1)","id_raw":"SC-42 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Reporting To Authorized Individuals Or Roles","description":"The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(2)","id_raw":"SC-42 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authorized Use","description":"The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(3)","id_raw":"SC-42 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prohibit Use Of Devices","description":"The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42a.","id_raw":"SC-42a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42b.","id_raw":"SC-42b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43","id_raw":"SC-43","tier_raw":"Control","tier":1,"seq":null,"title":"Usage Restrictions","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43a.","id_raw":"SC-43a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43b.","id_raw":"SC-43b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of such components within the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-44","id_raw":"SC-44","tier_raw":"Control","tier":1,"seq":null,"title":"Detonation Chambers","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5","id_raw":"SC-5","tier_raw":"Control","tier":1,"seq":null,"title":"Denial Of Service Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(1)","id_raw":"SC-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Internal Users","description":"The information system restricts the 
ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(2)","id_raw":"SC-5 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Excess Capacity / Bandwidth / Redundancy","description":"The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(3)","id_raw":"SC-5 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Detection / Monitoring","description":"The organization: Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-6","id_raw":"SC-6","tier_raw":"Control","tier":1,"seq":null,"title":"Resource Availability","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7","id_raw":"SC-7","tier_raw":"Control","tier":1,"seq":null,"title":"Boundary Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(10)","id_raw":"SC-7 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Unauthorized Exfiltration","description":"The organization prevents the unauthorized exfiltration of information across managed interfaces."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(11)","id_raw":"SC-7 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Incoming Communications Traffic","description":"The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(12)","id_raw":"SC-7 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Host-Based Protection","description":"The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(13)","id_raw":"SC-7 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Isolation Of Security Tools / Mechanisms / Support Components","description":"The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(14)","id_raw":"SC-7 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Protects Against Unauthorized Physical Connections","description":"The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(15)","id_raw":"SC-7 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Route Privileged Network Accesses","description":"The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(16)","id_raw":"SC-7 (16)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Discovery Of Components / Devices","description":"The information system prevents discovery of specific system components composing a managed interface."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(17)","id_raw":"SC-7 (17)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Enforcement Of Protocol Formats","description":"The 
information system enforces adherence to protocol formats."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(18)","id_raw":"SC-7 (18)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Fail Secure","description":"The information system fails securely in the event of an operational failure of a boundary protection device."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(19)","id_raw":"SC-7 (19)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Blocks Communication From Non-Organizationally Configured Hosts","description":"The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(20)","id_raw":"SC-7 (20)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Dynamic Isolation / Segregation","description":"The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(21)","id_raw":"SC-7 (21)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Isolation Of Information System Components","description":"The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(22)","id_raw":"SC-7 (22)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Separate Subnets For Connecting To Different Security Domains","description":"The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(23)","id_raw":"SC-7 
(23)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Disable Sender Feedback On Protocol Validation Failure","description":"The information system disables feedback to senders on protocol format validation failure."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(3)","id_raw":"SC-7 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Access Points","description":"The organization limits the number of external network connections to the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(4)","id_raw":"SC-7 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"External Telecommunications Services","description":"The organization: Implements a managed interface for each external telecommunication service; Establishes a traffic flow policy for each managed interface; Protects the confidentiality and integrity of the information being transmitted across each interface; Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(5)","id_raw":"SC-7 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Deny By Default / Allow By Exception","description":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(7)","id_raw":"SC-7 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Prevent Split Tunneling For Remote Devices","description":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to 
resources in external networks."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(8)","id_raw":"SC-7 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Route Traffic To Authenticated Proxy Servers","description":"The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(9)","id_raw":"SC-7 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Threatening Outgoing Communications Traffic","description":"The information system: Detects and denies outgoing communications traffic posing a threat to external information systems; and Audits the identity of internal users associated with denied communications."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7a.","id_raw":"SC-7a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7b.","id_raw":"SC-7b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7c.","id_raw":"SC-7c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8","id_raw":"SC-8","tier_raw":"Control","tier":1,"seq":null,"title":"Transmission Confidentiality 
and Integrity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(1)","id_raw":"SC-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Or Alternate Physical Protection","description":"The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(2)","id_raw":"SC-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Pre / Post Transmission Handling","description":"The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(3)","id_raw":"SC-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection For Message Externals","description":"The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(4)","id_raw":"SC-8 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Conceal / Randomize Communications","description":"The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-9","id_raw":"SC-9","tier_raw":"Control","tier":1,"seq":null,"title":"Transmission Confidentiality","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1","id_raw":"SC-1","tier_raw":"Control","tier":1,"seq":1,"title":"System and Communications Protection Policy and 
Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-10","id_raw":"SC-10","tier_raw":"Control","tier":1,"seq":10,"title":"Network Disconnect","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-11","id_raw":"SC-11","tier_raw":"Control","tier":1,"seq":11,"title":"Trusted Path","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-11(1)","id_raw":"SC-11 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Logical Isolation","description":"The information system provides a trusted communications path that is logically isolated and distinguishable from other paths."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12","id_raw":"SC-12","tier_raw":"Control","tier":1,"seq":12,"title":"Cryptographic Key Establishment and Management","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(1)","id_raw":"SC-12 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Availability","description":"The organization maintains availability of information in the event of the loss of cryptographic keys by users."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(2)","id_raw":"SC-12 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Symmetric Keys","description":"The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-12(3)","id_raw":"SC-12 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Asymmetric Keys","description":"The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-13","id_raw":"SC-13","tier_raw":"Control","tier":1,"seq":13,"title":"Cryptographic Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-14","id_raw":"SC-14","tier_raw":"Control","tier":1,"seq":14,"title":"Public Access Protections","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15","id_raw":"SC-15","tier_raw":"Control","tier":1,"seq":15,"title":"Collaborative Computing Devices","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(1)","id_raw":"SC-15 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Physical Disconnect","description":"The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(3)","id_raw":"SC-15 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Disabling / Removal In Secure Work Areas","description":"The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15(4)","id_raw":"SC-15 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Explicitly Indicate Current Participants","description":"The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15a.","id_raw":"SC-15a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-15b.","id_raw":"SC-15b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Provides an explicit indication of use to users physically present at the devices."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-16","id_raw":"SC-16","tier_raw":"Control","tier":1,"seq":16,"title":"Transmission Of Security Attributes","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-16(1)","id_raw":"SC-16 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Integrity Validation","description":"The information system validates the integrity of transmitted security attributes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-17","id_raw":"SC-17","tier_raw":"Control","tier":1,"seq":17,"title":"Public Key Infrastructure Certificates","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18","id_raw":"SC-18","tier_raw":"Control","tier":1,"seq":18,"title":"Mobile Code","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(1)","id_raw":"SC-18 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Identify Unacceptable Code / Take Corrective Actions","description":"The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(2)","id_raw":"SC-18 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Acquisition / Development / Use","description":"The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(3)","id_raw":"SC-18 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Prevent Downloading / Execution","description":"The information system prevents the download and execution of 
[Assignment: organization-defined unacceptable mobile code]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(4)","id_raw":"SC-18 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Prevent Automatic Execution","description":"The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18(5)","id_raw":"SC-18 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Allow Execution Only In Confined Environments","description":"The organization allows execution of permitted mobile code only in confined virtual machine environments."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18a.","id_raw":"SC-18a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18b.","id_raw":"SC-18b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-18c.","id_raw":"SC-18c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of mobile code within the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19","id_raw":"SC-19","tier_raw":"Control","tier":1,"seq":19,"title":"Voice Over Internet Protocol","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19a.","id_raw":"SC-19a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the 
potential to cause damage to the information system if used maliciously; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-19b.","id_raw":"SC-19b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of VoIP within the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1a.","id_raw":"SC-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-1b.","id_raw":"SC-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and System and communications protection procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-2","id_raw":"SC-2","tier_raw":"Control","tier":1,"seq":2,"title":"Application Partitioning","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-2(1)","id_raw":"SC-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Interfaces For Non-Privileged Users","description":"The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20","id_raw":"SC-20","tier_raw":"Control","tier":1,"seq":20,"title":"Secure Name / Address Resolution Service (Authoritative 
Source)","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20(2)","id_raw":"SC-20 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Data Origin / Integrity","description":"The information system provides data origin and integrity protection artifacts for internal name/address resolution queries."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20a.","id_raw":"SC-20a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-20b.","id_raw":"SC-20b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-21","id_raw":"SC-21","tier_raw":"Control","tier":1,"seq":21,"title":"Secure Name / Address Resolution Service (Recursive Or Caching Resolver)","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-22","id_raw":"SC-22","tier_raw":"Control","tier":1,"seq":22,"title":"Architecture and Provisioning For Name / Address Resolution Service","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23","id_raw":"SC-23","tier_raw":"Control","tier":1,"seq":23,"title":"Session Authenticity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(1)","id_raw":"SC-23 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Invalidate Session Identifiers At Logout","description":"The information system invalidates session identifiers upon user logout or 
other session termination."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(3)","id_raw":"SC-23 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Unique Session Identifiers With Randomization","description":"The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-23(5)","id_raw":"SC-23 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Allowed Certificate Authorities","description":"The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-24","id_raw":"SC-24","tier_raw":"Control","tier":1,"seq":24,"title":"Fail In Known State","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-25","id_raw":"SC-25","tier_raw":"Control","tier":1,"seq":25,"title":"Thin Nodes","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-26","id_raw":"SC-26","tier_raw":"Control","tier":1,"seq":26,"title":"Honeypots","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-27","id_raw":"SC-27","tier_raw":"Control","tier":1,"seq":27,"title":"Platform-Independent Applications","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28","id_raw":"SC-28","tier_raw":"Control","tier":1,"seq":28,"title":"Protection Of Information At Rest","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28(1)","id_raw":"SC-28 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system 
components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-28(2)","id_raw":"SC-28 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Off-Line Storage","description":"The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-29","id_raw":"SC-29","tier_raw":"Control","tier":1,"seq":29,"title":"Heterogeneity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-29(1)","id_raw":"SC-29 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Virtualization Techniques","description":"The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3","id_raw":"SC-3","tier_raw":"Control","tier":1,"seq":3,"title":"Security Function Isolation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(1)","id_raw":"SC-3 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Hardware Separation","description":"The information system utilizes underlying hardware separation mechanisms to implement security function isolation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(2)","id_raw":"SC-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Access / Flow Control Functions","description":"The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(3)","id_raw":"SC-3 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Minimize Nonsecurity Functionality","description":"The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(4)","id_raw":"SC-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Module Coupling And Cohesiveness","description":"The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-3(5)","id_raw":"SC-3 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Layered Structures","description":"The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30","id_raw":"SC-30","tier_raw":"Control","tier":1,"seq":30,"title":"Concealment and Misdirection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(2)","id_raw":"SC-30 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Randomness","description":"The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(3)","id_raw":"SC-30 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Change Processing / Storage Locations","description":"The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(4)","id_raw":"SC-30 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Misleading Information","description":"The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-30(5)","id_raw":"SC-30 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Concealment Of System Components","description":"The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31","id_raw":"SC-31","tier_raw":"Control","tier":1,"seq":31,"title":"Covert Channel Analysis","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(1)","id_raw":"SC-31 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Test Covert Channels For Exploitability","description":"The organization tests a subset of the identified covert channels to determine which channels are exploitable."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(2)","id_raw":"SC-31 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Maximum Bandwidth","description":"The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31(3)","id_raw":"SC-31 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Measure Bandwidth In Operational Environments","description":"The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31a.","id_raw":"SC-31a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-31b.","id_raw":"SC-31b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Estimates the maximum bandwidth of those channels."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-32","id_raw":"SC-32","tier_raw":"Control","tier":1,"seq":32,"title":"Information System Partitioning","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-33","id_raw":"SC-33","tier_raw":"Control","tier":1,"seq":33,"title":"Transmission Preparation Integrity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34","id_raw":"SC-34","tier_raw":"Control","tier":1,"seq":34,"title":"Non-Modifiable Executable Programs","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(1)","id_raw":"SC-34 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"No Writable Storage","description":"The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(2)","id_raw":"SC-34 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Integrity Protection / Read-Only Media","description":"The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34(3)","id_raw":"SC-34 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Hardware-Based Protection","description":"The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34a.","id_raw":"SC-34a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-34b.","id_raw":"SC-34b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system at [Assignment: organization-defined information system components]: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-35","id_raw":"SC-35","tier_raw":"Control","tier":1,"seq":35,"title":"Honeyclients","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-36","id_raw":"SC-36","tier_raw":"Control","tier":1,"seq":36,"title":"Distributed Processing and Storage","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-36(1)","id_raw":"SC-36 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Polling Techniques","description":"The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-37","id_raw":"SC-37","tier_raw":"Control","tier":1,"seq":37,"title":"Out-Of-Band Channels","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-37(1)","id_raw":"SC-37 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Ensure Delivery / Transmission","description":"The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-38","id_raw":"SC-38","tier_raw":"Control","tier":1,"seq":38,"title":"Operations Security","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39","id_raw":"SC-39","tier_raw":"Control","tier":1,"seq":39,"title":"Process Isolation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39(1)","id_raw":"SC-39 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Hardware Separation","description":"The information system implements underlying hardware separation mechanisms to facilitate process separation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-39(2)","id_raw":"SC-39 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Thread Isolation","description":"The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-4","id_raw":"SC-4","tier_raw":"Control","tier":1,"seq":4,"title":"Information In Shared Resources","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-4(2)","id_raw":"SC-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Periods Processing","description":"The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40","id_raw":"SC-40","tier_raw":"Control","tier":1,"seq":40,"title":"Wireless Link Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(1)","id_raw":"SC-40 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Electromagnetic Interference","description":"The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the 
effects of intentional electromagnetic interference."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(2)","id_raw":"SC-40 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Reduce Detection Potential","description":"The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(3)","id_raw":"SC-40 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Imitative Or Manipulative Communications Deception","description":"The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-40(4)","id_raw":"SC-40 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Signal Parameter Identification","description":"The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-41","id_raw":"SC-41","tier_raw":"Control","tier":1,"seq":41,"title":"Port and I/O Device Access","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42","id_raw":"SC-42","tier_raw":"Control","tier":1,"seq":42,"title":"Sensor Capability and Data","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(1)","id_raw":"SC-42 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Reporting To Authorized Individuals Or Roles","description":"The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(2)","id_raw":"SC-42 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Authorized Use","description":"The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42(3)","id_raw":"SC-42 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Prohibit Use Of Devices","description":"The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42a.","id_raw":"SC-42a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-42b.","id_raw":"SC-42b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43","id_raw":"SC-43","tier_raw":"Control","tier":1,"seq":43,"title":"Usage Restrictions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43a.","id_raw":"SC-43a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-43b.","id_raw":"SC-43b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Authorizes, monitors, and controls the use of such components within the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-44","id_raw":"SC-44","tier_raw":"Control","tier":1,"seq":44,"title":"Detonation Chambers","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5","id_raw":"SC-5","tier_raw":"Control","tier":1,"seq":5,"title":"Denial Of Service Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(1)","id_raw":"SC-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Restrict Internal Users","description":"The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(2)","id_raw":"SC-5 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Excess Capacity / Bandwidth / Redundancy","description":"The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-5(3)","id_raw":"SC-5 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Detection / Monitoring","description":"The organization: Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-6","id_raw":"SC-6","tier_raw":"Control","tier":1,"seq":6,"title":"Resource Availability","description":null} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7","id_raw":"SC-7","tier_raw":"Control","tier":1,"seq":7,"title":"Boundary Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(10)","id_raw":"SC-7 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Prevent Unauthorized Exfiltration","description":"The organization prevents the unauthorized exfiltration of information across managed interfaces."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(11)","id_raw":"SC-7 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Restrict Incoming Communications Traffic","description":"The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(12)","id_raw":"SC-7 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Host-Based Protection","description":"The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(13)","id_raw":"SC-7 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Isolation Of Security Tools / Mechanisms / Support Components","description":"The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(14)","id_raw":"SC-7 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Protects Against Unauthorized Physical Connections","description":"The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(15)","id_raw":"SC-7 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Route Privileged Network Accesses","description":"The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(16)","id_raw":"SC-7 (16)","tier_raw":"Enhancement","tier":2,"seq":16,"title":"Prevent Discovery Of Components / Devices","description":"The information system prevents discovery of specific system components composing a managed interface."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(17)","id_raw":"SC-7 (17)","tier_raw":"Enhancement","tier":2,"seq":17,"title":"Automated Enforcement Of Protocol Formats","description":"The information system enforces adherence to protocol formats."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(18)","id_raw":"SC-7 (18)","tier_raw":"Enhancement","tier":2,"seq":18,"title":"Fail Secure","description":"The information system fails securely in the event of an operational failure of a boundary protection device."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(19)","id_raw":"SC-7 (19)","tier_raw":"Enhancement","tier":2,"seq":19,"title":"Blocks Communication From Non-Organizationally Configured Hosts","description":"The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(20)","id_raw":"SC-7 (20)","tier_raw":"Enhancement","tier":2,"seq":20,"title":"Dynamic Isolation / Segregation","description":"The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(21)","id_raw":"SC-7 (21)","tier_raw":"Enhancement","tier":2,"seq":21,"title":"Isolation Of Information System Components","description":"The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(22)","id_raw":"SC-7 (22)","tier_raw":"Enhancement","tier":2,"seq":22,"title":"Separate Subnets For Connecting To Different Security Domains","description":"The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(23)","id_raw":"SC-7 (23)","tier_raw":"Enhancement","tier":2,"seq":23,"title":"Disable Sender Feedback On Protocol Validation Failure","description":"The information system disables feedback to senders on protocol format validation failure."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(3)","id_raw":"SC-7 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Access Points","description":"The organization limits the number of external network connections to the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(4)","id_raw":"SC-7 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"External Telecommunications Services","description":"The organization: Implements a managed interface for each external telecommunication service; Establishes a traffic flow policy for each managed interface; Protects the confidentiality and integrity of the information being transmitted across each interface; Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are 
no longer supported by an explicit mission/business need."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(5)","id_raw":"SC-7 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Deny By Default / Allow By Exception","description":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(7)","id_raw":"SC-7 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Prevent Split Tunneling For Remote Devices","description":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(8)","id_raw":"SC-7 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Route Traffic To Authenticated Proxy Servers","description":"The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7(9)","id_raw":"SC-7 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Restrict Threatening Outgoing Communications Traffic","description":"The information system: Detects and denies outgoing communications traffic posing a threat to external information systems; and Audits the identity of internal users associated with denied communications."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7a.","id_raw":"SC-7a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7b.","id_raw":"SC-7b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-7c.","id_raw":"SC-7c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8","id_raw":"SC-8","tier_raw":"Control","tier":1,"seq":8,"title":"Transmission Confidentiality and Integrity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(1)","id_raw":"SC-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Cryptographic Or Alternate Physical Protection","description":"The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(2)","id_raw":"SC-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Pre / Post Transmission Handling","description":"The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(3)","id_raw":"SC-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Cryptographic Protection For Message Externals","description":"The information system implements cryptographic mechanisms to protect message externals unless otherwise 
protected by [Assignment: organization-defined alternative physical safeguards]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-8(4)","id_raw":"SC-8 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Conceal / Randomize Communications","description":"The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:sc-9","id_raw":"SC-9","tier_raw":"Control","tier":1,"seq":9,"title":"Transmission Confidentiality","description":null} {"source":"nist_800_53_v4","id":"nist_800_53_v4:si","id_raw":"SI","tier_raw":"Family","tier":0,"seq":18,"title":"System and Information Integrity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1","id_raw":"SI-1","tier_raw":"Control","tier":1,"seq":null,"title":"System and Information Integrity Policy and Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10","id_raw":"SI-10","tier_raw":"Control","tier":1,"seq":null,"title":"Information Input Validation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(1)","id_raw":"SI-10 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Manual Override Capability","description":"The information system: Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and Audits the use of the manual override capability."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(2)","id_raw":"SI-10 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review / Resolution Of Errors","description":"The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(3)","id_raw":"SI-10 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Predictable Behavior","description":"The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(4)","id_raw":"SI-10 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Review / Timing Interactions","description":"The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(5)","id_raw":"SI-10 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Restrict Inputs To Trusted Sources And Approved Formats","description":"The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11","id_raw":"SI-11","tier_raw":"Control","tier":1,"seq":null,"title":"Error Handling","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11a.","id_raw":"SI-11a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11b.","id_raw":"SI-11b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-12","id_raw":"SI-12","tier_raw":"Control","tier":1,"seq":null,"title":"Information Handling and Retention","description":null} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13","id_raw":"SI-13","tier_raw":"Control","tier":1,"seq":null,"title":"Predictable Failure Prevention","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(1)","id_raw":"SI-13 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Transferring Component Responsibilities","description":"The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(3)","id_raw":"SI-13 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Manual Transfer Between Components","description":"The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(4)","id_raw":"SI-13 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Standby Component Installation / Notification","description":"The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(5)","id_raw":"SI-13 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Failover Capability","description":"The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13a.","id_raw":"SI-13a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13b.","id_raw":"SI-13b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-14","id_raw":"SI-14","tier_raw":"Control","tier":1,"seq":null,"title":"Non-Persistence","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-14(1)","id_raw":"SI-14 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Refresh From Trusted Sources","description":"The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-15","id_raw":"SI-15","tier_raw":"Control","tier":1,"seq":null,"title":"Information Output Filtering","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-16","id_raw":"SI-16","tier_raw":"Control","tier":1,"seq":null,"title":"Memory Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-17","id_raw":"SI-17","tier_raw":"Control","tier":1,"seq":null,"title":"Fail-Safe Procedures","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1a.","id_raw":"SI-1a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses 
purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1b.","id_raw":"SI-1b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and System and information integrity procedures [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2","id_raw":"SI-2","tier_raw":"Control","tier":1,"seq":null,"title":"Flaw Remediation","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(1)","id_raw":"SI-2 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Central Management","description":"The organization centrally manages the flaw remediation process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(2)","id_raw":"SI-2 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Flaw Remediation Status","description":"The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(3)","id_raw":"SI-2 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Time To Remediate Flaws / Benchmarks For Corrective Actions","description":"The organization: Measures the time between flaw identification and flaw remediation; and Establishes [Assignment: organization-defined benchmarks] for taking corrective actions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(5)","id_raw":"SI-2 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Software / Firmware Updates","description":"The 
organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(6)","id_raw":"SI-2 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Removal Of Previous Versions Of Software / Firmware","description":"The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2a.","id_raw":"SI-2a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies, reports, and corrects information system flaws;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2b.","id_raw":"SI-2b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2c.","id_raw":"SI-2c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2d.","id_raw":"SI-2d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Incorporates flaw remediation into the organizational configuration management process."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3","id_raw":"SI-3","tier_raw":"Control","tier":1,"seq":null,"title":"Malicious Code Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(1)","id_raw":"SI-3 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Central Management","description":"The organization centrally manages malicious 
code protection mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(10)","id_raw":"SI-3 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Malicious Code Analysis","description":"The organization: Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(2)","id_raw":"SI-3 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Updates","description":"The information system automatically updates malicious code protection mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(4)","id_raw":"SI-3 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Updates Only By Privileged Users","description":"The information system updates malicious code protection mechanisms only when directed by a privileged user."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(6)","id_raw":"SI-3 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Testing / Verification","description":"The organization: Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and Verifies that both detection of the test case and associated incident reporting occur."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(7)","id_raw":"SI-3 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Nonsignature-Based Detection","description":"The information system implements nonsignature-based malicious code detection mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(8)","id_raw":"SI-3 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Detect Unauthorized Commands","description":"The information system detects [Assignment: organization-defined unauthorized 
operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(9)","id_raw":"SI-3 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Authenticate Remote Commands","description":"The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3a.","id_raw":"SI-3a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3b.","id_raw":"SI-3b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3c.","id_raw":"SI-3c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and"} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3d.","id_raw":"SI-3d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4","id_raw":"SI-4","tier_raw":"Control","tier":1,"seq":null,"title":"Information System Monitoring","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(1)","id_raw":"SI-4 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"System-Wide Intrusion Detection System","description":"The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(10)","id_raw":"SI-4 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Visibility Of Encrypted Communications","description":"The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(11)","id_raw":"SI-4 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Analyze Communications Traffic Anomalies","description":"The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(12)","id_raw":"SI-4 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Alerts","description":"The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: 
organization-defined activities that trigger alerts]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(13)","id_raw":"SI-4 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Analyze Traffic / Event Patterns","description":"The organization: Analyzes communications traffic/event patterns for the information system; Develops profiles representing common traffic patterns and/or events; and Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(14)","id_raw":"SI-4 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Wireless Intrusion Detection","description":"The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(15)","id_raw":"SI-4 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Wireless To Wireline Communications","description":"The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(16)","id_raw":"SI-4 (16)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Correlate Monitoring Information","description":"The organization correlates information from monitoring tools employed throughout the information system."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(17)","id_raw":"SI-4 (17)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integrated Situational Awareness","description":"The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(18)","id_raw":"SI-4 
(18)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Analyze Traffic / Covert Exfiltration","description":"The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(19)","id_raw":"SI-4 (19)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Individuals Posing Greater Risk","description":"The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(2)","id_raw":"SI-4 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Tools For Real-Time Analysis","description":"The organization employs automated tools to support near real-time analysis of events."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(20)","id_raw":"SI-4 (20)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Privileged Users","description":"The organization implements [Assignment: organization-defined additional monitoring] of privileged users."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(21)","id_raw":"SI-4 (21)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Probationary Periods","description":"The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(22)","id_raw":"SI-4 (22)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Unauthorized Network Services","description":"The information system detects network services that have not been authorized or approved by [Assignment: organization-defined 
authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(23)","id_raw":"SI-4 (23)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Host-Based Devices","description":"The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(24)","id_raw":"SI-4 (24)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Indicators Of Compromise","description":"The information system discovers, collects, distributes, and uses indicators of compromise."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(3)","id_raw":"SI-4 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Tool Integration","description":"The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(4)","id_raw":"SI-4 (4)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Inbound And Outbound Communications Traffic","description":"The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(5)","id_raw":"SI-4 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"System-Generated Alerts","description":"The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(7)","id_raw":"SI-4 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Response To Suspicious Events","description":"The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(9)","id_raw":"SI-4 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Testing Of Monitoring Tools","description":"The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4a.","id_raw":"SI-4a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4b.","id_raw":"SI-4b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4c.","id_raw":"SI-4c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4d.","id_raw":"SI-4d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Protects information 
obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4e.","id_raw":"SI-4e.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4f.","id_raw":"SI-4f.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4g.","id_raw":"SI-4g.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5","id_raw":"SI-5","tier_raw":"Control","tier":1,"seq":null,"title":"Security Alerts, Advisories, and Directives","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5(1)","id_raw":"SI-5 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Alerts And Advisories","description":"The organization employs automated mechanisms to make security alert and advisory information available throughout the organization."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5a.","id_raw":"SI-5a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Receives information 
system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5b.","id_raw":"SI-5b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Generates internal security alerts, advisories, and directives as deemed necessary;"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5c.","id_raw":"SI-5c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5d.","id_raw":"SI-5d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6","id_raw":"SI-6","tier_raw":"Control","tier":1,"seq":null,"title":"Security Function Verification","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6(2)","id_raw":"SI-6 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automation Support For Distributed Testing","description":"The information system implements automated mechanisms to support the management of distributed security testing."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6(3)","id_raw":"SI-6 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Report Verification Results","description":"The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6a.","id_raw":"SI-6a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Verifies the correct operation of [Assignment: organization-defined security functions];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6b.","id_raw":"SI-6b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6c.","id_raw":"SI-6c.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6d.","id_raw":"SI-6d.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The information system: [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7","id_raw":"SI-7","tier_raw":"Control","tier":1,"seq":null,"title":"Software, Firmware, and Information Integrity","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(1)","id_raw":"SI-7 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integrity Checks","description":"The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(10)","id_raw":"SI-7 (10)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Protection Of Boot Firmware","description":"The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(11)","id_raw":"SI-7 (11)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Confined Environments With Limited Privileges","description":"The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(12)","id_raw":"SI-7 (12)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integrity Verification","description":"The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(13)","id_raw":"SI-7 (13)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Code Execution In Protected Environments","description":"The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(14)","id_raw":"SI-7 (14)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Binary Or Machine Executable Code","description":"The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements 
and with the approval of the authorizing official."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(15)","id_raw":"SI-7 (15)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Code Authentication","description":"The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(16)","id_raw":"SI-7 (16)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Time Limit On Process Execution W/O Supervision","description":"The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(2)","id_raw":"SI-7 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Notifications Of Integrity Violations","description":"The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(3)","id_raw":"SI-7 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Centrally-Managed Integrity Tools","description":"The organization employs centrally managed integrity verification tools."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(5)","id_raw":"SI-7 (5)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automated Response To Integrity Violations","description":"The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(6)","id_raw":"SI-7 (6)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Cryptographic Protection","description":"The information system 
implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(7)","id_raw":"SI-7 (7)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Integration Of Detection And Response","description":"The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(8)","id_raw":"SI-7 (8)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Auditing Capability For Significant Events","description":"The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(9)","id_raw":"SI-7 (9)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Verify Boot Process","description":"The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8","id_raw":"SI-8","tier_raw":"Control","tier":1,"seq":null,"title":"Spam Protection","description":null} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(1)","id_raw":"SI-8 (1)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Central Management","description":"The organization centrally manages spam protection mechanisms."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(2)","id_raw":"SI-8 (2)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Automatic Updates","description":"The information system automatically updates spam protection mechanisms."} 
-{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(3)","id_raw":"SI-8 (3)","tier_raw":"Enhancement","tier":2,"seq":null,"title":"Continuous Learning Capability","description":"The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8a.","id_raw":"SI-8a.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8b.","id_raw":"SI-8b.","tier_raw":"Statement","tier":2,"seq":null,"title":null,"description":"The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."} -{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-9","id_raw":"SI-9","tier_raw":"Control","tier":1,"seq":null,"title":"Information Input Restrictions","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1","id_raw":"SI-1","tier_raw":"Control","tier":1,"seq":1,"title":"System and Information Integrity Policy and Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10","id_raw":"SI-10","tier_raw":"Control","tier":1,"seq":10,"title":"Information Input Validation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(1)","id_raw":"SI-10 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Manual Override Capability","description":"The information system: Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and Audits the use of the manual override capability."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(2)","id_raw":"SI-10 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Review / Resolution Of Errors","description":"The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(3)","id_raw":"SI-10 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Predictable Behavior","description":"The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(4)","id_raw":"SI-10 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Review / Timing Interactions","description":"The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-10(5)","id_raw":"SI-10 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Restrict Inputs To Trusted Sources And Approved Formats","description":"The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11","id_raw":"SI-11","tier_raw":"Control","tier":1,"seq":11,"title":"Error Handling","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11a.","id_raw":"SI-11a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-11b.","id_raw":"SI-11b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Reveals error 
messages only to [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-12","id_raw":"SI-12","tier_raw":"Control","tier":1,"seq":12,"title":"Information Handling and Retention","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13","id_raw":"SI-13","tier_raw":"Control","tier":1,"seq":13,"title":"Predictable Failure Prevention","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(1)","id_raw":"SI-13 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Transferring Component Responsibilities","description":"The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(3)","id_raw":"SI-13 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Manual Transfer Between Components","description":"The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(4)","id_raw":"SI-13 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Standby Component Installation / Notification","description":"The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13(5)","id_raw":"SI-13 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Failover Capability","description":"The organization provides 
[Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13a.","id_raw":"SI-13a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-13b.","id_raw":"SI-13b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-14","id_raw":"SI-14","tier_raw":"Control","tier":1,"seq":14,"title":"Non-Persistence","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-14(1)","id_raw":"SI-14 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Refresh From Trusted Sources","description":"The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-15","id_raw":"SI-15","tier_raw":"Control","tier":1,"seq":15,"title":"Information Output Filtering","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-16","id_raw":"SI-16","tier_raw":"Control","tier":1,"seq":16,"title":"Memory Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-17","id_raw":"SI-17","tier_raw":"Control","tier":1,"seq":17,"title":"Fail-Safe Procedures","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1a.","id_raw":"SI-1a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Develops, documents, and disseminates to 
[Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-1b.","id_raw":"SI-1b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and System and information integrity procedures [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2","id_raw":"SI-2","tier_raw":"Control","tier":1,"seq":2,"title":"Flaw Remediation","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(1)","id_raw":"SI-2 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Central Management","description":"The organization centrally manages the flaw remediation process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(2)","id_raw":"SI-2 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Flaw Remediation Status","description":"The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(3)","id_raw":"SI-2 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Time To Remediate Flaws / Benchmarks For Corrective Actions","description":"The organization: Measures the time between flaw identification and flaw remediation; and Establishes [Assignment: organization-defined benchmarks] for taking corrective actions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(5)","id_raw":"SI-2 
(5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Automatic Software / Firmware Updates","description":"The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2(6)","id_raw":"SI-2 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Removal Of Previous Versions Of Software / Firmware","description":"The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2a.","id_raw":"SI-2a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Identifies, reports, and corrects information system flaws;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2b.","id_raw":"SI-2b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2c.","id_raw":"SI-2c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-2d.","id_raw":"SI-2d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Incorporates flaw remediation into the organizational configuration management process."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3","id_raw":"SI-3","tier_raw":"Control","tier":1,"seq":3,"title":"Malicious Code Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(1)","id_raw":"SI-3 
(1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Central Management","description":"The organization centrally manages malicious code protection mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(10)","id_raw":"SI-3 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Malicious Code Analysis","description":"The organization: Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(2)","id_raw":"SI-3 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automatic Updates","description":"The information system automatically updates malicious code protection mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(4)","id_raw":"SI-3 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Updates Only By Privileged Users","description":"The information system updates malicious code protection mechanisms only when directed by a privileged user."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(6)","id_raw":"SI-3 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Testing / Verification","description":"The organization: Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and Verifies that both detection of the test case and associated incident reporting occur."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(7)","id_raw":"SI-3 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Nonsignature-Based Detection","description":"The information system implements nonsignature-based malicious code detection mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(8)","id_raw":"SI-3 
(8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Detect Unauthorized Commands","description":"The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3(9)","id_raw":"SI-3 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Authenticate Remote Commands","description":"The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3a.","id_raw":"SI-3a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3b.","id_raw":"SI-3b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3c.","id_raw":"SI-3c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine 
malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-3d.","id_raw":"SI-3d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4","id_raw":"SI-4","tier_raw":"Control","tier":1,"seq":4,"title":"Information System Monitoring","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(1)","id_raw":"SI-4 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"System-Wide Intrusion Detection System","description":"The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(10)","id_raw":"SI-4 (10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Visibility Of Encrypted Communications","description":"The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(11)","id_raw":"SI-4 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Analyze Communications Traffic Anomalies","description":"The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(12)","id_raw":"SI-4 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Automated Alerts","description":"The organization employs automated mechanisms to 
alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(13)","id_raw":"SI-4 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Analyze Traffic / Event Patterns","description":"The organization: Analyzes communications traffic/event patterns for the information system; Develops profiles representing common traffic patterns and/or events; and Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(14)","id_raw":"SI-4 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Wireless Intrusion Detection","description":"The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(15)","id_raw":"SI-4 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Wireless To Wireline Communications","description":"The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(16)","id_raw":"SI-4 (16)","tier_raw":"Enhancement","tier":2,"seq":16,"title":"Correlate Monitoring Information","description":"The organization correlates information from monitoring tools employed throughout the information system."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(17)","id_raw":"SI-4 (17)","tier_raw":"Enhancement","tier":2,"seq":17,"title":"Integrated Situational Awareness","description":"The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide 
situational awareness."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(18)","id_raw":"SI-4 (18)","tier_raw":"Enhancement","tier":2,"seq":18,"title":"Analyze Traffic / Covert Exfiltration","description":"The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(19)","id_raw":"SI-4 (19)","tier_raw":"Enhancement","tier":2,"seq":19,"title":"Individuals Posing Greater Risk","description":"The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(2)","id_raw":"SI-4 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Tools For Real-Time Analysis","description":"The organization employs automated tools to support near real-time analysis of events."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(20)","id_raw":"SI-4 (20)","tier_raw":"Enhancement","tier":2,"seq":20,"title":"Privileged Users","description":"The organization implements [Assignment: organization-defined additional monitoring] of privileged users."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(21)","id_raw":"SI-4 (21)","tier_raw":"Enhancement","tier":2,"seq":21,"title":"Probationary Periods","description":"The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(22)","id_raw":"SI-4 (22)","tier_raw":"Enhancement","tier":2,"seq":22,"title":"Unauthorized Network Services","description":"The information system detects network services 
that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(23)","id_raw":"SI-4 (23)","tier_raw":"Enhancement","tier":2,"seq":23,"title":"Host-Based Devices","description":"The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(24)","id_raw":"SI-4 (24)","tier_raw":"Enhancement","tier":2,"seq":24,"title":"Indicators Of Compromise","description":"The information system discovers, collects, distributes, and uses indicators of compromise."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(3)","id_raw":"SI-4 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Automated Tool Integration","description":"The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(4)","id_raw":"SI-4 (4)","tier_raw":"Enhancement","tier":2,"seq":4,"title":"Inbound And Outbound Communications Traffic","description":"The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(5)","id_raw":"SI-4 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"System-Generated Alerts","description":"The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise 
indicators]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(7)","id_raw":"SI-4 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Automated Response To Suspicious Events","description":"The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4(9)","id_raw":"SI-4 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Testing Of Monitoring Tools","description":"The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4a.","id_raw":"SI-4a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4b.","id_raw":"SI-4b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4c.","id_raw":"SI-4c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4d.","id_raw":"SI-4d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Protects information 
obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4e.","id_raw":"SI-4e.","tier_raw":"Statement","tier":2,"seq":5,"title":null,"description":"The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4f.","id_raw":"SI-4f.","tier_raw":"Statement","tier":2,"seq":6,"title":null,"description":"The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-4g.","id_raw":"SI-4g.","tier_raw":"Statement","tier":2,"seq":7,"title":null,"description":"The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5","id_raw":"SI-5","tier_raw":"Control","tier":1,"seq":5,"title":"Security Alerts, Advisories, and Directives","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5(1)","id_raw":"SI-5 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Automated Alerts And Advisories","description":"The organization employs automated mechanisms to make security alert and advisory information available throughout the organization."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5a.","id_raw":"SI-5a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Receives information system security 
alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5b.","id_raw":"SI-5b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Generates internal security alerts, advisories, and directives as deemed necessary;"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5c.","id_raw":"SI-5c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-5d.","id_raw":"SI-5d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6","id_raw":"SI-6","tier_raw":"Control","tier":1,"seq":6,"title":"Security Function Verification","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6(2)","id_raw":"SI-6 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automation Support For Distributed Testing","description":"The information system implements automated mechanisms to support the management of distributed security testing."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6(3)","id_raw":"SI-6 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Report Verification Results","description":"The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6a.","id_raw":"SI-6a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The information system: Verifies the correct operation of [Assignment: organization-defined security functions];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6b.","id_raw":"SI-6b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The information system: Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6c.","id_raw":"SI-6c.","tier_raw":"Statement","tier":2,"seq":3,"title":null,"description":"The information system: Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-6d.","id_raw":"SI-6d.","tier_raw":"Statement","tier":2,"seq":4,"title":null,"description":"The information system: [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7","id_raw":"SI-7","tier_raw":"Control","tier":1,"seq":7,"title":"Software, Firmware, and Information Integrity","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(1)","id_raw":"SI-7 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Integrity Checks","description":"The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(10)","id_raw":"SI-7 
(10)","tier_raw":"Enhancement","tier":2,"seq":10,"title":"Protection Of Boot Firmware","description":"The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(11)","id_raw":"SI-7 (11)","tier_raw":"Enhancement","tier":2,"seq":11,"title":"Confined Environments With Limited Privileges","description":"The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(12)","id_raw":"SI-7 (12)","tier_raw":"Enhancement","tier":2,"seq":12,"title":"Integrity Verification","description":"The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(13)","id_raw":"SI-7 (13)","tier_raw":"Enhancement","tier":2,"seq":13,"title":"Code Execution In Protected Environments","description":"The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(14)","id_raw":"SI-7 (14)","tier_raw":"Enhancement","tier":2,"seq":14,"title":"Binary Or Machine Executable Code","description":"The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official."} 
+{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(15)","id_raw":"SI-7 (15)","tier_raw":"Enhancement","tier":2,"seq":15,"title":"Code Authentication","description":"The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(16)","id_raw":"SI-7 (16)","tier_raw":"Enhancement","tier":2,"seq":16,"title":"Time Limit On Process Execution W/O Supervision","description":"The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(2)","id_raw":"SI-7 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automated Notifications Of Integrity Violations","description":"The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(3)","id_raw":"SI-7 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Centrally-Managed Integrity Tools","description":"The organization employs centrally managed integrity verification tools."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(5)","id_raw":"SI-7 (5)","tier_raw":"Enhancement","tier":2,"seq":5,"title":"Automated Response To Integrity Violations","description":"The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(6)","id_raw":"SI-7 (6)","tier_raw":"Enhancement","tier":2,"seq":6,"title":"Cryptographic Protection","description":"The information system implements cryptographic mechanisms to detect unauthorized changes to 
software, firmware, and information."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(7)","id_raw":"SI-7 (7)","tier_raw":"Enhancement","tier":2,"seq":7,"title":"Integration Of Detection And Response","description":"The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(8)","id_raw":"SI-7 (8)","tier_raw":"Enhancement","tier":2,"seq":8,"title":"Auditing Capability For Significant Events","description":"The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-7(9)","id_raw":"SI-7 (9)","tier_raw":"Enhancement","tier":2,"seq":9,"title":"Verify Boot Process","description":"The information system verifies the integrity of the boot process of [Assignment: organization-defined devices]."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8","id_raw":"SI-8","tier_raw":"Control","tier":1,"seq":8,"title":"Spam Protection","description":null} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(1)","id_raw":"SI-8 (1)","tier_raw":"Enhancement","tier":2,"seq":1,"title":"Central Management","description":"The organization centrally manages spam protection mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(2)","id_raw":"SI-8 (2)","tier_raw":"Enhancement","tier":2,"seq":2,"title":"Automatic Updates","description":"The information system automatically updates spam protection mechanisms."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8(3)","id_raw":"SI-8 (3)","tier_raw":"Enhancement","tier":2,"seq":3,"title":"Continuous 
Learning Capability","description":"The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8a.","id_raw":"SI-8a.","tier_raw":"Statement","tier":2,"seq":1,"title":null,"description":"The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-8b.","id_raw":"SI-8b.","tier_raw":"Statement","tier":2,"seq":2,"title":null,"description":"The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."} +{"source":"nist_800_53_v4","id":"nist_800_53_v4:si-9","id_raw":"SI-9","tier_raw":"Control","tier":1,"seq":9,"title":"Information Input Restrictions","description":null} {"source":"nist_csf_v1.1","id":"nist_csf_v1.1:de","id_raw":"DE","tier_raw":"Function","tier":0,"seq":3,"title":"Detect","description":"Develop and implement appropriate activities to identify the occurrence of a cybersecurity event."} {"source":"nist_csf_v1.1","id":"nist_csf_v1.1:de.ae","id_raw":"DE.AE","tier_raw":"Category","tier":1,"seq":13,"title":"Anomalies and Events ","description":"Anomalous activity is detected and the potential impact of events is understood."} {"source":"nist_csf_v1.1","id":"nist_csf_v1.1:de.ae-1","id_raw":"DE.AE-1","tier_raw":"Subcategory","tier":2,"seq":69,"title":null,"description":"A baseline of network operations and expected data flows for users and systems is established and managed"} 
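Review bot: The `nist_800_53_v4:si-9` record ("Information Input Restrictions") is added as a tier-1 control with `"description":null` but, unlike SI-2 through SI-8 in this hunk, it is followed by no `a.`/`b.` statement records and no enhancements before the file moves on to the unchanged `nist_csf_v1.1` context lines. The hunk already skips enhancement numbers that do not exist in rev 4 (SI-3 goes from (2) to (4), SI-4 has no (6) or (8), SI-6 has no (1), SI-7 has no (4)), which matches the withdrawn enhancements; SI-9 is likewise withdrawn in SP 800-53 rev 4 (incorporated into AC-2, AC-3, AC-5 and AC-6), so either drop the record or mark it so that a consumer mapping to it knows there is no control text behind it. Minor: records are emitted in lexical id order (`si-3(1)`, `si-3(10)`, `si-3(2)`), which is fine as long as consumers sort by `seq`, but that convention belongs in the README's control-format section.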
@@ -1758,289 +1758,2930 @@ {"source":"asvs_v4.0.1","id":"asvs_v4.0.1:v12","id_raw":"V12","tier_raw":"Section","tier":0,"seq":12,"title":"Files","description":"File and Resources Verification Requirements"} {"source":"asvs_v4.0.1","id":"asvs_v4.0.1:v13","id_raw":"V13","tier_raw":"Section","tier":0,"seq":13,"title":"API","description":"API and Web Service Verification Requirements"} {"source":"asvs_v4.0.1","id":"asvs_v4.0.1:v14","id_raw":"V14","tier_raw":"Section","tier":0,"seq":14,"title":"Config","description":"Configuration Verification Requirements"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.1","id_raw":"1.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.2","id_raw":"1.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.3","id_raw":"1.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all user stories and features contain functional security constraints, such as \"As a user, I should be able to view and edit my profile. 
I should not be able to view or edit anyone else's profile\""} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.4","id_raw":"1.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify documentation and justification of all the application's trust boundaries, components, and significant data flows."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.5","id_raw":"1.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.6","id_raw":"1.1.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.7","id_raw":"1.1.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.10.1","id_raw":"1.10.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. 
The source code control system should have access control and identifiable users to allow traceability of any changes."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.1","id_raw":"1.11.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the definition and documentation of all application components in terms of the business or security functions they provide."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.2","id_raw":"1.11.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.3","id_raw":"1.11.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.12.1","id_raw":"1.12.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user-uploaded files are stored outside of the web root."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.12.2","id_raw":"1.12.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. 
Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.1","id_raw":"1.14.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.2","id_raw":"1.14.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.3","id_raw":"1.14.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.4","id_raw":"1.14.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.5","id_raw":"1.14.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.6","id_raw":"1.14.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.1","id_raw":"1.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.2","id_raw":"1.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. 
([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.3","id_raw":"1.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.4","id_raw":"1.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.1","id_raw":"1.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.2","id_raw":"1.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the chosen access control solution is flexible enough to meet the application's needs."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.3","id_raw":"1.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.4","id_raw":"1.4.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. 
All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.5","id_raw":"1.4.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.1","id_raw":"1.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.2","id_raw":"1.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.3","id_raw":"1.5.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that input validation is enforced on a trusted service layer. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.4","id_raw":"1.5.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that output encoding occurs close to or by the interpreter for which it is intended. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.1","id_raw":"1.6.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.2","id_raw":"1.6.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.3","id_raw":"1.6.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.4","id_raw":"1.6.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.7.1","id_raw":"1.7.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a common logging format and approach is used across the system. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.7.2","id_raw":"1.7.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.8.1","id_raw":"1.8.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all sensitive data is identified and classified into protection levels."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.8.2","id_raw":"1.8.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.9.1","id_raw":"1.9.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.9.2","id_raw":"1.9.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.1","id_raw":"2.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user set passwords are at least 12 characters in length. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.10","id_raw":"2.1.10","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that there are no periodic credential rotation or password history requirements."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.11","id_raw":"2.1.11","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.12","id_raw":"2.1.12","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.2","id_raw":"2.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that passwords 64 characters or longer are permitted. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.3","id_raw":"2.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.4","id_raw":"2.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that Unicode characters are permitted in passwords. 
A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.5","id_raw":"2.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify users can change their password."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.6","id_raw":"2.1.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that password change functionality requires the user's current and new password."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.7","id_raw":"2.1.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.8","id_raw":"2.1.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a password strength meter is provided to help users set a stronger password."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.9","id_raw":"2.1.9","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.1","id_raw":"2.10.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.2","id_raw":"2.10.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if passwords are required, the credentials are not a default account."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.3","id_raw":"2.10.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.4","id_raw":"2.10.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.1","id_raw":"2.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. 
Verify that no more than 100 failed attempts per hour is possible on a single account."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.2","id_raw":"2.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.3","id_raw":"2.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.4","id_raw":"2.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.5","id_raw":"2.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.6","id_raw":"2.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify replay resistance through the mandated use of 
OTP devices, cryptographic authenticators, or lookup codes."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.7","id_raw":"2.2.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.1","id_raw":"2.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.2","id_raw":"2.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or FIDO tokens."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.3","id_raw":"2.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that renewal instructions are sent with sufficient time to renew time bound authenticators."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.1","id_raw":"2.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.2","id_raw":"2.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.3","id_raw":"2.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.4","id_raw":"2.4.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.5","id_raw":"2.4.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. 
The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.1","id_raw":"2.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.2","id_raw":"2.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify password hints or knowledge-based authentication (so-called \"secret questions\") are not present."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.3","id_raw":"2.5.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify password credential recovery does not reveal the current password in any way. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.4","id_raw":"2.5.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify shared or default accounts are not present (e.g. \"root\", \"admin\", or \"sa\")."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.5","id_raw":"2.5.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if an authentication factor is changed or replaced, that the user is notified of this event."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.6","id_raw":"2.5.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.7","id_raw":"2.5.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.1","id_raw":"2.6.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that lookup secrets can be used only once."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.2","id_raw":"2.6.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.3","id_raw":"2.6.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that lookup secrets are resistant to offline attacks, such as predictable values."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.1","id_raw":"2.7.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that clear text out of band (NIST \"restricted\") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.2","id_raw":"2.7.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.3","id_raw":"2.7.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request."} 
-{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.4","id_raw":"2.7.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the out of band authenticator and verifier communicates over a secure independent channel."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.5","id_raw":"2.7.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the out of band verifier retains only a hashed version of the authentication code."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.6","id_raw":"2.7.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.1","id_raw":"2.8.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that time-based OTPs have a defined lifetime before expiring."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.2","id_raw":"2.8.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.3","id_raw":"2.8.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.4","id_raw":"2.8.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that time-based OTP can be used only once within the validity period."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.5","id_raw":"2.8.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected 
with secure notifications being sent to the holder of the device."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.6","id_raw":"2.8.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.7","id_raw":"2.8.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.1","id_raw":"2.9.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.2","id_raw":"2.9.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.3","id_raw":"2.9.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.1.1","id_raw":"3.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application never reveals session tokens in URL parameters or error messages."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.1","id_raw":"3.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application generates a new session token on user authentication. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.2","id_raw":"3.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that session tokens possess at least 64 bits of entropy. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.3","id_raw":"3.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.4","id_raw":"3.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that session token are generated using approved cryptographic algorithms. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.1","id_raw":"3.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.2","id_raw":"3.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.3","id_raw":"3.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.4","id_raw":"3.3.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that users are able to view and log out of any or all currently active sessions and devices."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.1","id_raw":"3.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that cookie-based session tokens have the 'Secure' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.2","id_raw":"3.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that cookie-based session tokens have the 'HttpOnly' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.3","id_raw":"3.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.4","id_raw":"3.4.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that cookie-based session tokens use \"__Host-\" prefix (see references) to provide session cookie confidentiality."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.5","id_raw":"3.4.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.1","id_raw":"3.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.2","id_raw":"3.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.3","id_raw":"3.5.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.6.1","id_raw":"3.6.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if 
they haven't used a session within that period."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.6.2","id_raw":"3.6.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.7.1","id_raw":"3.7.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.1","id_raw":"4.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.2","id_raw":"4.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.3","id_raw":"4.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. 
([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.4","id_raw":"4.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.5","id_raw":"4.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that access controls fail securely including when an exception occurs. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.2.1","id_raw":"4.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.2.2","id_raw":"4.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.1","id_raw":"4.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.2","id_raw":"4.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that directory browsing is disabled unless deliberately desired. 
Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.3","id_raw":"4.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.1","id_raw":"5.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.2","id_raw":"5.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.3","id_raw":"5.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.4","id_raw":"5.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.5","id_raw":"5.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.1","id_raw":"5.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.2","id_raw":"5.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.3","id_raw":"5.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.4","id_raw":"5.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application avoids the use of eval() or other dynamic code execution features. 
Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.5","id_raw":"5.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.6","id_raw":"5.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.7","id_raw":"5.2.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.8","id_raw":"5.2.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.1","id_raw":"5.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.10","id_raw":"5.3.10","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.2","id_raw":"5.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.3","id_raw":"5.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.4","id_raw":"5.3.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.5","id_raw":"5.3.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. 
([C3, C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.6","id_raw":"5.3.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application projects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.7","id_raw":"5.3.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.8","id_raw":"5.3.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.9","id_raw":"5.3.9","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.1","id_raw":"5.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.2","id_raw":"5.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that format strings do not take potentially hostile input, and are constant."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.3","id_raw":"5.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sign, range, and input validation techniques are used to prevent integer overflows."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.1","id_raw":"5.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.2","id_raw":"5.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.3","id_raw":"5.5.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.4","id_raw":"5.5.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.1","id_raw":"6.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.2","id_raw":"6.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.3","id_raw":"6.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records."} 
-{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.1","id_raw":"6.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.2","id_raw":"6.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.3","id_raw":"6.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.4","id_raw":"6.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.5","id_raw":"6.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.6","id_raw":"6.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. 
The method of generation must be appropriate for the algorithm being used."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.7","id_raw":"6.2.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.8","id_raw":"6.2.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.1","id_raw":"6.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.2","id_raw":"6.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). 
GUIDs created using other pseudo-random number generators may be predictable."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.3","id_raw":"6.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.4.1","id_raw":"6.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.4.2","id_raw":"6.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.1","id_raw":"7.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.2","id_raw":"7.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.3","id_raw":"7.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. ([C5, C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.4","id_raw":"7.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.2.1","id_raw":"7.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.2.2","id_raw":"7.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.1","id_raw":"7.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application appropriately encodes user-supplied data to prevent log injection. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.2","id_raw":"7.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all events are protected from injection when viewed in log viewing software. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.3","id_raw":"7.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that security logs are protected from unauthorized access and modification. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.4","id_raw":"7.3.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.1","id_raw":"7.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.2","id_raw":"7.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. 
([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.3","id_raw":"7.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a \"last resort\" error handler is defined which will catch all unhandled exceptions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.1","id_raw":"8.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application protects sensitive data from being cached in server components such as load balancers and application caches."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.2","id_raw":"8.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.3","id_raw":"8.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.4","id_raw":"8.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.5","id_raw":"8.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that regular backups of important data are performed and that test restoration of data is performed."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.6","id_raw":"8.1.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that backups are stored securely 
to prevent data from being stolen or corrupted."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.1","id_raw":"8.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.2","id_raw":"8.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.3","id_raw":"8.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.1","id_raw":"8.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.2","id_raw":"8.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that users have a method to remove or export their data on demand."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.3","id_raw":"8.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.4","id_raw":"8.3.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place 
on how to deal with sensitive data. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.5","id_raw":"8.3.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.6","id_raw":"8.3.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.7","id_raw":"8.3.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.8","id_raw":"8.3.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.1","id_raw":"9.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. 
([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.2","id_raw":"9.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.3","id_raw":"9.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.1","id_raw":"9.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.2","id_raw":"9.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. 
The server must not fall back to insecure or unencrypted protocols."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.3","id_raw":"9.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.4","id_raw":"9.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.5","id_raw":"9.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that backend TLS connection failures are logged."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.1.1","id_raw":"10.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.1","id_raw":"10.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. 
Where such functionality exists, obtain the user's permission for it to operate before collecting any data."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.2","id_raw":"10.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.3","id_raw":"10.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.4","id_raw":"10.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application source code and third party libraries does not contain time bombs by searching for date and time related functions."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.5","id_raw":"10.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application source code and third party libraries does not contain malicious code, such as salami attacks, logic bypasses, or logic bombs."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.6","id_raw":"10.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.1","id_raw":"10.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if the application has a client or server auto-update feature, updates 
should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.2","id_raw":"10.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.3","id_raw":"10.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.1","id_raw":"11.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.2","id_raw":"11.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. 
transactions are not submitted too quickly."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.3","id_raw":"11.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.4","id_raw":"11.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.5","id_raw":"11.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.6","id_raw":"11.1.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application does not suffer from \"time of check to time of use\" (TOCTOU) issues or other race conditions for sensitive operations."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.7","id_raw":"11.1.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.8","id_raw":"11.1.8","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify the application has configurable alerting when automated attacks or unusual activity is detected."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.1","id_raw":"12.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application will not accept large files that could fill up storage or cause a denial of service attack."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.2","id_raw":"12.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that compressed files are checked for \"zip bombs\" - small input files that will decompress into huge files thus exhausting file storage limits."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.3","id_raw":"12.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.2.1","id_raw":"12.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.1","id_raw":"12.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.2","id_raw":"12.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of 
local files (LFI)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.3","id_raw":"12.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.4","id_raw":"12.3.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.5","id_raw":"12.3.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.6","id_raw":"12.3.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.4.1","id_raw":"12.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.4.2","id_raw":"12.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content."} 
-{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.5.1","id_raw":"12.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.5.2","id_raw":"12.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.6.1","id_raw":"12.6.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.1","id_raw":"13.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.2","id_raw":"13.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that access to administration and management functions is limited to authorized administrators."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.3","id_raw":"13.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify API URLs do not expose sensitive information, such as the API key, session tokens etc."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.4","id_raw":"13.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that authorization decisions are made at 
both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.5","id_raw":"13.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.1","id_raw":"13.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.2","id_raw":"13.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that JSON schema validation is in place and verified before accepting input."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.3","id_raw":"13.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.4","id_raw":"13.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.5","id_raw":"13.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as 
application/xml or application/JSON."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.6","id_raw":"13.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.3.1","id_raw":"13.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.3.2","id_raw":"13.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.4.1","id_raw":"13.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. 
For more advanced scenarios, query cost analysis should be used."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.4.2","id_raw":"13.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.1","id_raw":"14.1.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.2","id_raw":"14.1.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.3","id_raw":"14.1.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.4","id_raw":"14.1.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.5","id_raw":"14.1.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering."} 
-{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.1","id_raw":"14.2.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.2","id_raw":"14.2.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.3","id_raw":"14.2.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.4","id_raw":"14.2.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.5","id_raw":"14.2.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.6","id_raw":"14.2.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. 
([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.1","id_raw":"14.3.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.2","id_raw":"14.3.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.3","id_raw":"14.3.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.1","id_raw":"14.4.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.2","id_raw":"14.4.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all API responses contain Content-Disposition: attachment; filename=\"api.json\" (or other appropriate filename for the content type)."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.3","id_raw":"14.4.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.4","id_raw":"14.4.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that all 
responses contain X-Content-Type-Options: nosniff."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.5","id_raw":"14.4.5","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.6","id_raw":"14.4.6","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a suitable \"Referrer-Policy\" header is included, such as \"no-referrer\" or \"same-origin\"."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.7","id_raw":"14.4.7","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.1","id_raw":"14.5.1","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.2","id_raw":"14.5.2","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.3","id_raw":"14.5.3","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the \"null\" origin."} -{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.4","id_raw":"14.5.4","tier_raw":"Item","tier":1,"seq":null,"title":null,"description":"Verify that HTTP headers added by a trusted proxy or SSO 
devices, such as a bearer token, are authenticated by the application."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.1","id_raw":"1.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.2","id_raw":"1.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.3","id_raw":"1.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that all user stories and features contain functional security constraints, such as \"As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile\""} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.4","id_raw":"1.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify documentation and justification of all the application's trust boundaries, components, and significant data flows."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.5","id_raw":"1.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.6","id_raw":"1.1.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. 
([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.1.7","id_raw":"1.1.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.10.1","id_raw":"1.10.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.1","id_raw":"1.11.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the definition and documentation of all application components in terms of the business or security functions they provide."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.2","id_raw":"1.11.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.11.3","id_raw":"1.11.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.12.1","id_raw":"1.12.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that user-uploaded files are stored outside of the web root."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.12.2","id_raw":"1.12.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that user-uploaded files - if required to be 
displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.1","id_raw":"1.14.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.2","id_raw":"1.14.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.3","id_raw":"1.14.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.4","id_raw":"1.14.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.5","id_raw":"1.14.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.14.6","id_raw":"1.14.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.1","id_raw":"1.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.2","id_raw":"1.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. 
([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.3","id_raw":"1.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.2.4","id_raw":"1.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.1","id_raw":"1.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.2","id_raw":"1.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the chosen access control solution is flexible enough to meet the application's needs."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.3","id_raw":"1.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.4","id_raw":"1.4.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. 
All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.4.5","id_raw":"1.4.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.1","id_raw":"1.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.2","id_raw":"1.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.3","id_raw":"1.5.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that input validation is enforced on a trusted service layer. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.5.4","id_raw":"1.5.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that output encoding occurs close to or by the interpreter for which it is intended. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.1","id_raw":"1.6.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.2","id_raw":"1.6.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.3","id_raw":"1.6.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.6.4","id_raw":"1.6.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that symmetric keys, passwords, or API secrets generated by or shared with clients are used only in protecting low risk secrets, such as encrypting local storage, or temporary ephemeral uses such as parameter obfuscation. Sharing secrets with clients is clear-text equivalent and architecturally should be treated as such."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.7.1","id_raw":"1.7.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a common logging format and approach is used across the system. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.7.2","id_raw":"1.7.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.8.1","id_raw":"1.8.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all sensitive data is identified and classified into protection levels."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.8.2","id_raw":"1.8.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.9.1","id_raw":"1.9.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:1.9.2","id_raw":"1.9.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.1","id_raw":"2.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that user set passwords are at least 12 characters in length. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.10","id_raw":"2.1.10","tier_raw":"Item","tier":1,"seq":10,"title":null,"description":"Verify that there are no periodic credential rotation or password history requirements."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.11","id_raw":"2.1.11","tier_raw":"Item","tier":1,"seq":11,"title":null,"description":"Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.12","id_raw":"2.1.12","tier_raw":"Item","tier":1,"seq":12,"title":null,"description":"Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.2","id_raw":"2.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that passwords 64 characters or longer are permitted. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.3","id_raw":"2.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.4","id_raw":"2.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that Unicode characters are permitted in passwords. 
A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.5","id_raw":"2.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify users can change their password."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.6","id_raw":"2.1.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that password change functionality requires the user's current and new password."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.7","id_raw":"2.1.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.8","id_raw":"2.1.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify that a password strength meter is provided to help users set a stronger password."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.1.9","id_raw":"2.1.9","tier_raw":"Item","tier":1,"seq":9,"title":null,"description":"Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.1","id_raw":"2.10.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that integration secrets do not rely on unchanging passwords, such as API keys or shared privileged accounts."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.2","id_raw":"2.10.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that if passwords are required, the credentials are not a default account."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.3","id_raw":"2.10.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.10.4","id_raw":"2.10.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware trusted platform module (TPM), or a hardware security module (L3) is recommended for password storage."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.1","id_raw":"2.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. 
Verify that no more than 100 failed attempts per hour is possible on a single account."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.2","id_raw":"2.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.3","id_raw":"2.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.4","id_raw":"2.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.5","id_raw":"2.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.6","id_raw":"2.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify replay resistance through the mandated use of OTP devices, 
cryptographic authenticators, or lookup codes."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.2.7","id_raw":"2.2.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.1","id_raw":"2.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.2","id_raw":"2.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that enrollment and use of subscriber-provided authentication devices are supported, such as a U2F or FIDO tokens."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.3.3","id_raw":"2.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that renewal instructions are sent with sufficient time to renew time bound authenticators."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.1","id_raw":"2.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.2","id_raw":"2.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.3","id_raw":"2.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.4","id_raw":"2.4.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.4.5","id_raw":"2.4.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. 
The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.1","id_raw":"2.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.2","id_raw":"2.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify password hints or knowledge-based authentication (so-called \"secret questions\") are not present."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.3","id_raw":"2.5.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify password credential recovery does not reveal the current password in any way. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.4","id_raw":"2.5.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify shared or default accounts are not present (e.g. \"root\", \"admin\", or \"sa\")."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.5","id_raw":"2.5.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that if an authentication factor is changed or replaced, that the user is notified of this event."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.6","id_raw":"2.5.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.5.7","id_raw":"2.5.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.1","id_raw":"2.6.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that lookup secrets can be used only once."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.2","id_raw":"2.6.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that lookup secrets have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.6.3","id_raw":"2.6.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that lookup secrets are resistant to offline attacks, such as predictable values."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.1","id_raw":"2.7.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that clear text out of band (NIST \"restricted\") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.2","id_raw":"2.7.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.3","id_raw":"2.7.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.4","id_raw":"2.7.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the out of band authenticator and verifier communicates over a secure independent channel."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.5","id_raw":"2.7.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that the out of band verifier retains only a hashed version of the authentication code."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.7.6","id_raw":"2.7.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.1","id_raw":"2.8.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that time-based OTPs have a defined lifetime before expiring."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.2","id_raw":"2.8.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.3","id_raw":"2.8.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.4","id_raw":"2.8.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that time-based OTP can be used only once within the validity period."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.5","id_raw":"2.8.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that if a time-based multi factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications 
being sent to the holder of the device."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.6","id_raw":"2.8.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify physical single factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.8.7","id_raw":"2.8.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.1","id_raw":"2.9.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a TPM or HSM, or an OS service that can use this secure storage."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.2","id_raw":"2.9.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:2.9.3","id_raw":"2.9.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that approved cryptographic algorithms are used in the generation, seeding, and verification."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.1.1","id_raw":"3.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application never reveals session tokens in URL parameters or error messages."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.1","id_raw":"3.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application generates a new session token on user authentication. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.2","id_raw":"3.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that session tokens possess at least 64 bits of entropy. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.3","id_raw":"3.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.2.4","id_raw":"3.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that session token are generated using approved cryptographic algorithms. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.1","id_raw":"3.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.2","id_raw":"3.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.3","id_raw":"3.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application terminates all other active sessions after a successful password change, and that this is effective across the application, federated login (if present), and any relying parties."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.3.4","id_raw":"3.3.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that users are able to view and log out of any or all currently active sessions and devices."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.1","id_raw":"3.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that cookie-based session tokens have the 'Secure' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.2","id_raw":"3.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that cookie-based session tokens have the 'HttpOnly' attribute set. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.3","id_raw":"3.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. 
([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.4","id_raw":"3.4.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that cookie-based session tokens use \"__Host-\" prefix (see references) to provide session cookie confidentiality."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.4.5","id_raw":"3.4.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. ([C6](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.1","id_raw":"3.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application does not treat OAuth and refresh tokens — on their own — as the presence of the subscriber and allows users to terminate trust relationships with linked applications."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.2","id_raw":"3.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.5.3","id_raw":"3.5.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.6.1","id_raw":"3.6.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven't used a 
session within that period."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.6.2","id_raw":"3.6.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:3.7.1","id_raw":"3.7.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.1","id_raw":"4.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.2","id_raw":"4.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.3","id_raw":"4.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. 
([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.4","id_raw":"4.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. ([C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.1.5","id_raw":"4.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that access controls fail securely including when an exception occurs. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.2.1","id_raw":"4.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.2.2","id_raw":"4.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.1","id_raw":"4.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.2","id_raw":"4.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that directory browsing is disabled unless deliberately desired. 
Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:4.3.3","id_raw":"4.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.1","id_raw":"5.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.2","id_raw":"5.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.3","id_raw":"5.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.4","id_raw":"5.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.1.5","id_raw":"5.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.1","id_raw":"5.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.2","id_raw":"5.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.3","id_raw":"5.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.4","id_raw":"5.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the application avoids the use of eval() or other dynamic code execution features. 
Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.5","id_raw":"5.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.6","id_raw":"5.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, use whitelisting of protocols, domains, paths and ports."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.7","id_raw":"5.2.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.2.8","id_raw":"5.2.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.1","id_raw":"5.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL Parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.10","id_raw":"5.3.10","tier_raw":"Item","tier":1,"seq":10,"title":null,"description":"Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.2","id_raw":"5.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.3","id_raw":"5.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.4","id_raw":"5.3.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.5","id_raw":"5.3.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. 
([C3, C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.6","id_raw":"5.3.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the application projects against JavaScript or JSON injection attacks, including for eval attacks, remote JavaScript includes, CSP bypasses, DOM XSS, and JavaScript expression evaluation. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.7","id_raw":"5.3.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. ([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.8","id_raw":"5.3.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. 
([C4](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.3.9","id_raw":"5.3.9","tier_raw":"Item","tier":1,"seq":9,"title":null,"description":"Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.1","id_raw":"5.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.2","id_raw":"5.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that format strings do not take potentially hostile input, and are constant."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.4.3","id_raw":"5.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that sign, range, and input validation techniques are used to prevent integer overflows."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.1","id_raw":"5.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. 
([C5](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.2","id_raw":"5.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.3","id_raw":"5.5.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:5.5.4","id_raw":"5.5.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.1","id_raw":"6.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.2","id_raw":"6.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.1.3","id_raw":"6.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.1","id_raw":"6.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.2","id_raw":"6.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.3","id_raw":"6.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.4","id_raw":"6.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.5","id_raw":"6.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.6","id_raw":"6.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. 
The method of generation must be appropriate for the algorithm being used."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.7","id_raw":"6.2.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.2.8","id_raw":"6.2.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.1","id_raw":"6.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.2","id_raw":"6.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.3.3","id_raw":"6.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.4.1","id_raw":"6.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. 
([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:6.4.2","id_raw":"6.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.1","id_raw":"7.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.2","id_raw":"7.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.3","id_raw":"7.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures. ([C5, C7](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.1.4","id_raw":"7.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.2.1","id_raw":"7.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.2.2","id_raw":"7.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.1","id_raw":"7.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application appropriately encodes user-supplied data to prevent log injection. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.2","id_raw":"7.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all events are protected from injection when viewed in log viewing software. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.3","id_raw":"7.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that security logs are protected from unauthorized access and modification. ([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.3.4","id_raw":"7.3.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.1","id_raw":"7.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.2","id_raw":"7.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. ([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:7.4.3","id_raw":"7.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that a \"last resort\" error handler is defined which will catch all unhandled exceptions. 
([C10](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.1","id_raw":"8.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application protects sensitive data from being cached in server components such as load balancers and application caches."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.2","id_raw":"8.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.3","id_raw":"8.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.4","id_raw":"8.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.5","id_raw":"8.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that regular backups of important data are performed and that test restoration of data is performed."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.1.6","id_raw":"8.1.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that backups are stored securely to prevent data from being stolen or corrupted."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.1","id_raw":"8.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.2","id_raw":"8.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.2.3","id_raw":"8.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.1","id_raw":"8.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.2","id_raw":"8.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that users have a method to remove or export their data on demand."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.3","id_raw":"8.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.4","id_raw":"8.3.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. 
([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.5","id_raw":"8.3.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.6","id_raw":"8.3.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.7","id_raw":"8.3.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity. ([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:8.3.8","id_raw":"8.3.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.1","id_raw":"9.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. 
([C8](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.2","id_raw":"9.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.1.3","id_raw":"9.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.1","id_raw":"9.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.2","id_raw":"9.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. 
The server must not fall back to insecure or unencrypted protocols."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.3","id_raw":"9.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.4","id_raw":"9.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:9.2.5","id_raw":"9.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that backend TLS connection failures are logged."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.1.1","id_raw":"10.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.1","id_raw":"10.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. 
Where such functionality exists, obtain the user's permission for it to operate before collecting any data."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.2","id_raw":"10.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.3","id_raw":"10.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.4","id_raw":"10.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the application source code and third party libraries does not contain time bombs by searching for date and time related functions."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.5","id_raw":"10.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that the application source code and third party libraries does not contain malicious code, such as salami attacks, logic bypasses, or logic bombs."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.2.6","id_raw":"10.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.1","id_raw":"10.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that if the application has a client or server auto-update feature, updates should be obtained 
over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.2","id_raw":"10.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:10.3.3","id_raw":"10.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.1","id_raw":"11.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.2","id_raw":"11.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. 
transactions are not submitted too quickly."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.3","id_raw":"11.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.4","id_raw":"11.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.5","id_raw":"11.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.6","id_raw":"11.1.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify the application does not suffer from \"time of check to time of use\" (TOCTOU) issues or other race conditions for sensitive operations."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.7","id_raw":"11.1.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. 
([C9](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:11.1.8","id_raw":"11.1.8","tier_raw":"Item","tier":1,"seq":8,"title":null,"description":"Verify the application has configurable alerting when automated attacks or unusual activity is detected."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.1","id_raw":"12.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application will not accept large files that could fill up storage or cause a denial of service attack."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.2","id_raw":"12.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that compressed files are checked for \"zip bombs\" - small input files that will decompress into huge files thus exhausting file storage limits."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.1.3","id_raw":"12.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.2.1","id_raw":"12.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.1","id_raw":"12.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.2","id_raw":"12.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI)."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.3","id_raw":"12.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.4","id_raw":"12.3.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.5","id_raw":"12.3.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.3.6","id_raw":"12.3.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.4.1","id_raw":"12.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.4.2","id_raw":"12.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.5.1","id_raw":"12.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.5.2","id_raw":"12.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:12.6.1","id_raw":"12.6.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.1","id_raw":"13.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.2","id_raw":"13.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that access to administration and management functions is limited to authorized administrators."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.3","id_raw":"13.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify API URLs do not expose sensitive information, such as the API key, session tokens etc."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.4","id_raw":"13.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that authorization decisions are made at both the URI, 
enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.1.5","id_raw":"13.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.1","id_raw":"13.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.2","id_raw":"13.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that JSON schema validation is in place and verified before accepting input."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.3","id_raw":"13.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.4","id_raw":"13.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.5","id_raw":"13.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/JSON."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.2.6","id_raw":"13.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.3.1","id_raw":"13.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.3.2","id_raw":"13.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.4.1","id_raw":"13.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. 
For more advanced scenarios, query cost analysis should be used."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:13.4.2","id_raw":"13.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.1","id_raw":"14.1.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.2","id_raw":"14.1.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.3","id_raw":"14.1.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.4","id_raw":"14.1.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.1.5","id_raw":"14.1.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering."} 
+{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.1","id_raw":"14.2.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.2","id_raw":"14.2.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.3","id_raw":"14.2.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.4","id_raw":"14.2.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.5","id_raw":"14.2.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.2.6","id_raw":"14.2.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. 
([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering))"} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.1","id_raw":"14.3.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.2","id_raw":"14.3.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.3.3","id_raw":"14.3.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.1","id_raw":"14.4.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.2","id_raw":"14.4.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that all API responses contain Content-Disposition: attachment; filename=\"api.json\" (or other appropriate filename for the content type)."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.3","id_raw":"14.4.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.4","id_raw":"14.4.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that all responses contain 
X-Content-Type-Options: nosniff."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.5","id_raw":"14.4.5","tier_raw":"Item","tier":1,"seq":5,"title":null,"description":"Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.6","id_raw":"14.4.6","tier_raw":"Item","tier":1,"seq":6,"title":null,"description":"Verify that a suitable \"Referrer-Policy\" header is included, such as \"no-referrer\" or \"same-origin\"."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.4.7","id_raw":"14.4.7","tier_raw":"Item","tier":1,"seq":7,"title":null,"description":"Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.1","id_raw":"14.5.1","tier_raw":"Item","tier":1,"seq":1,"title":null,"description":"Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.2","id_raw":"14.5.2","tier_raw":"Item","tier":1,"seq":2,"title":null,"description":"Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.3","id_raw":"14.5.3","tier_raw":"Item","tier":1,"seq":3,"title":null,"description":"Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the \"null\" origin."} +{"source":"asvs_v4.0.1","id":"asvs_v4.0.1:14.5.4","id_raw":"14.5.4","tier_raw":"Item","tier":1,"seq":4,"title":null,"description":"Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are 
authenticated by the application."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv","id_raw":"GV","tier_raw":"Function","tier":0,"seq":1,"title":"Governance","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id","id_raw":"ID","tier_raw":"Function","tier":0,"seq":2,"title":"Identify","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr","id_raw":"PR","tier_raw":"Function","tier":0,"seq":3,"title":"Protect","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de","id_raw":"DE","tier_raw":"Function","tier":0,"seq":4,"title":"Detect","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs","id_raw":"RS","tier_raw":"Function","tier":0,"seq":5,"title":"Respond","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc","id_raw":"RC","tier_raw":"Function","tier":0,"seq":6,"title":"Recover","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm","id_raw":"DM","tier_raw":"Function","tier":0,"seq":7,"title":"Supply chain / dependency management","description":null} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf","id_raw":"GV.SF","tier_raw":"Category","tier":1,"seq":1,"title":"Strategy and Framework","description":"The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm","id_raw":"GV.RM","tier_raw":"Category","tier":1,"seq":2,"title":"Risk Management","description":"The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl","id_raw":"GV.PL","tier_raw":"Category","tier":1,"seq":3,"title":"Policy","description":"The organization has established a security 
policy in support of its cyber risk management framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr","id_raw":"GV.RR","tier_raw":"Category","tier":1,"seq":4,"title":"Roles and Responsibilities","description":"The organization has designated appropriate roles and responsibilities, including an individual responsible for cybersecurity for the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp","id_raw":"GV.SP","tier_raw":"Category","tier":1,"seq":5,"title":"Security Program","description":"The organization has a cybersecurity program that is continually measured and improved."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir","id_raw":"GV.IR","tier_raw":"Category","tier":1,"seq":6,"title":"Independent Risk Management Function","description":"The organization has an independent risk management function."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au","id_raw":"GV.AU","tier_raw":"Category","tier":1,"seq":7,"title":"Audit","description":"The organization has an independent audit function to provide for appropriate oversight of the cybersecurity program."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te","id_raw":"GV.TE","tier_raw":"Category","tier":1,"seq":8,"title":"Technology","description":"The organization integrates cyber risk considerations into new technology development, design, implementation, and adoption."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am","id_raw":"ID.AM","tier_raw":"Category","tier":1,"seq":9,"title":"Asset Management","description":"The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra","id_raw":"ID.RA","tier_raw":"Category","tier":1,"seq":10,"title":"Risk 
Assessment","description":"The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac","id_raw":"PR.AC","tier_raw":"Category","tier":1,"seq":11,"title":"Identity Management and Access Control","description":"Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at","id_raw":"PR.AT","tier_raw":"Category","tier":1,"seq":12,"title":"Awareness and Training","description":"The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds","id_raw":"PR.DS","tier_raw":"Category","tier":1,"seq":13,"title":"Data Security","description":"Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip","id_raw":"PR.IP","tier_raw":"Category","tier":1,"seq":14,"title":"Information Protection Processes and Procedures","description":"Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.\n"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ma","id_raw":"PR.MA","tier_raw":"Category","tier":1,"seq":15,"title":"Maintenance","description":"Maintenance 
and repairs of industrial control and information system components are performed consistent with policies and procedures."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt","id_raw":"PR.PT","tier_raw":"Category","tier":1,"seq":16,"title":"Protective Technology","description":"Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae","id_raw":"DE.AE","tier_raw":"Category","tier":1,"seq":17,"title":"Anomalies and Events","description":"Anomalous activity is detected in a timely manner and the potential impact of events is understood."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm","id_raw":"DE.CM","tier_raw":"Category","tier":1,"seq":18,"title":"Security Continuous Monitoring","description":"The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp","id_raw":"DE.DP","tier_raw":"Category","tier":1,"seq":19,"title":"Detection Processes","description":"Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.rp","id_raw":"RS.RP","tier_raw":"Category","tier":1,"seq":20,"title":"Response Planning","description":"Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co","id_raw":"RS.CO","tier_raw":"Category","tier":1,"seq":21,"title":"Communications","description":"Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an","id_raw":"RS.AN","tier_raw":"Category","tier":1,"seq":22,"title":"Analysis","description":"Analysis is conducted to ensure adequate response and support recovery activities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi","id_raw":"RS.MI","tier_raw":"Category","tier":1,"seq":23,"title":"Mitigation","description":"Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im","id_raw":"RS.IM","tier_raw":"Category","tier":1,"seq":24,"title":"Improvements","description":"Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp","id_raw":"RC.RP","tier_raw":"Category","tier":1,"seq":25,"title":"Recovery Planning","description":"Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.im","id_raw":"RC.IM","tier_raw":"Category","tier":1,"seq":26,"title":"Improvements","description":"Recovery planning and processes are improved by incorporating lessons learned into future activities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co","id_raw":"RC.CO","tier_raw":"Category","tier":1,"seq":27,"title":"Communications","description":"Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id","id_raw":"DM.ID","tier_raw":"Category","tier":1,"seq":28,"title":"Internal Dependencies","description":"The organization manages risks associated with its internal dependencies."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed","id_raw":"DM.ED","tier_raw":"Category","tier":1,"seq":29,"title":"External Dependencies","description":"The organization manages risks associated with its external dependencies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs","id_raw":"DM.RS","tier_raw":"Category","tier":1,"seq":30,"title":"Resilience","description":"The organization is resilient and able to operate while experiencing a cyber attack."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be","id_raw":"DM.BE","tier_raw":"Category","tier":1,"seq":31,"title":"Business Environment","description":"The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1","id_raw":"GV.SF-1","tier_raw":"Subcategory","tier":2,"seq":1,"title":null,"description":"Organization has a cyber risk management strategy and framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-2","id_raw":"GV.SF-2","tier_raw":"Subcategory","tier":2,"seq":2,"title":null,"description":"Cyber risk management strategy and framework is appropriately informed by international, national, and industry standards and guidelines."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-3","id_raw":"GV.SF-3","tier_raw":"Subcategory","tier":2,"seq":3,"title":null,"description":"Cyber risk management strategy and framework address applicable cybersecurity risks."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-4","id_raw":"GV.SF-4","tier_raw":"Subcategory","tier":2,"seq":4,"title":null,"description":"The organization’s determination of cyber risk appetite is informed by its role in critical infrastructure and sector specific risk analysis."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1","id_raw":"GV.RM-1","tier_raw":"Subcategory","tier":2,"seq":5,"title":null,"description":"Cyber risk management processes are established, managed, and agreed to by organizational stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-2","id_raw":"GV.RM-2","tier_raw":"Subcategory","tier":2,"seq":6,"title":null,"description":"Organizational risk tolerance is determined and clearly expressed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-3","id_raw":"GV.RM-3","tier_raw":"Subcategory","tier":2,"seq":7,"title":null,"description":"Cyber risk management framework is integrated into the enterprise risk management framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-1","id_raw":"GV.PL-1","tier_raw":"Subcategory","tier":2,"seq":8,"title":null,"description":"Organizational cybersecurity policy is established and has been approved by appropriate governance bodies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-2","id_raw":"GV.PL-2","tier_raw":"Subcategory","tier":2,"seq":9,"title":null,"description":"Organizational cybersecurity policy addresses appropriate controls, identified through risk assessment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-3","id_raw":"GV.PL-3","tier_raw":"Subcategory","tier":2,"seq":10,"title":null,"description":"Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-1","id_raw":"GV.RR-1","tier_raw":"Subcategory","tier":2,"seq":11,"title":null,"description":"Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-2","id_raw":"GV.RR-2","tier_raw":"Subcategory","tier":2,"seq":12,"title":null,"description":"Organization has 
appointed a manager responsible for cybersecurity efforts within the organization, including authority, sufficient budget, and access to the executive suite and appropriate governing authority (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-1","id_raw":"GV.SP-1","tier_raw":"Subcategory","tier":2,"seq":13,"title":null,"description":"Organization has a cybersecurity program that implements, monitors and updates its policies, procedures, processes, and controls to continually manage cybersecurity risks to the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-2","id_raw":"GV.SP-2","tier_raw":"Subcategory","tier":2,"seq":14,"title":null,"description":"Cybersecurity performance is measured and regularly reported to senior executives and the Board or an appropriate governing body."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-1","id_raw":"GV.IR-1","tier_raw":"Subcategory","tier":2,"seq":15,"title":null,"description":"An independent risk management function provides assurance that the cybersecurity risk management framework has been implemented according to policy and is consistent with the organization's risk appetite and tolerance."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-2","id_raw":"GV.IR-2","tier_raw":"Subcategory","tier":2,"seq":16,"title":null,"description":"An independent risk management function assesses the appropriateness of the risk management program for the organization's risk appetite and proposes risk mitigation strategies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-3","id_raw":"GV.IR-3","tier_raw":"Subcategory","tier":2,"seq":17,"title":null,"description":"An independent risk management function reports implementation of cyber risk management framework to the appropriate governing authority (e.g., the Board or one of its committees)"} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-1","id_raw":"GV.AU-1","tier_raw":"Subcategory","tier":2,"seq":18,"title":null,"description":"An independent audit function assesses compliance with internal controls and applicable laws and regulations. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-2","id_raw":"GV.AU-2","tier_raw":"Subcategory","tier":2,"seq":19,"title":null,"description":"An independent audit function updates its procedures to adjust to the evolving cybersecurity environment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-3","id_raw":"GV.AU-3","tier_raw":"Subcategory","tier":2,"seq":20,"title":null,"description":"An independent audit function identifies, tracks, and reports significant changes in the organization's cyber risk exposure to the appropriate governing authority (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te-1","id_raw":"GV.TE-1","tier_raw":"Subcategory","tier":2,"seq":21,"title":null,"description":"Organization integrates consideration of cyber risks into technology implementations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te-2","id_raw":"GV.TE-2","tier_raw":"Subcategory","tier":2,"seq":22,"title":null,"description":"Organization should use technical security standards, architectures, and tools to ensure security to the maximum extent possible."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-1","id_raw":"ID.AM-1","tier_raw":"Subcategory","tier":2,"seq":23,"title":null,"description":"Physical devices and systems within the organization are inventoried."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-2","id_raw":"ID.AM-2","tier_raw":"Subcategory","tier":2,"seq":24,"title":null,"description":"Software platforms and applications within the organization are inventoried."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-3","id_raw":"ID.AM-3","tier_raw":"Subcategory","tier":2,"seq":25,"title":null,"description":"Organizational communication and data flows are mapped."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-4","id_raw":"ID.AM-4","tier_raw":"Subcategory","tier":2,"seq":26,"title":null,"description":"External information systems are catalogued."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-5","id_raw":"ID.AM-5","tier_raw":"Subcategory","tier":2,"seq":27,"title":null,"description":"Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-6","id_raw":"ID.AM-6","tier_raw":"Subcategory","tier":2,"seq":28,"title":null,"description":"Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-1","id_raw":"ID.RA-1","tier_raw":"Subcategory","tier":2,"seq":29,"title":null,"description":"Asset vulnerabilities are identified and documented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-2","id_raw":"ID.RA-2","tier_raw":"Subcategory","tier":2,"seq":30,"title":null,"description":"Cyber threat intelligence is received from information sharing forums and sources."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-3","id_raw":"ID.RA-3","tier_raw":"Subcategory","tier":2,"seq":31,"title":null,"description":"Cyber threats, both internal and external, are identified and documented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-4","id_raw":"ID.RA-4","tier_raw":"Subcategory","tier":2,"seq":32,"title":null,"description":"Potential business impacts and likelihoods are identified."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5","id_raw":"ID.RA-5","tier_raw":"Subcategory","tier":2,"seq":33,"title":null,"description":"Threats, vulnerabilities, likelihoods, and impacts are used to determine risk."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-6","id_raw":"ID.RA-6","tier_raw":"Subcategory","tier":2,"seq":34,"title":null,"description":"Risk responses are identified and prioritized."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-1","id_raw":"PR.AC-1","tier_raw":"Subcategory","tier":2,"seq":35,"title":null,"description":"Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-2","id_raw":"PR.AC-2","tier_raw":"Subcategory","tier":2,"seq":36,"title":null,"description":"Physical access to assets is managed and protected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-3","id_raw":"PR.AC-3","tier_raw":"Subcategory","tier":2,"seq":37,"title":null,"description":"Remote access is managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-4","id_raw":"PR.AC-4","tier_raw":"Subcategory","tier":2,"seq":38,"title":null,"description":"Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-5","id_raw":"PR.AC-5","tier_raw":"Subcategory","tier":2,"seq":39,"title":null,"description":"Network integrity is protected, incorporating network segregation where appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-6","id_raw":"PR.AC-6","tier_raw":"Subcategory","tier":2,"seq":40,"title":null,"description":"Identities are proofed and bound to credentials, and asserted in interactions."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-7","id_raw":"PR.AC-7","tier_raw":"Subcategory","tier":2,"seq":41,"title":null,"description":"Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).\n"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-1","id_raw":"PR.AT-1","tier_raw":"Subcategory","tier":2,"seq":42,"title":null,"description":"All users are informed and trained."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-2","id_raw":"PR.AT-2","tier_raw":"Subcategory","tier":2,"seq":43,"title":null,"description":"Privileged users understand their roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-3","id_raw":"PR.AT-3","tier_raw":"Subcategory","tier":2,"seq":44,"title":null,"description":"Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-4","id_raw":"PR.AT-4","tier_raw":"Subcategory","tier":2,"seq":45,"title":null,"description":"Senior executives understand their roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-5","id_raw":"PR.AT-5","tier_raw":"Subcategory","tier":2,"seq":46,"title":null,"description":"Physical and information security personnel understand roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-1","id_raw":"PR.DS-1","tier_raw":"Subcategory","tier":2,"seq":47,"title":null,"description":"Data-at-rest is protected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-2","id_raw":"PR.DS-2","tier_raw":"Subcategory","tier":2,"seq":48,"title":null,"description":"Data-in-transit is protected."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-3","id_raw":"PR.DS-3","tier_raw":"Subcategory","tier":2,"seq":49,"title":null,"description":"Assets are formally managed throughout removal, transfers, and disposition."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-4","id_raw":"PR.DS-4","tier_raw":"Subcategory","tier":2,"seq":50,"title":null,"description":"Adequate capacity to ensure availability is maintained."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-5","id_raw":"PR.DS-5","tier_raw":"Subcategory","tier":2,"seq":51,"title":null,"description":"Protections against data leaks are implemented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-6","id_raw":"PR.DS-6","tier_raw":"Subcategory","tier":2,"seq":52,"title":null,"description":"Integrity checking mechanisms are used to verify software, firmware, and information integrity."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-7","id_raw":"PR.DS-7","tier_raw":"Subcategory","tier":2,"seq":53,"title":null,"description":"The development and testing environment(s) are separate from the production environment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-8","id_raw":"PR.DS-8","tier_raw":"Subcategory","tier":2,"seq":54,"title":null,"description":"Integrity checking mechanisms are used to verify hardware integrity."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-1","id_raw":"PR.IP-1","tier_raw":"Subcategory","tier":2,"seq":55,"title":null,"description":"A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-2","id_raw":"PR.IP-2","tier_raw":"Subcategory","tier":2,"seq":56,"title":null,"description":"A System Development Life Cycle to manage systems is implemented."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-3","id_raw":"PR.IP-3","tier_raw":"Subcategory","tier":2,"seq":57,"title":null,"description":"Configuration change control processes are in place."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-4","id_raw":"PR.IP-4","tier_raw":"Subcategory","tier":2,"seq":58,"title":null,"description":"Backups of information are conducted, maintained, and tested periodically."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-5","id_raw":"PR.IP-5","tier_raw":"Subcategory","tier":2,"seq":59,"title":null,"description":"Policy and regulations regarding the physical operating environment for organizational assets are met."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-6","id_raw":"PR.IP-6","tier_raw":"Subcategory","tier":2,"seq":60,"title":null,"description":"Data is destroyed according to policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-7","id_raw":"PR.IP-7","tier_raw":"Subcategory","tier":2,"seq":61,"title":null,"description":"Protection processes are continuously improved."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-8","id_raw":"PR.IP-8","tier_raw":"Subcategory","tier":2,"seq":62,"title":null,"description":"Effectiveness of protection technologies is shared with appropriate parties."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-9","id_raw":"PR.IP-9","tier_raw":"Subcategory","tier":2,"seq":63,"title":null,"description":"Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-10","id_raw":"PR.IP-10","tier_raw":"Subcategory","tier":2,"seq":64,"title":null,"description":"Response and recovery plans are tested."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-11","id_raw":"PR.IP-11","tier_raw":"Subcategory","tier":2,"seq":65,"title":null,"description":"Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-12","id_raw":"PR.IP-12","tier_raw":"Subcategory","tier":2,"seq":66,"title":null,"description":"A vulnerability management plan is developed and implemented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ma-1","id_raw":"PR.MA-1","tier_raw":"Subcategory","tier":2,"seq":67,"title":null,"description":"Maintenance and repair of organizational assets are performed and logged in a timely manner, with approved and controlled tools."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ma-2","id_raw":"PR.MA-2","tier_raw":"Subcategory","tier":2,"seq":68,"title":null,"description":"Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-1","id_raw":"PR.PT-1","tier_raw":"Subcategory","tier":2,"seq":69,"title":null,"description":"Audit/log records are determined, documented, implemented, and reviewed in accordance with policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-2","id_raw":"PR.PT-2","tier_raw":"Subcategory","tier":2,"seq":70,"title":null,"description":"Removable media is protected and its use restricted according to policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-3","id_raw":"PR.PT-3","tier_raw":"Subcategory","tier":2,"seq":71,"title":null,"description":"The principle of least functionality is incorporated by configuring systems to provide only essential capabilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-4","id_raw":"PR.PT-4","tier_raw":"Subcategory","tier":2,"seq":72,"title":null,"description":"Communications and control 
networks are protected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-5","id_raw":"PR.PT-5","tier_raw":"Subcategory","tier":2,"seq":73,"title":null,"description":"Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-1","id_raw":"DE.AE-1","tier_raw":"Subcategory","tier":2,"seq":74,"title":null,"description":"A baseline of network operations and expected data flows for users and systems is established and managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-2","id_raw":"DE.AE-2","tier_raw":"Subcategory","tier":2,"seq":75,"title":null,"description":"Detected events are analyzed to understand attack targets and methods."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-3","id_raw":"DE.AE-3","tier_raw":"Subcategory","tier":2,"seq":76,"title":null,"description":"Event data are collected and correlated from multiple sources and sensors."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-4","id_raw":"DE.AE-4","tier_raw":"Subcategory","tier":2,"seq":77,"title":null,"description":"Impact of events is determined."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-5","id_raw":"DE.AE-5","tier_raw":"Subcategory","tier":2,"seq":78,"title":null,"description":"Incident alert thresholds are established."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-1","id_raw":"DE.CM-1","tier_raw":"Subcategory","tier":2,"seq":79,"title":null,"description":"The network is monitored to detect potential cybersecurity events."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-2","id_raw":"DE.CM-2","tier_raw":"Subcategory","tier":2,"seq":80,"title":null,"description":"The physical environment is monitored to detect potential cybersecurity events."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-3","id_raw":"DE.CM-3","tier_raw":"Subcategory","tier":2,"seq":81,"title":null,"description":"Personnel activity is monitored to detect potential cybersecurity events."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-4","id_raw":"DE.CM-4","tier_raw":"Subcategory","tier":2,"seq":82,"title":null,"description":"Malicious code is detected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-5","id_raw":"DE.CM-5","tier_raw":"Subcategory","tier":2,"seq":83,"title":null,"description":"Unauthorized mobile code is detected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-6","id_raw":"DE.CM-6","tier_raw":"Subcategory","tier":2,"seq":84,"title":null,"description":"External service provider activity is monitored to detect potential cybersecurity events."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-7","id_raw":"DE.CM-7","tier_raw":"Subcategory","tier":2,"seq":85,"title":null,"description":"Monitoring for unauthorized personnel, connections, devices, and software is performed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-8","id_raw":"DE.CM-8","tier_raw":"Subcategory","tier":2,"seq":86,"title":null,"description":"Vulnerability scans are performed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-1","id_raw":"DE.DP-1","tier_raw":"Subcategory","tier":2,"seq":87,"title":null,"description":"Roles and responsibilities for detection are well defined to ensure accountability."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-2","id_raw":"DE.DP-2","tier_raw":"Subcategory","tier":2,"seq":88,"title":null,"description":"Detection activities comply with all applicable requirements."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-3","id_raw":"DE.DP-3","tier_raw":"Subcategory","tier":2,"seq":89,"title":null,"description":"Detection processes are tested."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-4","id_raw":"DE.DP-4","tier_raw":"Subcategory","tier":2,"seq":90,"title":null,"description":"Event detection information is communicated to appropriate parties."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-5","id_raw":"DE.DP-5","tier_raw":"Subcategory","tier":2,"seq":91,"title":null,"description":"Detection processes are continuously improved."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.rp-1","id_raw":"RS.RP-1","tier_raw":"Subcategory","tier":2,"seq":92,"title":null,"description":"Response plan is executed during or after an incident."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-1","id_raw":"RS.CO-1","tier_raw":"Subcategory","tier":2,"seq":93,"title":null,"description":"Personnel know their roles and order of operations when a response is needed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-2","id_raw":"RS.CO-2","tier_raw":"Subcategory","tier":2,"seq":94,"title":null,"description":"Incidents are reported consistent with established criteria."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-3","id_raw":"RS.CO-3","tier_raw":"Subcategory","tier":2,"seq":95,"title":null,"description":"Information is shared consistent with response plans."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-4","id_raw":"RS.CO-4","tier_raw":"Subcategory","tier":2,"seq":96,"title":null,"description":"Coordination with stakeholders occurs consistent with response plans."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-5","id_raw":"RS.CO-5","tier_raw":"Subcategory","tier":2,"seq":97,"title":null,"description":"Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-1","id_raw":"RS.AN-1","tier_raw":"Subcategory","tier":2,"seq":98,"title":null,"description":"Notifications from 
detection systems are investigated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-2","id_raw":"RS.AN-2","tier_raw":"Subcategory","tier":2,"seq":99,"title":null,"description":"The impact of the incident is understood."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-3","id_raw":"RS.AN-3","tier_raw":"Subcategory","tier":2,"seq":100,"title":null,"description":"Forensics are performed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-4","id_raw":"RS.AN-4","tier_raw":"Subcategory","tier":2,"seq":101,"title":null,"description":"Incidents are categorized consistent with response plans."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-5","id_raw":"RS.AN-5","tier_raw":"Subcategory","tier":2,"seq":102,"title":null,"description":"Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-1","id_raw":"RS.MI-1","tier_raw":"Subcategory","tier":2,"seq":103,"title":null,"description":"Incidents are contained."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-2","id_raw":"RS.MI-2","tier_raw":"Subcategory","tier":2,"seq":104,"title":null,"description":"Incidents are mitigated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-3","id_raw":"RS.MI-3","tier_raw":"Subcategory","tier":2,"seq":105,"title":null,"description":"Newly identified vulnerabilities are mitigated or documented as accepted risks."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-1","id_raw":"RS.IM-1","tier_raw":"Subcategory","tier":2,"seq":106,"title":null,"description":"Response plans incorporate lessons learned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-2","id_raw":"RS.IM-2","tier_raw":"Subcategory","tier":2,"seq":107,"title":null,"description":"Response strategies 
are updated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1","id_raw":"RC.RP-1","tier_raw":"Subcategory","tier":2,"seq":108,"title":null,"description":"Recovery plan is executed during or after a cybersecurity incident."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.im-1","id_raw":"RC.IM-1","tier_raw":"Subcategory","tier":2,"seq":109,"title":null,"description":"Recovery plans incorporate lessons learned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.im-2","id_raw":"RC.IM-2","tier_raw":"Subcategory","tier":2,"seq":110,"title":null,"description":"Recovery strategies are updated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-1","id_raw":"RC.CO-1","tier_raw":"Subcategory","tier":2,"seq":111,"title":null,"description":"Public relations are managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-2","id_raw":"RC.CO-2","tier_raw":"Subcategory","tier":2,"seq":112,"title":null,"description":"Reputation after an event is repaired."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-3","id_raw":"RC.CO-3","tier_raw":"Subcategory","tier":2,"seq":113,"title":null,"description":"Recovery activities are communicated to internal and external stakeholders as well as and executive and management teams."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-1","id_raw":"DM.ID-1","tier_raw":"Subcategory","tier":2,"seq":114,"title":null,"description":"The organization integrates internal dependency management strategy into the overall strategic risk management plan."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-2","id_raw":"DM.ID-2","tier_raw":"Subcategory","tier":2,"seq":115,"title":null,"description":"Roles and responsibilities for internal dependency management are defined and assigned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-1","id_raw":"DM.ED-1","tier_raw":"Subcategory","tier":2,"seq":116,"title":null,"description":"The 
organization integrates external dependency management strategy into the overall strategic risk management plan."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2","id_raw":"DM.ED-2","tier_raw":"Subcategory","tier":2,"seq":117,"title":null,"description":"Dependency management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-3","id_raw":"DM.ED-3","tier_raw":"Subcategory","tier":2,"seq":118,"title":null,"description":"Roles and responsibilities for external dependency management are defined and assigned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4","id_raw":"DM.ED-4","tier_raw":"Subcategory","tier":2,"seq":119,"title":null,"description":"The organization manages cyber risks associated with external dependencies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-5","id_raw":"DM.ED-5","tier_raw":"Subcategory","tier":2,"seq":120,"title":null,"description":"Functions, activities, products, and services - including interconnections, dependencies, and third parties - are identified and prioritized based on their criticality to the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6","id_raw":"DM.ED-6","tier_raw":"Subcategory","tier":2,"seq":121,"title":null,"description":"Minimum cybersecurity practices for critical external dependencies designed to meet the objectives of the Cyber Risk Management Program or Cyber Supply Chain Risk Management Plan are identified and documented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-7","id_raw":"DM.ED-7","tier_raw":"Subcategory","tier":2,"seq":122,"title":null,"description":"Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. 
Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-1","id_raw":"DM.RS-1","tier_raw":"Subcategory","tier":2,"seq":123,"title":null,"description":"Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2","id_raw":"DM.RS-2","tier_raw":"Subcategory","tier":2,"seq":124,"title":null,"description":"Organizational incident response, business continuity, and disaster recovery plans and exercises incorporate its external dependencies and critical business partners."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-1","id_raw":"DM.BE-1","tier_raw":"Subcategory","tier":2,"seq":125,"title":null,"description":"The organization’s place in critical infrastructure and its industry sector is identified and communicated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-2","id_raw":"DM.BE-2","tier_raw":"Subcategory","tier":2,"seq":126,"title":null,"description":"Dependencies and critical functions for delivery of critical services are established."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-3","id_raw":"DM.BE-3","tier_raw":"Subcategory","tier":2,"seq":127,"title":null,"description":"Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1.1","id_raw":"GV.SF-1.1","tier_raw":"Statement","tier":3,"seq":1,"title":null,"description":"The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management 
framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1.2","id_raw":"GV.SF-1.2","tier_raw":"Statement","tier":3,"seq":2,"title":null,"description":"An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization’s cyber risk management strategy and framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1.3","id_raw":"GV.SF-1.3","tier_raw":"Statement","tier":3,"seq":3,"title":null,"description":"The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1.4","id_raw":"GV.SF-1.4","tier_raw":"Statement","tier":3,"seq":4,"title":null,"description":"The cyber risk management strategy identifies and communicates the organization’s role within the financial services sector as a component of critical infrastructure in the financial services industry."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-1.5","id_raw":"GV.SF-1.5","tier_raw":"Statement","tier":3,"seq":5,"title":null,"description":"The cyber risk management strategy and framework establishes and communicates priorities for organizational mission, objectives, and activities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-2.1","id_raw":"GV.SF-2.1","tier_raw":"Statement","tier":3,"seq":6,"title":null,"description":"The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-3.1","id_raw":"GV.SF-3.1","tier_raw":"Statement","tier":3,"seq":7,"title":null,"description":"An appropriate governing authority (e.g., the Board or one of 
its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-3.2","id_raw":"GV.SF-3.2","tier_raw":"Statement","tier":3,"seq":8,"title":null,"description":"An appropriate governing authority (e.g., the Board or one of its committees) periodically reviews and evaluates the organization's ability to manage its cyber risks."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-3.3","id_raw":"GV.SF-3.3","tier_raw":"Statement","tier":3,"seq":9,"title":null,"description":"The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sf-4.1","id_raw":"GV.SF-4.1","tier_raw":"Statement","tier":3,"seq":10,"title":null,"description":"The risk appetite is informed by the organization’s role in critical infrastructure."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.1","id_raw":"GV.RM-1.1","tier_raw":"Statement","tier":3,"seq":11,"title":null,"description":"The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.2","id_raw":"GV.RM-1.2","tier_raw":"Statement","tier":3,"seq":12,"title":null,"description":"The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.3","id_raw":"GV.RM-1.3","tier_raw":"Statement","tier":3,"seq":13,"title":null,"description":"As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.4","id_raw":"GV.RM-1.4","tier_raw":"Statement","tier":3,"seq":14,"title":null,"description":"The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.5","id_raw":"GV.RM-1.5","tier_raw":"Statement","tier":3,"seq":15,"title":null,"description":"The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-1.6","id_raw":"GV.RM-1.6","tier_raw":"Statement","tier":3,"seq":16,"title":null,"description":"The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-2.1","id_raw":"GV.RM-2.1","tier_raw":"Statement","tier":3,"seq":17,"title":null,"description":"The organization has established a cyber risk tolerance consistent with its risk appetite, and integrated it into technology or operational risk management, as appropriate."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-2.2","id_raw":"GV.RM-2.2","tier_raw":"Statement","tier":3,"seq":18,"title":null,"description":"The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-2.3","id_raw":"GV.RM-2.3","tier_raw":"Statement","tier":3,"seq":19,"title":null,"description":"The cyber risk management strategy articulates how the organization would maintain an acceptable level of residual cyber risk set by the appropriate governing authority (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-3.1","id_raw":"GV.RM-3.1","tier_raw":"Statement","tier":3,"seq":20,"title":null,"description":"The cyber risk management framework is integrated into the enterprise risk management framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-3.2","id_raw":"GV.RM-3.2","tier_raw":"Statement","tier":3,"seq":21,"title":null,"description":"The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rm-3.3","id_raw":"GV.RM-3.3","tier_raw":"Statement","tier":3,"seq":22,"title":null,"description":"The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-1.1","id_raw":"GV.PL-1.1","tier_raw":"Statement","tier":3,"seq":23,"title":null,"description":"The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-1.2","id_raw":"GV.PL-1.2","tier_raw":"Statement","tier":3,"seq":24,"title":null,"description":"The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-2.1","id_raw":"GV.PL-2.1","tier_raw":"Statement","tier":3,"seq":25,"title":null,"description":"The cybersecurity policy is supported by the organization's risk management program."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-2.2","id_raw":"GV.PL-2.2","tier_raw":"Statement","tier":3,"seq":26,"title":null,"description":"Cybersecurity processes and procedures are established based on the cybersecurity policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-2.3","id_raw":"GV.PL-2.3","tier_raw":"Statement","tier":3,"seq":27,"title":null,"description":"The cybersecurity policy is periodically reviewed and revised under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite (e.g., new technologies, products, 
services, interdependencies, and the evolving threat environment)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-3.1","id_raw":"GV.PL-3.1","tier_raw":"Statement","tier":3,"seq":28,"title":null,"description":"The cybersecurity policy, strategy and framework should take into account the organization's legal and regulatory obligations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-3.2","id_raw":"GV.PL-3.2","tier_raw":"Statement","tier":3,"seq":29,"title":null,"description":"The organization's cybersecurity policies are consistent with its privacy and civil liberty obligations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.pl-3.3","id_raw":"GV.PL-3.3","tier_raw":"Statement","tier":3,"seq":30,"title":null,"description":"The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-1.1","id_raw":"GV.RR-1.1","tier_raw":"Statement","tier":3,"seq":31,"title":null,"description":"The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-2.1","id_raw":"GV.RR-2.1","tier_raw":"Statement","tier":3,"seq":32,"title":null,"description":"The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-2.2","id_raw":"GV.RR-2.2","tier_raw":"Statement","tier":3,"seq":33,"title":null,"description":"The organization provides adequate 
resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-2.3","id_raw":"GV.RR-2.3","tier_raw":"Statement","tier":3,"seq":34,"title":null,"description":"The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.rr-2.4","id_raw":"GV.RR-2.4","tier_raw":"Statement","tier":3,"seq":35,"title":null,"description":"The organization provides adequate resources to maintain and enhance the cybersecurity situational awareness of senior managers within the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-1.1","id_raw":"GV.SP-1.1","tier_raw":"Statement","tier":3,"seq":36,"title":null,"description":"The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-1.2","id_raw":"GV.SP-1.2","tier_raw":"Statement","tier":3,"seq":37,"title":null,"description":"Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-2.1","id_raw":"GV.SP-2.1","tier_raw":"Statement","tier":3,"seq":38,"title":null,"description":"The organization implements a repeatable process to develop, collect, store, report, and refresh actionable cybersecurity key performance indicators and metrics. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-2.2","id_raw":"GV.SP-2.2","tier_raw":"Statement","tier":3,"seq":39,"title":null,"description":"The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to help guide the security program. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.sp-2.3","id_raw":"GV.SP-2.3","tier_raw":"Statement","tier":3,"seq":40,"title":null,"description":"The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-1.1","id_raw":"GV.IR-1.1","tier_raw":"Statement","tier":3,"seq":41,"title":null,"description":"The organization's enterprise-wide cyber risk management framework includes an independent risk management function that provides assurance that the cyber risk management framework is implemented as intended."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-1.2","id_raw":"GV.IR-1.2","tier_raw":"Statement","tier":3,"seq":42,"title":null,"description":"An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-1.3","id_raw":"GV.IR-1.3","tier_raw":"Statement","tier":3,"seq":43,"title":null,"description":"The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-1.4","id_raw":"GV.IR-1.4","tier_raw":"Statement","tier":3,"seq":44,"title":null,"description":"Individuals responsible for independent risk management and oversight are independent of business line management, including senior leadership."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-2.1","id_raw":"GV.IR-2.1","tier_raw":"Statement","tier":3,"seq":45,"title":null,"description":"An independent risk management function assesses the appropriateness of the cyber risk management program according to the organization's risk appetite."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-2.2","id_raw":"GV.IR-2.2","tier_raw":"Statement","tier":3,"seq":46,"title":null,"description":"An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.ir-3.1","id_raw":"GV.IR-3.1","tier_raw":"Statement","tier":3,"seq":47,"title":null,"description":"An independent risk management function reports to the appropriate governing authority (e.g., the Board or one of its committees) and to the appropriate risk management officer within the organization on the implementation of the cyber risk management framework throughout the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-1.1","id_raw":"GV.AU-1.1","tier_raw":"Statement","tier":3,"seq":48,"title":null,"description":"The organization has an independent audit function. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-1.2","id_raw":"GV.AU-1.2","tier_raw":"Statement","tier":3,"seq":49,"title":null,"description":"The organization has an independent audit plan that provides for an evaluation of the organization's compliance with the appropriately approved cyber risk management framework and its cybersecurity policies and processes including how well the organization adapts to the evolving cyber risk environment while remaining within its stated risk appetite and tolerance."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-1.3","id_raw":"GV.AU-1.3","tier_raw":"Statement","tier":3,"seq":50,"title":null,"description":"An independent audit function tests security controls and information security policies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-1.4","id_raw":"GV.AU-1.4","tier_raw":"Statement","tier":3,"seq":51,"title":null,"description":"An independent audit function assesses compliance with applicable laws and regulations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-2.1","id_raw":"GV.AU-2.1","tier_raw":"Statement","tier":3,"seq":52,"title":null,"description":"A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-2.2","id_raw":"GV.AU-2.2","tier_raw":"Statement","tier":3,"seq":53,"title":null,"description":"A formal process is in place for the independent audit function to update its procedures based on changes to the organization's risk appetite and risk tolerance."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-3.1","id_raw":"GV.AU-3.1","tier_raw":"Statement","tier":3,"seq":54,"title":null,"description":"An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-3.2","id_raw":"GV.AU-3.2","tier_raw":"Statement","tier":3,"seq":55,"title":null,"description":"An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.au-3.3","id_raw":"GV.AU-3.3","tier_raw":"Statement","tier":3,"seq":56,"title":null,"description":"An independent audit function reports to the appropriate governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when cyber risk tolerance has been exceeded in any part of the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te-1.1","id_raw":"GV.TE-1.1","tier_raw":"Statement","tier":3,"seq":57,"title":null,"description":"The organization identifies how cybersecurity will support emerging technologies that support business needs (e.g., cloud, mobile, IoT, IIoT, etc.) 
by integrating cybersecurity considerations into the lifecycle of new technologies from their inception."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te-1.2","id_raw":"GV.TE-1.2","tier_raw":"Statement","tier":3,"seq":58,"title":null,"description":"The organization applies its cyber risk management framework to all technology projects."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:gv.te-2.1","id_raw":"GV.TE-2.1","tier_raw":"Statement","tier":3,"seq":59,"title":null,"description":"The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-1.1","id_raw":"ID.AM-1.1","tier_raw":"Statement","tier":3,"seq":60,"title":null,"description":"The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-2.1","id_raw":"ID.AM-2.1","tier_raw":"Statement","tier":3,"seq":61,"title":null,"description":"The organization maintains a current and complete inventory of software platforms and business applications."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-3.1","id_raw":"ID.AM-3.1","tier_raw":"Statement","tier":3,"seq":62,"title":null,"description":"The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-3.2","id_raw":"ID.AM-3.2","tier_raw":"Statement","tier":3,"seq":63,"title":null,"description":"The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-3.3","id_raw":"ID.AM-3.3","tier_raw":"Statement","tier":3,"seq":64,"title":null,"description":"The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-4.1","id_raw":"ID.AM-4.1","tier_raw":"Statement","tier":3,"seq":65,"title":null,"description":"The organization maintains an inventory of external information systems. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-5.1","id_raw":"ID.AM-5.1","tier_raw":"Statement","tier":3,"seq":66,"title":null,"description":"The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-5.2","id_raw":"ID.AM-5.2","tier_raw":"Statement","tier":3,"seq":67,"title":null,"description":"The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.am-6.1","id_raw":"ID.AM-6.1","tier_raw":"Statement","tier":3,"seq":68,"title":null,"description":"Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-1.1","id_raw":"ID.RA-1.1","tier_raw":"Statement","tier":3,"seq":69,"title":null,"description":"The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-2.1","id_raw":"ID.RA-2.1","tier_raw":"Statement","tier":3,"seq":70,"title":null,"description":"The organization participates actively (in geopolitical alignment with its business operations) in applicable information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats and early warning indicators relating to cyber threats. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-3.1","id_raw":"ID.RA-3.1","tier_raw":"Statement","tier":3,"seq":71,"title":null,"description":"The organization identifies, documents, and analyzes threats that are internal and external to the firm."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-3.2","id_raw":"ID.RA-3.2","tier_raw":"Statement","tier":3,"seq":72,"title":null,"description":"The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-3.3","id_raw":"ID.RA-3.3","tier_raw":"Statement","tier":3,"seq":73,"title":null,"description":"The organization regularly reviews and updates results of its cyber threat analysis."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-4.1","id_raw":"ID.RA-4.1","tier_raw":"Statement","tier":3,"seq":74,"title":null,"description":"The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.1","id_raw":"ID.RA-5.1","tier_raw":"Statement","tier":3,"seq":75,"title":null,"description":"Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.2","id_raw":"ID.RA-5.2","tier_raw":"Statement","tier":3,"seq":76,"title":null,"description":"The organization considers threat intelligence received from the organization's participants, service and utility providers and other industry organizations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.3","id_raw":"ID.RA-5.3","tier_raw":"Statement","tier":3,"seq":77,"title":null,"description":"The organization has established threat modeling 
capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.4","id_raw":"ID.RA-5.4","tier_raw":"Statement","tier":3,"seq":78,"title":null,"description":"The organization's business units assess, on an ongoing basis, the cyber risks associated with the activities of the business unit."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.5","id_raw":"ID.RA-5.5","tier_raw":"Statement","tier":3,"seq":79,"title":null,"description":"The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-5.6","id_raw":"ID.RA-5.6","tier_raw":"Statement","tier":3,"seq":80,"title":null,"description":"The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-6.1","id_raw":"ID.RA-6.1","tier_raw":"Statement","tier":3,"seq":81,"title":null,"description":"The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:id.ra-6.2","id_raw":"ID.RA-6.2","tier_raw":"Statement","tier":3,"seq":82,"title":null,"description":"Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-1.1","id_raw":"PR.AC-1.1","tier_raw":"Statement","tier":3,"seq":83,"title":null,"description":"Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-1.2","id_raw":"PR.AC-1.2","tier_raw":"Statement","tier":3,"seq":84,"title":null,"description":"User access authorization is limited to individuals who are appropriately trained and monitored."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-1.3","id_raw":"PR.AC-1.3","tier_raw":"Statement","tier":3,"seq":85,"title":null,"description":"Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, revocation of credentials for users who change roles or leave the organization, etc.)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-2.1","id_raw":"PR.AC-2.1","tier_raw":"Statement","tier":3,"seq":86,"title":null,"description":"The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-3.1","id_raw":"PR.AC-3.1","tier_raw":"Statement","tier":3,"seq":87,"title":null,"description":"Remote access is actively managed and restricted to necessary systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-3.2","id_raw":"PR.AC-3.2","tier_raw":"Statement","tier":3,"seq":88,"title":null,"description":"The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-4.1","id_raw":"PR.AC-4.1","tier_raw":"Statement","tier":3,"seq":89,"title":null,"description":"The organization limits access 
privileges to the minimum necessary."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-4.2","id_raw":"PR.AC-4.2","tier_raw":"Statement","tier":3,"seq":90,"title":null,"description":"The organization institutes strong controls over privileged system access by strictly limiting and closely supervising staff with elevated system access entitlements. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-4.3","id_raw":"PR.AC-4.3","tier_raw":"Statement","tier":3,"seq":91,"title":null,"description":"The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-5.1","id_raw":"PR.AC-5.1","tier_raw":"Statement","tier":3,"seq":92,"title":null,"description":"Networks and systems are segmented to maintain appropriate security."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-5.2","id_raw":"PR.AC-5.2","tier_raw":"Statement","tier":3,"seq":93,"title":null,"description":"The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-6.1","id_raw":"PR.AC-6.1","tier_raw":"Statement","tier":3,"seq":94,"title":null,"description":"The organization authenticates identity and validates the authorization level of a user before granting access to its systems."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-7.1","id_raw":"PR.AC-7.1","tier_raw":"Statement","tier":3,"seq":95,"title":null,"description":"The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on:\n(1) The type of data being accessed (e.g., customer PII, public data);\n(2) The risk of the transaction (e.g., internal-to-internal, external-to-internal);\n(3) The organization's level of trust for the accessing agent (e.g., external application, internal user); and\n(4) The potential for harm."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ac-7.2","id_raw":"PR.AC-7.2","tier_raw":"Statement","tier":3,"seq":96,"title":null,"description":"Based on the risk level of a given transaction, the organization has defined and implemented authentication requirements, such as including implementing multi-factor, out-of-band authentication for high risk transactions."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-1.1","id_raw":"PR.AT-1.1","tier_raw":"Statement","tier":3,"seq":97,"title":null,"description":"All personnel (full-time or part-time; permanent, temporary or contract) receive periodic cybersecurity awareness training, as permitted by law."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-1.2","id_raw":"PR.AT-1.2","tier_raw":"Statement","tier":3,"seq":98,"title":null,"description":"Cybersecurity awareness training includes at a minimum appropriate awareness of and competencies for data protection, detecting and addressing cyber risks, and how to report any unusual activity or incidents. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-1.3","id_raw":"PR.AT-1.3","tier_raw":"Statement","tier":3,"seq":99,"title":null,"description":"Cybersecurity awareness training is updated on a regular basis to reflect risks identified by the organization in its risk assessment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-2.1","id_raw":"PR.AT-2.1","tier_raw":"Statement","tier":3,"seq":100,"title":null,"description":"High-risk groups, such as those with privileged system access or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-2.2","id_raw":"PR.AT-2.2","tier_raw":"Statement","tier":3,"seq":101,"title":null,"description":"Cybersecurity personnel receive training appropriate for their roles and responsibilities in cybersecurity, including situational awareness training sufficient to maintain current knowledge of cyber threats and countermeasures. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-2.3","id_raw":"PR.AT-2.3","tier_raw":"Statement","tier":3,"seq":102,"title":null,"description":"A mechanism is in place to verify that key cybersecurity personnel maintain current knowledge of changing cyber threats and countermeasures. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-3.1","id_raw":"PR.AT-3.1","tier_raw":"Statement","tier":3,"seq":103,"title":null,"description":"The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of their role in cybersecurity, as appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-3.2","id_raw":"PR.AT-3.2","tier_raw":"Statement","tier":3,"seq":104,"title":null,"description":"Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-3.3","id_raw":"PR.AT-3.3","tier_raw":"Statement","tier":3,"seq":105,"title":null,"description":"Cybersecurity training covers topics designed to minimize risks to or from interconnected parties."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-4.1","id_raw":"PR.AT-4.1","tier_raw":"Statement","tier":3,"seq":106,"title":null,"description":"The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: \n(1) Evaluate and manage cyber risks;\n(2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and\n(3) Lead by example."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-4.2","id_raw":"PR.AT-4.2","tier_raw":"Statement","tier":3,"seq":107,"title":null,"description":"Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.at-5.1","id_raw":"PR.AT-5.1","tier_raw":"Statement","tier":3,"seq":108,"title":null,"description":"The individuals who fulfill the organization’s physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-1.1","id_raw":"PR.DS-1.1","tier_raw":"Statement","tier":3,"seq":109,"title":null,"description":"Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-1.2","id_raw":"PR.DS-1.2","tier_raw":"Statement","tier":3,"seq":110,"title":null,"description":"Controls for data-at-rest include, but are not be restricted to, appropriate encryption, authentication and access control. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-2.1","id_raw":"PR.DS-2.1","tier_raw":"Statement","tier":3,"seq":111,"title":null,"description":"Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-2.2","id_raw":"PR.DS-2.2","tier_raw":"Statement","tier":3,"seq":112,"title":null,"description":"Controls for data-in-transit include, but are not be restricted to, appropriate encryption, authentication and access control. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-3.1","id_raw":"PR.DS-3.1","tier_raw":"Statement","tier":3,"seq":113,"title":null,"description":"The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-4.1","id_raw":"PR.DS-4.1","tier_raw":"Statement","tier":3,"seq":114,"title":null,"description":"The organization maintains appropriate system and network availability, consistent with business requirements and risk assessment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-5.1","id_raw":"PR.DS-5.1","tier_raw":"Statement","tier":3,"seq":115,"title":null,"description":"The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-6.1","id_raw":"PR.DS-6.1","tier_raw":"Statement","tier":3,"seq":116,"title":null,"description":"The organization uses integrity checking mechanisms to verify software, firmware and information integrity, as practicable. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-7.1","id_raw":"PR.DS-7.1","tier_raw":"Statement","tier":3,"seq":117,"title":null,"description":"The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ds-8.1","id_raw":"PR.DS-8.1","tier_raw":"Statement","tier":3,"seq":118,"title":null,"description":"The organization uses integrity checking mechanisms to verify hardware integrity, as practicable."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-1.1","id_raw":"PR.IP-1.1","tier_raw":"Statement","tier":3,"seq":119,"title":null,"description":"The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-1.2","id_raw":"PR.IP-1.2","tier_raw":"Statement","tier":3,"seq":120,"title":null,"description":"The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-1.3","id_raw":"PR.IP-1.3","tier_raw":"Statement","tier":3,"seq":121,"title":null,"description":"The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-2.1","id_raw":"PR.IP-2.1","tier_raw":"Statement","tier":3,"seq":122,"title":null,"description":"The organization implements a process for Secure System Development Lifecycle for in-house software design and development."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-2.2","id_raw":"PR.IP-2.2","tier_raw":"Statement","tier":3,"seq":123,"title":null,"description":"The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-2.3","id_raw":"PR.IP-2.3","tier_raw":"Statement","tier":3,"seq":124,"title":null,"description":"The organization assesses the cyber risks of software prior to deployment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-3.1","id_raw":"PR.IP-3.1","tier_raw":"Statement","tier":3,"seq":125,"title":null,"description":"The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-4.1","id_raw":"PR.IP-4.1","tier_raw":"Statement","tier":3,"seq":126,"title":null,"description":"The organization designs and tests its systems and processes to enable recovery of accurate data (e.g., material financial transactions) sufficient to support normal operations and obligations following a cybersecurity incident. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-4.2","id_raw":"PR.IP-4.2","tier_raw":"Statement","tier":3,"seq":127,"title":null,"description":"The organization conducts and maintains backups of information and periodically conduct tests of backups to business assets (including full system recovery) to achieve cyber resilience."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-4.3","id_raw":"PR.IP-4.3","tier_raw":"Statement","tier":3,"seq":128,"title":null,"description":"The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-4.4","id_raw":"PR.IP-4.4","tier_raw":"Statement","tier":3,"seq":129,"title":null,"description":"Recovery point objectives to support data integrity efforts are consistent with the organization's resumption time objective for critical operations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-5.1","id_raw":"PR.IP-5.1","tier_raw":"Statement","tier":3,"seq":130,"title":null,"description":"Physical and environmental security policies are implemented and managed. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-6.1","id_raw":"PR.IP-6.1","tier_raw":"Statement","tier":3,"seq":131,"title":null,"description":"Data is maintained, stored, retained and destroyed according to the organization's data retention policy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-7.1","id_raw":"PR.IP-7.1","tier_raw":"Statement","tier":3,"seq":132,"title":null,"description":"A formal process is in place to improve protection processes by integrating lessons learned and responding to changes in the organization's environment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-8.1","id_raw":"PR.IP-8.1","tier_raw":"Statement","tier":3,"seq":133,"title":null,"description":"The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-9.1","id_raw":"PR.IP-9.1","tier_raw":"Statement","tier":3,"seq":134,"title":null,"description":"The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-9.2","id_raw":"PR.IP-9.2","tier_raw":"Statement","tier":3,"seq":135,"title":null,"description":"The organization defines objectives for resumption of critical operations."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-10.1","id_raw":"PR.IP-10.1","tier_raw":"Statement","tier":3,"seq":136,"title":null,"description":"The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive) that could affect the organization's ability to service clients."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-10.2","id_raw":"PR.IP-10.2","tier_raw":"Statement","tier":3,"seq":137,"title":null,"description":"The organization's testing program validates the effectiveness of its cyber resilience framework on a regular basis."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-10.3","id_raw":"PR.IP-10.3","tier_raw":"Statement","tier":3,"seq":138,"title":null,"description":"The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-10.4","id_raw":"PR.IP-10.4","tier_raw":"Statement","tier":3,"seq":139,"title":null,"description":"The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-11.1","id_raw":"PR.IP-11.1","tier_raw":"Statement","tier":3,"seq":140,"title":null,"description":"The organization conducts background/screening checks on all new employees, as permitted by law."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-11.2","id_raw":"PR.IP-11.2","tier_raw":"Statement","tier":3,"seq":141,"title":null,"description":"The organization conducts background/screening checks on all staff at regular intervals throughout their employment, commensurate with staff’s access to critical systems or a change in role, as permitted by law."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-11.3","id_raw":"PR.IP-11.3","tier_raw":"Statement","tier":3,"seq":142,"title":null,"description":"The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-12.1","id_raw":"PR.IP-12.1","tier_raw":"Statement","tier":3,"seq":143,"title":null,"description":"The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-12.2","id_raw":"PR.IP-12.2","tier_raw":"Statement","tier":3,"seq":144,"title":null,"description":"The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-12.3","id_raw":"PR.IP-12.3","tier_raw":"Statement","tier":3,"seq":145,"title":null,"description":"The organization has a formal exception management process for vulnerabilities that cannot be mitigated due to business-related exceptions."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ip-12.4","id_raw":"PR.IP-12.4","tier_raw":"Statement","tier":3,"seq":146,"title":null,"description":"The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ma-1.1","id_raw":"PR.MA-1.1","tier_raw":"Statement","tier":3,"seq":147,"title":null,"description":"Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.ma-2.1","id_raw":"PR.MA-2.1","tier_raw":"Statement","tier":3,"seq":148,"title":null,"description":"Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-1.1","id_raw":"PR.PT-1.1","tier_raw":"Statement","tier":3,"seq":149,"title":null,"description":"The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-1.2","id_raw":"PR.PT-1.2","tier_raw":"Statement","tier":3,"seq":150,"title":null,"description":"The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-2.1","id_raw":"PR.PT-2.1","tier_raw":"Statement","tier":3,"seq":151,"title":null,"description":"The organization's removable media and mobile devices are protected and use is restricted according to policy."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-3.1","id_raw":"PR.PT-3.1","tier_raw":"Statement","tier":3,"seq":152,"title":null,"description":"The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-4.1","id_raw":"PR.PT-4.1","tier_raw":"Statement","tier":3,"seq":153,"title":null,"description":"The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:pr.pt-5.1","id_raw":"PR.PT-5.1","tier_raw":"Statement","tier":3,"seq":154,"title":null,"description":"The organization implements mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-1.1","id_raw":"DE.AE-1.1","tier_raw":"Statement","tier":3,"seq":155,"title":null,"description":"The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-2.1","id_raw":"DE.AE-2.1","tier_raw":"Statement","tier":3,"seq":156,"title":null,"description":"The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to:\n(1) Assess and understand the nature, scope and method of the attack;\n(2) Predict and block a similar future attack; and\n(3) Report timely risk metrics."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-3.1","id_raw":"DE.AE-3.1","tier_raw":"Statement","tier":3,"seq":157,"title":null,"description":"The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-3.2","id_raw":"DE.AE-3.2","tier_raw":"Statement","tier":3,"seq":158,"title":null,"description":"The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prevent multifaceted cyber attacks."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-4.1","id_raw":"DE.AE-4.1","tier_raw":"Statement","tier":3,"seq":159,"title":null,"description":"The organization has a documented process in place to analyze the impact of a material cybersecurity incident (including the financial impact) on the organization as well as across the financial sector, as appropriate, per organization's size, scope, and complexity and its role in the financial sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.ae-5.1","id_raw":"DE.AE-5.1","tier_raw":"Statement","tier":3,"seq":160,"title":null,"description":"The organization 
establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-1.1","id_raw":"DE.CM-1.1","tier_raw":"Statement","tier":3,"seq":161,"title":null,"description":"The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-1.2","id_raw":"DE.CM-1.2","tier_raw":"Statement","tier":3,"seq":162,"title":null,"description":"The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-1.3","id_raw":"DE.CM-1.3","tier_raw":"Statement","tier":3,"seq":163,"title":null,"description":"The organization deploys an intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-1.4","id_raw":"DE.CM-1.4","tier_raw":"Statement","tier":3,"seq":164,"title":null,"description":"The organization implements mechanisms, such as alerting and filtering sudden high volume and suspicious incoming traffic, to prevent (Distributed) Denial of Services (DoS/DDoS) attacks."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-2.1","id_raw":"DE.CM-2.1","tier_raw":"Statement","tier":3,"seq":165,"title":null,"description":"The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-3.1","id_raw":"DE.CM-3.1","tier_raw":"Statement","tier":3,"seq":166,"title":null,"description":"The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-3.2","id_raw":"DE.CM-3.2","tier_raw":"Statement","tier":3,"seq":167,"title":null,"description":"The organization performs logging and reviewing of the systems activities of privileged users, and monitoring for anomalies is implemented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-3.3","id_raw":"DE.CM-3.3","tier_raw":"Statement","tier":3,"seq":168,"title":null,"description":"The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-4.1","id_raw":"DE.CM-4.1","tier_raw":"Statement","tier":3,"seq":169,"title":null,"description":"The organization implements and manages appropriate tools to detect and block malware from infecting networks and systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-4.2","id_raw":"DE.CM-4.2","tier_raw":"Statement","tier":3,"seq":170,"title":null,"description":"The organization implements email protection mechanisms to automatically scan, detect, and protect from any attached malware or malicious links present in the email."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-5.1","id_raw":"DE.CM-5.1","tier_raw":"Statement","tier":3,"seq":171,"title":null,"description":"The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-6.1","id_raw":"DE.CM-6.1","tier_raw":"Statement","tier":3,"seq":172,"title":null,"description":"The organization authorizes and monitors all third-party connections."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-6.2","id_raw":"DE.CM-6.2","tier_raw":"Statement","tier":3,"seq":173,"title":null,"description":"The organization collaborates with third-party service providers to maintain and improve the security of external connections."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-6.3","id_raw":"DE.CM-6.3","tier_raw":"Statement","tier":3,"seq":174,"title":null,"description":"The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-7.1","id_raw":"DE.CM-7.1","tier_raw":"Statement","tier":3,"seq":175,"title":null,"description":"The organization implements appropriate controls to prevent use of unsupported and unauthorized software. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-7.2","id_raw":"DE.CM-7.2","tier_raw":"Statement","tier":3,"seq":176,"title":null,"description":"The organization has policies, procedures and adequate tools in place to monitor, detect, and block access from/to devices, connections, and data transfers."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-7.3","id_raw":"DE.CM-7.3","tier_raw":"Statement","tier":3,"seq":177,"title":null,"description":"The organization sets up automatic and real-time alerts when an unauthorized software, hardware or configuration change occurs."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-7.4","id_raw":"DE.CM-7.4","tier_raw":"Statement","tier":3,"seq":178,"title":null,"description":"The organization implements web-filtering tools and technology to block access to inappropriate or malicious websites. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-8.1","id_raw":"DE.CM-8.1","tier_raw":"Statement","tier":3,"seq":179,"title":null,"description":"The organization conducts periodic vulnerability scanning, including automated scanning across all environments to identify potential system vulnerabilities, including publicly known vulnerabilities, upgrade opportunities, and new defense layers."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.cm-8.2","id_raw":"DE.CM-8.2","tier_raw":"Statement","tier":3,"seq":180,"title":null,"description":"The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-1.1","id_raw":"DE.DP-1.1","tier_raw":"Statement","tier":3,"seq":181,"title":null,"description":"The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-2.1","id_raw":"DE.DP-2.1","tier_raw":"Statement","tier":3,"seq":182,"title":null,"description":"The organization's monitoring and detection processes comply with all applicable requirements."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-3.1","id_raw":"DE.DP-3.1","tier_raw":"Statement","tier":3,"seq":183,"title":null,"description":"The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-4.1","id_raw":"DE.DP-4.1","tier_raw":"Statement","tier":3,"seq":184,"title":null,"description":"The organization has established processes and protocols to communicate, alert and periodically report detected potential cyber attacks and incident information including its corresponding analysis and cyber threat intelligence to internal and external stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-4.2","id_raw":"DE.DP-4.2","tier_raw":"Statement","tier":3,"seq":185,"title":null,"description":"The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:de.dp-5.1","id_raw":"DE.DP-5.1","tier_raw":"Statement","tier":3,"seq":186,"title":null,"description":"The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as 
incorporate the lessons learned, as the threat landscape evolves."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.rp-1.1","id_raw":"RS.RP-1.1","tier_raw":"Statement","tier":3,"seq":187,"title":null,"description":"The organization's response plans are in place and executed during or after an incident."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-1.1","id_raw":"RS.CO-1.1","tier_raw":"Statement","tier":3,"seq":188,"title":null,"description":"The organization's incident response plan contains clearly defined roles, responsibilities and levels of decision-making authority."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-1.2","id_raw":"RS.CO-1.2","tier_raw":"Statement","tier":3,"seq":189,"title":null,"description":"The organization ensures cyber threat intelligence is made available to appropriate staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-1.3","id_raw":"RS.CO-1.3","tier_raw":"Statement","tier":3,"seq":190,"title":null,"description":"The organization's personnel know their roles and responsibilities and order of operations when a response is needed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-2.1","id_raw":"RS.CO-2.1","tier_raw":"Statement","tier":3,"seq":191,"title":null,"description":"The organization's incident response plan describes how to appropriately document and report cyber events and related incident response activities."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-2.2","id_raw":"RS.CO-2.2","tier_raw":"Statement","tier":3,"seq":192,"title":null,"description":"In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-2.3","id_raw":"RS.CO-2.3","tier_raw":"Statement","tier":3,"seq":193,"title":null,"description":"The organization's incident response program includes effective escalation protocols linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's appropriate governing authority and senior management), and how information provided to the organization will be acted upon."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-2.4","id_raw":"RS.CO-2.4","tier_raw":"Statement","tier":3,"seq":194,"title":null,"description":"The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-3.1","id_raw":"RS.CO-3.1","tier_raw":"Statement","tier":3,"seq":195,"title":null,"description":"Information is shared consistent with response plans. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-3.2","id_raw":"RS.CO-3.2","tier_raw":"Statement","tier":3,"seq":196,"title":null,"description":"In the event of a cybersecurity incident, the organization shares information in an appropriate manner that could facilitate the detection, response, resumption and recovery of its own systems and those of other financial sector participants through trusted channels."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-4.1","id_raw":"RS.CO-4.1","tier_raw":"Statement","tier":3,"seq":197,"title":null,"description":"The organization has a plan to coordinate and communicate with internal and external stakeholders during or following a cyber attack as appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-5.1","id_raw":"RS.CO-5.1","tier_raw":"Statement","tier":3,"seq":198,"title":null,"description":"The organization actively participates in multilateral information-sharing arrangements to facilitate a sector-wide response to large-scale incidents."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-5.2","id_raw":"RS.CO-5.2","tier_raw":"Statement","tier":3,"seq":199,"title":null,"description":"The organization shares information on its cyber resilience framework bilaterally with trusted external stakeholders to promote understanding of each other’s approach to securing systems that are linked or interfaced."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.co-5.3","id_raw":"RS.CO-5.3","tier_raw":"Statement","tier":3,"seq":200,"title":null,"description":"The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-1.1","id_raw":"RS.AN-1.1","tier_raw":"Statement","tier":3,"seq":201,"title":null,"description":"Tools and processes are in place to ensure timely detection, alert, and activation 
of the incident response program."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-2.1","id_raw":"RS.AN-2.1","tier_raw":"Statement","tier":3,"seq":202,"title":null,"description":"The organization uses cyber-attack scenarios to determine potential impact to critical business processes."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-2.2","id_raw":"RS.AN-2.2","tier_raw":"Statement","tier":3,"seq":203,"title":null,"description":"The organization performs a thorough investigation to determine the nature of a cyber event, its extent, and the damage inflicted."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-3.1","id_raw":"RS.AN-3.1","tier_raw":"Statement","tier":3,"seq":204,"title":null,"description":"The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-4.1","id_raw":"RS.AN-4.1","tier_raw":"Statement","tier":3,"seq":205,"title":null,"description":"The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems to the enterprise."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-5.1","id_raw":"RS.AN-5.1","tier_raw":"Statement","tier":3,"seq":206,"title":null,"description":"The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from:\n(1) Public sources (e.g., security researchers);\n(2) Vulnerability sharing forums (e.g., FS-ISAC); and\n(3) Third-parties (e.g., cloud vendors);\n(4) Internal sources (e.g., development teams)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-5.2","id_raw":"RS.AN-5.2","tier_raw":"Statement","tier":3,"seq":207,"title":null,"description":"The organization has established enterprise processes to analyze disclosed 
vulnerabilities with a focus on:\n(1) Determining its validity;\n(2) Aassessing its scope (e.g., affected assets);\n(3) Determining it's severity and impact;\n(4) Identifying affected stakeholders or customers; and\n(5) Analyzing options to respond."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.an-5.3","id_raw":"RS.AN-5.3","tier_raw":"Statement","tier":3,"seq":208,"title":null,"description":"The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-1.1","id_raw":"RS.MI-1.1","tier_raw":"Statement","tier":3,"seq":209,"title":null,"description":"The organization contains cybersecurity incidents in a timely manner. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-1.2","id_raw":"RS.MI-1.2","tier_raw":"Statement","tier":3,"seq":210,"title":null,"description":"The organization's procedures include containment strategies and notifying potentially impacted third-parties, as appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-2.1","id_raw":"RS.MI-2.1","tier_raw":"Statement","tier":3,"seq":211,"title":null,"description":"The organization mitigates cybersecurity incidents in a timely manner. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-3.1","id_raw":"RS.MI-3.1","tier_raw":"Statement","tier":3,"seq":212,"title":null,"description":"The organization's incident response plan identifies requirements for the remediation of any identified weaknesses in systems and associated controls."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.mi-3.2","id_raw":"RS.MI-3.2","tier_raw":"Statement","tier":3,"seq":213,"title":null,"description":"Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-1.1","id_raw":"RS.IM-1.1","tier_raw":"Statement","tier":3,"seq":214,"title":null,"description":"The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-1.2","id_raw":"RS.IM-1.2","tier_raw":"Statement","tier":3,"seq":215,"title":null,"description":"The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-1.3","id_raw":"RS.IM-1.3","tier_raw":"Statement","tier":3,"seq":216,"title":null,"description":"The organization's cyber resilience and incident response programs have processes in place to incorporate lessons learned from cyber events that have occurred within and outside the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rs.im-2.1","id_raw":"RS.IM-2.1","tier_raw":"Statement","tier":3,"seq":217,"title":null,"description":"The organization periodically reviews response strategy and exercises and updates them as necessary, based on:\n(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);\n(2) Current cyber 
threat intelligence (both internal and external sources);\n(3) Recent and wide-scale cyber attack scenarios;\n(4) Operationally and technically plausible future cyber attacks; and\n(5) New technological developments."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.1","id_raw":"RC.RP-1.1","tier_raw":"Statement","tier":3,"seq":218,"title":null,"description":"The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.2","id_raw":"RC.RP-1.2","tier_raw":"Statement","tier":3,"seq":219,"title":null,"description":"Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.3","id_raw":"RC.RP-1.3","tier_raw":"Statement","tier":3,"seq":220,"title":null,"description":"The recovery plan includes a minimum recovery time for the sector critical systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.4","id_raw":"RC.RP-1.4","tier_raw":"Statement","tier":3,"seq":221,"title":null,"description":"The recovery plan includes recovery of clearing and settlement activities after a wide-scale disruption with the overall goal of completing material pending transactions on the scheduled settlement date."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.5","id_raw":"RC.RP-1.5","tier_raw":"Statement","tier":3,"seq":222,"title":null,"description":"The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.rp-1.6","id_raw":"RC.RP-1.6","tier_raw":"Statement","tier":3,"seq":223,"title":null,"description":"The recovery plan includes plans to come back for both traditional and highly available (e.g., cloud) infrastructure."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.im-1.1","id_raw":"RC.IM-1.1","tier_raw":"Statement","tier":3,"seq":224,"title":null,"description":"The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from:\n(1) cybersecurity incidents that have occurred within the organization;\n(2) Cybersecurity assessments and testing performed internally; and\n(3) Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.im-2.1","id_raw":"RC.IM-2.1","tier_raw":"Statement","tier":3,"seq":225,"title":null,"description":"The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on: \n(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);\n(2) Current cyber threat intelligence (both internal and external sources);\n(3) Recent and wide-scale cyber attack scenarios;\n(4) Operationally and technically plausible future cyber attacks; and\n(5) New technological developments."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-1.1","id_raw":"RC.CO-1.1","tier_raw":"Statement","tier":3,"seq":226,"title":null,"description":"The organization's governing body (e.g., the Board or one of its committees) ensures that a communication plan exists to notify internal and external stakeholders about an incident, as appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-1.2","id_raw":"RC.CO-1.2","tier_raw":"Statement","tier":3,"seq":227,"title":null,"description":"The 
organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-2.1","id_raw":"RC.CO-2.1","tier_raw":"Statement","tier":3,"seq":228,"title":null,"description":"Actionable and effective mitigation techniques are taken and communicated appropriately to restore and improve the organization's reputation after an incident."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:rc.co-3.1","id_raw":"RC.CO-3.1","tier_raw":"Statement","tier":3,"seq":229,"title":null,"description":"The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the appropriate governing body (e.g., the Board or one of its committees), senior management and relevant internal stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-1.1","id_raw":"DM.ID-1.1","tier_raw":"Statement","tier":3,"seq":230,"title":null,"description":"The organization has integrated its internal dependency management strategy into the overall strategic risk management plan."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-1.2","id_raw":"DM.ID-1.2","tier_raw":"Statement","tier":3,"seq":231,"title":null,"description":"The organization monitors the effectiveness of its internal dependency management strategy."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-1.3","id_raw":"DM.ID-1.3","tier_raw":"Statement","tier":3,"seq":232,"title":null,"description":"The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-1.4","id_raw":"DM.ID-1.4","tier_raw":"Statement","tier":3,"seq":233,"title":null,"description":"The organization has established and applies appropriate controls to address the inherent risk of internal dependencies."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.id-2.1","id_raw":"DM.ID-2.1","tier_raw":"Statement","tier":3,"seq":234,"title":null,"description":"Roles and responsibilities for internal dependency management are defined and assigned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-1.1","id_raw":"DM.ED-1.1","tier_raw":"Statement","tier":3,"seq":235,"title":null,"description":"The organization has integrated its external dependency management strategy into the overall cyber risk management plan."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-1.2","id_raw":"DM.ED-1.2","tier_raw":"Statement","tier":3,"seq":236,"title":null,"description":"The organization monitors the effectiveness of its external dependency management strategy to reduce cyber risks associated with external dependencies."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-1.3","id_raw":"DM.ED-1.3","tier_raw":"Statement","tier":3,"seq":237,"title":null,"description":"The organization ensures appropriate oversight and compliance with the external dependency strategy implementation."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2.1","id_raw":"DM.ED-2.1","tier_raw":"Statement","tier":3,"seq":238,"title":null,"description":"The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2.2","id_raw":"DM.ED-2.2","tier_raw":"Statement","tier":3,"seq":239,"title":null,"description":"The organization's dependency management policies, plans, and procedures are regularly updated."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2.3","id_raw":"DM.ED-2.3","tier_raw":"Statement","tier":3,"seq":240,"title":null,"description":"The organization's dependency management policies, 
plans, and procedures have been reviewed and approved by appropriate organizational stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2.4","id_raw":"DM.ED-2.4","tier_raw":"Statement","tier":3,"seq":241,"title":null,"description":"Dependency management processes may allow the organization to the adopt security program(s) of its affiliate(s) as long as such program provides an appropriate level of control and assurance."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-2.5","id_raw":"DM.ED-2.5","tier_raw":"Statement","tier":3,"seq":242,"title":null,"description":"The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-3.1","id_raw":"DM.ED-3.1","tier_raw":"Statement","tier":3,"seq":243,"title":null,"description":"Roles and responsibilities for external dependency management are defined and assigned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-3.2","id_raw":"DM.ED-3.2","tier_raw":"Statement","tier":3,"seq":244,"title":null,"description":"Responsibilities for ongoing independent oversight (external) of third-party access are defined and assigned."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4.1","id_raw":"DM.ED-4.1","tier_raw":"Statement","tier":3,"seq":245,"title":null,"description":"The organization ensures that cyber risks associated with external dependencies are consistent with cyber risk appetite approved by an appropriate governing body (e.g., the Board or one of its committees)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4.2","id_raw":"DM.ED-4.2","tier_raw":"Statement","tier":3,"seq":246,"title":null,"description":"The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and 
the sector, if appropriate."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4.3","id_raw":"DM.ED-4.3","tier_raw":"Statement","tier":3,"seq":247,"title":null,"description":"The organization conducts a risk assessment to define appropriate controls to address the cyber risk presented by each external partner, implements these controls, and monitors their status throughout the lifecycle of partner relationships."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4.4","id_raw":"DM.ED-4.4","tier_raw":"Statement","tier":3,"seq":248,"title":null,"description":"The organization has a documented third-party termination/exit strategy to include procedures for timely removal of the third-party access when no longer required."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-4.5","id_raw":"DM.ED-4.5","tier_raw":"Statement","tier":3,"seq":249,"title":null,"description":"The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-5.1","id_raw":"DM.ED-5.1","tier_raw":"Statement","tier":3,"seq":250,"title":null,"description":"The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-5.2","id_raw":"DM.ED-5.2","tier_raw":"Statement","tier":3,"seq":251,"title":null,"description":"The organization maintains a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-5.3","id_raw":"DM.ED-5.3","tier_raw":"Statement","tier":3,"seq":252,"title":null,"description":"The organization has prioritized functions, activities, products, and services provided by external dependencies based on criticality."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-5.4","id_raw":"DM.ED-5.4","tier_raw":"Statement","tier":3,"seq":253,"title":null,"description":"The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.1","id_raw":"DM.ED-6.1","tier_raw":"Statement","tier":3,"seq":254,"title":null,"description":"The organization has documented minimum cybersecurity requirements for critical third-parties that, at a minimum, meet cybersecurity practices of the organization."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.2","id_raw":"DM.ED-6.2","tier_raw":"Statement","tier":3,"seq":255,"title":null,"description":"The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.3","id_raw":"DM.ED-6.3","tier_raw":"Statement","tier":3,"seq":256,"title":null,"description":"Minimum cybersecurity requirements for third-parties include how the organization will monitor security of its external dependencies to ensure that requirements are continually satisfied."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.4","id_raw":"DM.ED-6.4","tier_raw":"Statement","tier":3,"seq":257,"title":null,"description":"Minimum cybersecurity requirements for third-parties include consideration of whether the third-party is responsible for the security of the organization's confidential data and of geographic limits on 
where data can be stored and transmitted."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.5","id_raw":"DM.ED-6.5","tier_raw":"Statement","tier":3,"seq":258,"title":null,"description":"Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including:\n1) Joint maintenance of contingency plans;\n2) Responsibilities for responding to cybersecurity incident; \n3) Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and\n4) Incorporating potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.6","id_raw":"DM.ED-6.6","tier_raw":"Statement","tier":3,"seq":259,"title":null,"description":"Minimum cybersecurity requirements for third-parties identify conditions of and the recourse available to the organization should the third-party fail to meet their cybersecurity requirements. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-6.7","id_raw":"DM.ED-6.7","tier_raw":"Statement","tier":3,"seq":260,"title":null,"description":"Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, including return or destruction of data during cloud or virtualization use and upon relationship termination."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-7.1","id_raw":"DM.ED-7.1","tier_raw":"Statement","tier":3,"seq":261,"title":null,"description":"The organization has a formal program for third-party due diligence and monitoring."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-7.2","id_raw":"DM.ED-7.2","tier_raw":"Statement","tier":3,"seq":262,"title":null,"description":"The organization conducts regular third-party reviews for critical vendors to validate that appropriate security controls have been implemented."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-7.3","id_raw":"DM.ED-7.3","tier_raw":"Statement","tier":3,"seq":263,"title":null,"description":"A process is in place to confirm that the organization's third-party service providers conduct due diligence of their own third-parties (e.g., subcontractors)."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.ed-7.4","id_raw":"DM.ED-7.4","tier_raw":"Statement","tier":3,"seq":264,"title":null,"description":"A process is in place to confirm that the organization's third-party service providers conduct periodic resiliency testing or justify why it is not needed."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-1.1","id_raw":"DM.RS-1.1","tier_raw":"Statement","tier":3,"seq":265,"title":null,"description":"The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program."} 
+{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-1.2","id_raw":"DM.RS-1.2","tier_raw":"Statement","tier":3,"seq":266,"title":null,"description":"The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-1.3","id_raw":"DM.RS-1.3","tier_raw":"Statement","tier":3,"seq":267,"title":null,"description":"The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2.1","id_raw":"DM.RS-2.1","tier_raw":"Statement","tier":3,"seq":268,"title":null,"description":"The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2.2","id_raw":"DM.RS-2.2","tier_raw":"Statement","tier":3,"seq":269,"title":null,"description":"The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on multiple elements of interconnected critical infrastructure, such as energy and telecommunications. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2.3","id_raw":"DM.RS-2.3","tier_raw":"Statement","tier":3,"seq":270,"title":null,"description":"The organization designs and tests its cyber resilience plans, and exercises to support financial sector's sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2.4","id_raw":"DM.RS-2.4","tier_raw":"Statement","tier":3,"seq":271,"title":null,"description":"The organization periodically identifies and tests alternative solutions in case an external partner fails to perform as expected. "} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.rs-2.5","id_raw":"DM.RS-2.5","tier_raw":"Statement","tier":3,"seq":272,"title":null,"description":"When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-1.1","id_raw":"DM.BE-1.1","tier_raw":"Statement","tier":3,"seq":273,"title":null,"description":"The cyber risk strategy identifies and communicates the organization's role as it relates to other critical infrastructures and as a component of the financial services sector. 
"} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-1.2","id_raw":"DM.BE-1.2","tier_raw":"Statement","tier":3,"seq":274,"title":null,"description":"A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-2.1","id_raw":"DM.BE-2.1","tier_raw":"Statement","tier":3,"seq":275,"title":null,"description":"The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-2.2","id_raw":"DM.BE-2.2","tier_raw":"Statement","tier":3,"seq":276,"title":null,"description":"The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector."} +{"source":"fsscc_profile_v1.0","id":"fsscc_profile_v1.0:dm.be-3.1","id_raw":"DM.BE-3.1","tier_raw":"Statement","tier":3,"seq":277,"title":null,"description":"Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1","id_raw":"D1","tier_raw":"Domain","tier":0,"seq":1,"title":"Cyber Risk Management & Oversight","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2","id_raw":"D2","tier_raw":"Domain","tier":0,"seq":2,"title":"Threat Intelligence & Collaboration","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3","id_raw":"D3","tier_raw":"Domain","tier":0,"seq":3,"title":"Cybersecurity Controls","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4","id_raw":"D4","tier_raw":"Domain","tier":0,"seq":4,"title":"External Dependency Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5","id_raw":"D5","tier_raw":"Domain","tier":0,"seq":5,"title":"Cyber Incident Management and Resilience","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g","id_raw":"D1.G","tier_raw":"Factor","tier":1,"seq":1,"title":"Governance","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm","id_raw":"D1.RM","tier_raw":"Factor","tier":1,"seq":2,"title":"Risk Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r","id_raw":"D1.R","tier_raw":"Factor","tier":1,"seq":3,"title":"Resources","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc","id_raw":"D1.TC","tier_raw":"Factor","tier":1,"seq":4,"title":"Training & Culture","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti","id_raw":"D2.TI","tier_raw":"Factor","tier":1,"seq":5,"title":"Threat Intelligence","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma","id_raw":"D2.MA","tier_raw":"Factor","tier":1,"seq":6,"title":"Monitoring & Analyzing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is","id_raw":"D2.IS","tier_raw":"Factor","tier":1,"seq":7,"title":"Information Sharing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc","id_raw":"D3.PC","tier_raw":"Factor","tier":1,"seq":8,"title":"Preventative Controls","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc","id_raw":"D3.DC","tier_raw":"Factor","tier":1,"seq":9,"title":"Detective Controls","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc","id_raw":"D3.CC","tier_raw":"Factor","tier":1,"seq":10,"title":"Corrective 
Controls","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c","id_raw":"D4.C","tier_raw":"Factor","tier":1,"seq":11,"title":"Connections","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm","id_raw":"D4.RM","tier_raw":"Factor","tier":1,"seq":12,"title":"Relationship Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir","id_raw":"D5.IR","tier_raw":"Factor","tier":1,"seq":13,"title":"Incident Resilience Planning and Strategy","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr","id_raw":"D5.DR","tier_raw":"Factor","tier":1,"seq":14,"title":"Detection, Response, and Mitigation","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er","id_raw":"D5.ER","tier_raw":"Factor","tier":1,"seq":15,"title":"Escalation and Reporting","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov","id_raw":"D1.G.Ov","tier_raw":"Component","tier":2,"seq":1,"title":"Oversight","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp","id_raw":"D1.G.SP","tier_raw":"Component","tier":2,"seq":2,"title":"Strategy / Policies","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it","id_raw":"D1.G.IT","tier_raw":"Component","tier":2,"seq":3,"title":"IT Asset Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp","id_raw":"D1.RM.RMP","tier_raw":"Component","tier":2,"seq":4,"title":"Risk Management Program","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra","id_raw":"D1.RM.RA","tier_raw":"Component","tier":2,"seq":5,"title":"Risk Assessment","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au","id_raw":"D1.RM.Au","tier_raw":"Component","tier":2,"seq":6,"title":"Audit","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st","id_raw":"D1.R.St","tier_raw":"Component","tier":2,"seq":7,"title":"Staffing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr","id_raw":"D1.TC.Tr","tier_raw":"Component","tier":2,"seq":8,"title":"Training","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu","id_raw":"D1.TC.Cu","tier_raw":"Component","tier":2,"seq":9,"title":"Culture","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti","id_raw":"D2.TI.Ti","tier_raw":"Component","tier":2,"seq":10,"title":"Threat Intelligence and Information","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma","id_raw":"D2.MA.Ma","tier_raw":"Component","tier":2,"seq":11,"title":"Monitoring and Analyzing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is","id_raw":"D2.IS.Is","tier_raw":"Component","tier":2,"seq":12,"title":"Information Sharing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im","id_raw":"D3.PC.Im","tier_raw":"Component","tier":2,"seq":13,"title":"Infrastructure Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am","id_raw":"D3.PC.Am","tier_raw":"Component","tier":2,"seq":14,"title":"Access and Data Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de","id_raw":"D3.PC.De","tier_raw":"Component","tier":2,"seq":15,"title":"Device / End-Point Security","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se","id_raw":"D3.PC.Se","tier_raw":"Component","tier":2,"seq":16,"title":"Secure Coding","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th","id_raw":"D3.DC.Th","tier_raw":"Component","tier":2,"seq":17,"title":"Threat and Vulnerability Detection","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an","id_raw":"D3.DC.An","tier_raw":"Component","tier":2,"seq":18,"title":"Anomalous Activity Detection","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev","id_raw":"D3.DC.Ev","tier_raw":"Component","tier":2,"seq":19,"title":"Event Detection","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa","id_raw":"D3.CC.Pa","tier_raw":"Component","tier":2,"seq":20,"title":"Patch Management","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re","id_raw":"D3.CC.Re","tier_raw":"Component","tier":2,"seq":21,"title":"Remediation","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co","id_raw":"D4.C.Co","tier_raw":"Component","tier":2,"seq":22,"title":"Connections","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd","id_raw":"D4.RM.Dd","tier_raw":"Component","tier":2,"seq":23,"title":"Due Diligence","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co","id_raw":"D4.RM.Co","tier_raw":"Component","tier":2,"seq":24,"title":"Contracts","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om","id_raw":"D4.RM.Om","tier_raw":"Component","tier":2,"seq":25,"title":"Ongoing Monitoring","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl","id_raw":"D5.IR.Pl","tier_raw":"Component","tier":2,"seq":26,"title":"Planning","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te","id_raw":"D5.IR.Te","tier_raw":"Component","tier":2,"seq":27,"title":"Testing","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de","id_raw":"D5.DR.De","tier_raw":"Component","tier":2,"seq":28,"title":"Detection","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re","id_raw":"D5.DR.Re","tier_raw":"Component","tier":2,"seq":29,"title":"Response and Mitigation","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es","id_raw":"D5.ER.Es","tier_raw":"Component","tier":2,"seq":30,"title":"Escalation and Reporting","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b","id_raw":"D1.G.Ov.B","tier_raw":"Maturity Level","tier":3,"seq":1,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.e","id_raw":"D1.G.Ov.E","tier_raw":"Maturity Level","tier":3,"seq":2,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int","id_raw":"D1.G.Ov.Int","tier_raw":"Maturity Level","tier":3,"seq":3,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a","id_raw":"D1.G.Ov.A","tier_raw":"Maturity Level","tier":3,"seq":4,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.inn","id_raw":"D1.G.Ov.Inn","tier_raw":"Maturity Level","tier":3,"seq":5,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b","id_raw":"D1.G.SP.B","tier_raw":"Maturity Level","tier":3,"seq":6,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.e","id_raw":"D1.G.SP.E","tier_raw":"Maturity Level","tier":3,"seq":7,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int","id_raw":"D1.G.SP.Int","tier_raw":"Maturity Level","tier":3,"seq":8,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a","id_raw":"D1.G.SP.A","tier_raw":"Maturity Level","tier":3,"seq":9,"title":"Advanced","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.inn","id_raw":"D1.G.SP.Inn","tier_raw":"Maturity Level","tier":3,"seq":10,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.b","id_raw":"D1.G.IT.B","tier_raw":"Maturity Level","tier":3,"seq":11,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.e","id_raw":"D1.G.IT.E","tier_raw":"Maturity Level","tier":3,"seq":12,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.int","id_raw":"D1.G.IT.Int","tier_raw":"Maturity Level","tier":3,"seq":13,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.a","id_raw":"D1.G.IT.A","tier_raw":"Maturity Level","tier":3,"seq":14,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.inn","id_raw":"D1.G.IT.Inn","tier_raw":"Maturity Level","tier":3,"seq":15,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.b","id_raw":"D1.RM.RMP.B","tier_raw":"Maturity Level","tier":3,"seq":16,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.e","id_raw":"D1.RM.RMP.E","tier_raw":"Maturity Level","tier":3,"seq":17,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int","id_raw":"D1.RM.RMP.Int","tier_raw":"Maturity Level","tier":3,"seq":18,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a","id_raw":"D1.RM.RMP.A","tier_raw":"Maturity Level","tier":3,"seq":19,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.inn","id_raw":"D1.RM.RMP.Inn","tier_raw":"Maturity Level","tier":3,"seq":20,"title":"Innovative","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.b","id_raw":"D1.RM.RA.B","tier_raw":"Maturity Level","tier":3,"seq":21,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.e","id_raw":"D1.RM.RA.E","tier_raw":"Maturity Level","tier":3,"seq":22,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.int","id_raw":"D1.RM.RA.Int","tier_raw":"Maturity Level","tier":3,"seq":23,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.a","id_raw":"D1.RM.RA.A","tier_raw":"Maturity Level","tier":3,"seq":24,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.inn","id_raw":"D1.RM.RA.Inn","tier_raw":"Maturity Level","tier":3,"seq":25,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.b","id_raw":"D1.RM.Au.B","tier_raw":"Maturity Level","tier":3,"seq":26,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e","id_raw":"D1.RM.Au.E","tier_raw":"Maturity Level","tier":3,"seq":27,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.int","id_raw":"D1.RM.Au.Int","tier_raw":"Maturity Level","tier":3,"seq":28,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.a","id_raw":"D1.RM.Au.A","tier_raw":"Maturity Level","tier":3,"seq":29,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.inn","id_raw":"D1.RM.Au.Inn","tier_raw":"Maturity Level","tier":3,"seq":30,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.b","id_raw":"D1.R.St.B","tier_raw":"Maturity Level","tier":3,"seq":31,"title":"Baseline","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.e","id_raw":"D1.R.St.E","tier_raw":"Maturity Level","tier":3,"seq":32,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.int","id_raw":"D1.R.St.Int","tier_raw":"Maturity Level","tier":3,"seq":33,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.a","id_raw":"D1.R.St.A","tier_raw":"Maturity Level","tier":3,"seq":34,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.inn","id_raw":"D1.R.St.Inn","tier_raw":"Maturity Level","tier":3,"seq":35,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.b","id_raw":"D1.TC.Tr.B","tier_raw":"Maturity Level","tier":3,"seq":36,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e","id_raw":"D1.TC.Tr.E","tier_raw":"Maturity Level","tier":3,"seq":37,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.int","id_raw":"D1.TC.Tr.Int","tier_raw":"Maturity Level","tier":3,"seq":38,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.a","id_raw":"D1.TC.Tr.A","tier_raw":"Maturity Level","tier":3,"seq":39,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.inn","id_raw":"D1.TC.Tr.Inn","tier_raw":"Maturity Level","tier":3,"seq":40,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.b","id_raw":"D1.TC.Cu.B","tier_raw":"Maturity Level","tier":3,"seq":41,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.e","id_raw":"D1.TC.Cu.E","tier_raw":"Maturity Level","tier":3,"seq":42,"title":"Evolving","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.int","id_raw":"D1.TC.Cu.Int","tier_raw":"Maturity Level","tier":3,"seq":43,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.a","id_raw":"D1.TC.Cu.A","tier_raw":"Maturity Level","tier":3,"seq":44,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.inn","id_raw":"D1.TC.Cu.Inn","tier_raw":"Maturity Level","tier":3,"seq":45,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.b","id_raw":"D2.TI.Ti.B","tier_raw":"Maturity Level","tier":3,"seq":46,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.e","id_raw":"D2.TI.Ti.E","tier_raw":"Maturity Level","tier":3,"seq":47,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.int","id_raw":"D2.TI.Ti.Int","tier_raw":"Maturity Level","tier":3,"seq":48,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.a","id_raw":"D2.TI.Ti.A","tier_raw":"Maturity Level","tier":3,"seq":49,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.inn","id_raw":"D2.TI.Ti.Inn","tier_raw":"Maturity Level","tier":3,"seq":50,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.b","id_raw":"D2.MA.Ma.B","tier_raw":"Maturity Level","tier":3,"seq":51,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.e","id_raw":"D2.MA.Ma.E","tier_raw":"Maturity Level","tier":3,"seq":52,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.int","id_raw":"D2.MA.Ma.Int","tier_raw":"Maturity Level","tier":3,"seq":53,"title":"Intermediate","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a","id_raw":"D2.MA.Ma.A","tier_raw":"Maturity Level","tier":3,"seq":54,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.inn","id_raw":"D2.MA.Ma.Inn","tier_raw":"Maturity Level","tier":3,"seq":55,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.b","id_raw":"D2.IS.Is.B","tier_raw":"Maturity Level","tier":3,"seq":56,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.e","id_raw":"D2.IS.Is.E","tier_raw":"Maturity Level","tier":3,"seq":57,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.int","id_raw":"D2.IS.Is.Int","tier_raw":"Maturity Level","tier":3,"seq":58,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.a","id_raw":"D2.IS.Is.A","tier_raw":"Maturity Level","tier":3,"seq":59,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.inn","id_raw":"D2.IS.Is.Inn","tier_raw":"Maturity Level","tier":3,"seq":60,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b","id_raw":"D3.PC.Im.B","tier_raw":"Maturity Level","tier":3,"seq":61,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e","id_raw":"D3.PC.Im.E","tier_raw":"Maturity Level","tier":3,"seq":62,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int","id_raw":"D3.PC.Im.Int","tier_raw":"Maturity Level","tier":3,"seq":63,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.a","id_raw":"D3.PC.Im.A","tier_raw":"Maturity Level","tier":3,"seq":64,"title":"Advanced","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.inn","id_raw":"D3.PC.Im.Inn","tier_raw":"Maturity Level","tier":3,"seq":65,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b","id_raw":"D3.PC.Am.B","tier_raw":"Maturity Level","tier":3,"seq":66,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e","id_raw":"D3.PC.Am.E","tier_raw":"Maturity Level","tier":3,"seq":67,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int","id_raw":"D3.PC.Am.Int","tier_raw":"Maturity Level","tier":3,"seq":68,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.a","id_raw":"D3.PC.Am.A","tier_raw":"Maturity Level","tier":3,"seq":69,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn","id_raw":"D3.PC.Am.Inn","tier_raw":"Maturity Level","tier":3,"seq":70,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.b","id_raw":"D3.PC.De.B","tier_raw":"Maturity Level","tier":3,"seq":71,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e","id_raw":"D3.PC.De.E","tier_raw":"Maturity Level","tier":3,"seq":72,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.int","id_raw":"D3.PC.De.Int","tier_raw":"Maturity Level","tier":3,"seq":73,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.a","id_raw":"D3.PC.De.A","tier_raw":"Maturity Level","tier":3,"seq":74,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.inn","id_raw":"D3.PC.De.Inn","tier_raw":"Maturity Level","tier":3,"seq":75,"title":"Innovative","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.b","id_raw":"D3.PC.Se.B","tier_raw":"Maturity Level","tier":3,"seq":76,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.e","id_raw":"D3.PC.Se.E","tier_raw":"Maturity Level","tier":3,"seq":77,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.int","id_raw":"D3.PC.Se.Int","tier_raw":"Maturity Level","tier":3,"seq":78,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.a","id_raw":"D3.PC.Se.A","tier_raw":"Maturity Level","tier":3,"seq":79,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.inn","id_raw":"D3.PC.Se.Inn","tier_raw":"Maturity Level","tier":3,"seq":80,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.b","id_raw":"D3.DC.Th.B","tier_raw":"Maturity Level","tier":3,"seq":81,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e","id_raw":"D3.DC.Th.E","tier_raw":"Maturity Level","tier":3,"seq":82,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.int","id_raw":"D3.DC.Th.Int","tier_raw":"Maturity Level","tier":3,"seq":83,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.a","id_raw":"D3.DC.Th.A","tier_raw":"Maturity Level","tier":3,"seq":84,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.inn","id_raw":"D3.DC.Th.Inn","tier_raw":"Maturity Level","tier":3,"seq":85,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b","id_raw":"D3.DC.An.B","tier_raw":"Maturity Level","tier":3,"seq":86,"title":"Baseline","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.e","id_raw":"D3.DC.An.E","tier_raw":"Maturity Level","tier":3,"seq":87,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int","id_raw":"D3.DC.An.Int","tier_raw":"Maturity Level","tier":3,"seq":88,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a","id_raw":"D3.DC.An.A","tier_raw":"Maturity Level","tier":3,"seq":89,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.inn","id_raw":"D3.DC.An.Inn","tier_raw":"Maturity Level","tier":3,"seq":90,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b","id_raw":"D3.DC.Ev.B","tier_raw":"Maturity Level","tier":3,"seq":91,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.e","id_raw":"D3.DC.Ev.E","tier_raw":"Maturity Level","tier":3,"seq":92,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.int","id_raw":"D3.DC.Ev.Int","tier_raw":"Maturity Level","tier":3,"seq":93,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.a","id_raw":"D3.DC.Ev.A","tier_raw":"Maturity Level","tier":3,"seq":94,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.inn","id_raw":"D3.DC.Ev.Inn","tier_raw":"Maturity Level","tier":3,"seq":95,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.b","id_raw":"D3.CC.Pa.B","tier_raw":"Maturity Level","tier":3,"seq":96,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e","id_raw":"D3.CC.Pa.E","tier_raw":"Maturity Level","tier":3,"seq":97,"title":"Evolving","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.int","id_raw":"D3.CC.Pa.Int","tier_raw":"Maturity Level","tier":3,"seq":98,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.a","id_raw":"D3.CC.Pa.A","tier_raw":"Maturity Level","tier":3,"seq":99,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.inn","id_raw":"D3.CC.Pa.Inn","tier_raw":"Maturity Level","tier":3,"seq":100,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.b","id_raw":"D3.CC.Re.B","tier_raw":"Maturity Level","tier":3,"seq":101,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.e","id_raw":"D3.CC.Re.E","tier_raw":"Maturity Level","tier":3,"seq":102,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int","id_raw":"D3.CC.Re.Int","tier_raw":"Maturity Level","tier":3,"seq":103,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.a","id_raw":"D3.CC.Re.A","tier_raw":"Maturity Level","tier":3,"seq":104,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.inn","id_raw":"D3.CC.Re.Inn","tier_raw":"Maturity Level","tier":3,"seq":105,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.b","id_raw":"D4.C.Co.B","tier_raw":"Maturity Level","tier":3,"seq":106,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.e","id_raw":"D4.C.Co.E","tier_raw":"Maturity Level","tier":3,"seq":107,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.int","id_raw":"D4.C.Co.Int","tier_raw":"Maturity Level","tier":3,"seq":108,"title":"Intermediate","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.a","id_raw":"D4.C.Co.A","tier_raw":"Maturity Level","tier":3,"seq":109,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.inn","id_raw":"D4.C.Co.Inn","tier_raw":"Maturity Level","tier":3,"seq":110,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.b","id_raw":"D4.RM.Dd.B","tier_raw":"Maturity Level","tier":3,"seq":111,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.e","id_raw":"D4.RM.Dd.E","tier_raw":"Maturity Level","tier":3,"seq":112,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.int","id_raw":"D4.RM.Dd.Int","tier_raw":"Maturity Level","tier":3,"seq":113,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.a","id_raw":"D4.RM.Dd.A","tier_raw":"Maturity Level","tier":3,"seq":114,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.inn","id_raw":"D4.RM.Dd.Inn","tier_raw":"Maturity Level","tier":3,"seq":115,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b","id_raw":"D4.RM.Co.B","tier_raw":"Maturity Level","tier":3,"seq":116,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.e","id_raw":"D4.RM.Co.E","tier_raw":"Maturity Level","tier":3,"seq":117,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.int","id_raw":"D4.RM.Co.Int","tier_raw":"Maturity Level","tier":3,"seq":118,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.a","id_raw":"D4.RM.Co.A","tier_raw":"Maturity Level","tier":3,"seq":119,"title":"Advanced","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.inn","id_raw":"D4.RM.Co.Inn","tier_raw":"Maturity Level","tier":3,"seq":120,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.b","id_raw":"D4.RM.Om.B","tier_raw":"Maturity Level","tier":3,"seq":121,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.e","id_raw":"D4.RM.Om.E","tier_raw":"Maturity Level","tier":3,"seq":122,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.int","id_raw":"D4.RM.Om.Int","tier_raw":"Maturity Level","tier":3,"seq":123,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.a","id_raw":"D4.RM.Om.A","tier_raw":"Maturity Level","tier":3,"seq":124,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.inn","id_raw":"D4.RM.Om.Inn","tier_raw":"Maturity Level","tier":3,"seq":125,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b","id_raw":"D5.IR.Pl.B","tier_raw":"Maturity Level","tier":3,"seq":126,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e","id_raw":"D5.IR.Pl.E","tier_raw":"Maturity Level","tier":3,"seq":127,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.int","id_raw":"D5.IR.Pl.Int","tier_raw":"Maturity Level","tier":3,"seq":128,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.a","id_raw":"D5.IR.Pl.A","tier_raw":"Maturity Level","tier":3,"seq":129,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.inn","id_raw":"D5.IR.Pl.Inn","tier_raw":"Maturity Level","tier":3,"seq":130,"title":"Innovative","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.b","id_raw":"D5.IR.Te.B","tier_raw":"Maturity Level","tier":3,"seq":131,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.e","id_raw":"D5.IR.Te.E","tier_raw":"Maturity Level","tier":3,"seq":132,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int","id_raw":"D5.IR.Te.Int","tier_raw":"Maturity Level","tier":3,"seq":133,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a","id_raw":"D5.IR.Te.A","tier_raw":"Maturity Level","tier":3,"seq":134,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.inn","id_raw":"D5.IR.Te.Inn","tier_raw":"Maturity Level","tier":3,"seq":135,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.b","id_raw":"D5.DR.De.B","tier_raw":"Maturity Level","tier":3,"seq":136,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.e","id_raw":"D5.DR.De.E","tier_raw":"Maturity Level","tier":3,"seq":137,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int","id_raw":"D5.DR.De.Int","tier_raw":"Maturity Level","tier":3,"seq":138,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.a","id_raw":"D5.DR.De.A","tier_raw":"Maturity Level","tier":3,"seq":139,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.inn","id_raw":"D5.DR.De.Inn","tier_raw":"Maturity Level","tier":3,"seq":140,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.b","id_raw":"D5.DR.Re.B","tier_raw":"Maturity Level","tier":3,"seq":141,"title":"Baseline","description":null} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e","id_raw":"D5.DR.Re.E","tier_raw":"Maturity Level","tier":3,"seq":142,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.int","id_raw":"D5.DR.Re.Int","tier_raw":"Maturity Level","tier":3,"seq":143,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.a","id_raw":"D5.DR.Re.A","tier_raw":"Maturity Level","tier":3,"seq":144,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.inn","id_raw":"D5.DR.Re.Inn","tier_raw":"Maturity Level","tier":3,"seq":145,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.b","id_raw":"D5.ER.Es.B","tier_raw":"Maturity Level","tier":3,"seq":146,"title":"Baseline","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.e","id_raw":"D5.ER.Es.E","tier_raw":"Maturity Level","tier":3,"seq":147,"title":"Evolving","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.int","id_raw":"D5.ER.Es.Int","tier_raw":"Maturity Level","tier":3,"seq":148,"title":"Intermediate","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.a","id_raw":"D5.ER.Es.A","tier_raw":"Maturity Level","tier":3,"seq":149,"title":"Advanced","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.inn","id_raw":"D5.ER.Es.Inn","tier_raw":"Maturity Level","tier":3,"seq":150,"title":"Innovative","description":null} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b.1","id_raw":"D1.G.Ov.B.1","tier_raw":"Statement","tier":4,"seq":1,"title":null,"description":"Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. 
(FFIEC Information Security Booklet, page 3)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b.2","id_raw":"D1.G.Ov.B.2","tier_raw":"Statement","tier":4,"seq":2,"title":null,"description":"Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b.3","id_raw":"D1.G.Ov.B.3","tier_raw":"Statement","tier":4,"seq":3,"title":null,"description":"Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b.4","id_raw":"D1.G.Ov.B.4","tier_raw":"Statement","tier":4,"seq":4,"title":null,"description":"The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.b.5","id_raw":"D1.G.Ov.B.5","tier_raw":"Statement","tier":4,"seq":5,"title":null,"description":"Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. 
(FFIEC Business Continuity Planning Booklet, page J-12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.e.1","id_raw":"D1.G.Ov.E.1","tier_raw":"Statement","tier":4,"seq":6,"title":null,"description":"At least annually, the board or an appropriate board committee reviews\nand approves the institution’s cybersecurity program."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.e.2","id_raw":"D1.G.Ov.E.2","tier_raw":"Statement","tier":4,"seq":7,"title":null,"description":"Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.e.3","id_raw":"D1.G.Ov.E.3","tier_raw":"Statement","tier":4,"seq":8,"title":null,"description":"Cybersecurity tools and staff are requested through the budget process."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.e.4","id_raw":"D1.G.Ov.E.4","tier_raw":"Statement","tier":4,"seq":9,"title":null,"description":"There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the budgeting process."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.1","id_raw":"D1.G.Ov.Int.1","tier_raw":"Statement","tier":4,"seq":10,"title":null,"description":"The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.2","id_raw":"D1.G.Ov.Int.2","tier_raw":"Statement","tier":4,"seq":11,"title":null,"description":"The standard board meeting package includes reports and metrics that go beyond events and incidents to address threat intelligence trends and the institution’s security posture."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.3","id_raw":"D1.G.Ov.Int.3","tier_raw":"Statement","tier":4,"seq":12,"title":null,"description":"The institution 
has a cyber risk appetite statement approved by the board or an appropriate board committee."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.4","id_raw":"D1.G.Ov.Int.4","tier_raw":"Statement","tier":4,"seq":13,"title":null,"description":"Cyber risks that exceed the risk appetite are escalated to management. "} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.5","id_raw":"D1.G.Ov.Int.5","tier_raw":"Statement","tier":4,"seq":14,"title":null,"description":"The board or an appropriate board committee ensures management’s annual cybersecurity self-assessment evaluates the institution’s ability to meet its cyber risk management standards."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.6","id_raw":"D1.G.Ov.Int.6","tier_raw":"Statement","tier":4,"seq":15,"title":null,"description":"The board or an appropriate board committee reviews and approves management’s prioritization and resource allocation decisions based on the results of the cyber assessments."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.7","id_raw":"D1.G.Ov.Int.7","tier_raw":"Statement","tier":4,"seq":16,"title":null,"description":"The board or an appropriate board committee ensures management takes appropriate actions to address changing cyber risks or significant cybersecurity issues."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.int.8","id_raw":"D1.G.Ov.Int.8","tier_raw":"Statement","tier":4,"seq":17,"title":null,"description":"The budget process for requesting additional cybersecurity staff and tools is integrated into business units’ budget processes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.1","id_raw":"D1.G.Ov.A.1","tier_raw":"Statement","tier":4,"seq":18,"title":null,"description":"The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.2","id_raw":"D1.G.Ov.A.2","tier_raw":"Statement","tier":4,"seq":19,"title":null,"description":"Management has a formal process to continuously improve cybersecurity oversight."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.3","id_raw":"D1.G.Ov.A.3","tier_raw":"Statement","tier":4,"seq":20,"title":null,"description":"The budget process for requesting additional cybersecurity staff and tools maps current resources and tools to the cybersecurity strategy."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.4","id_raw":"D1.G.Ov.A.4","tier_raw":"Statement","tier":4,"seq":21,"title":null,"description":"Management and the board or an appropriate board committee hold business units accountable for effectively managing all cyber risks associated with their activities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.5","id_raw":"D1.G.Ov.A.5","tier_raw":"Statement","tier":4,"seq":22,"title":null,"description":"Management identifies root cause(s) when cyber attacks result in material loss."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.a.6","id_raw":"D1.G.Ov.A.6","tier_raw":"Statement","tier":4,"seq":23,"title":null,"description":"The board or an appropriate board committee ensures that management’s actions consider the cyber risks that the institution poses to the financial sector."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.inn.1","id_raw":"D1.G.Ov.Inn.1","tier_raw":"Statement","tier":4,"seq":24,"title":null,"description":"The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.ov.inn.2","id_raw":"D1.G.Ov.Inn.2","tier_raw":"Statement","tier":4,"seq":25,"title":null,"description":"The board or an appropriate board committee verifies that management’s actions 
consider the cyber risks that the institution poses to other critical infrastructures (e.g., telecommunications, energy)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.1","id_raw":"D1.G.SP.B.1","tier_raw":"Statement","tier":4,"seq":26,"title":null,"description":"The institution has an information security strategy that integrates technology, policies, procedures, and training to mitigate risk. (FFIEC Information Security Booklet, page 3)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.2","id_raw":"D1.G.SP.B.2","tier_raw":"Statement","tier":4,"seq":27,"title":null,"description":"The institution has policies commensurate with its risk and complexity that address the concepts of information technology risk management. (FFIEC Information Security Booklet, page, 16)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.3","id_raw":"D1.G.SP.B.3","tier_raw":"Statement","tier":4,"seq":28,"title":null,"description":"The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E- Banking Booklet, page 28)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.4","id_raw":"D1.G.SP.B.4","tier_raw":"Statement","tier":4,"seq":29,"title":null,"description":"The institution has board-approved policies commensurate with its risk and complexity that address information security. (FFIEC Information Security Booklet, page 16)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.5","id_raw":"D1.G.SP.B.5","tier_raw":"Statement","tier":4,"seq":30,"title":null,"description":"The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management. 
(FFIEC Outsourcing Booklet, page 2)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.6","id_raw":"D1.G.SP.B.6","tier_raw":"Statement","tier":4,"seq":31,"title":null,"description":"The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.b.7","id_raw":"D1.G.SP.B.7","tier_raw":"Statement","tier":4,"seq":32,"title":null,"description":"All elements of the information security program are coordinated enterprise-wide. (FFIEC Information Security Booklet, page 7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.e.1","id_raw":"D1.G.SP.E.1","tier_raw":"Statement","tier":4,"seq":33,"title":null,"description":"The institution augmented its information security strategy to incorporate cybersecurity and resilience."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.e.2","id_raw":"D1.G.SP.E.2","tier_raw":"Statement","tier":4,"seq":34,"title":null,"description":"The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.e.3","id_raw":"D1.G.SP.E.3","tier_raw":"Statement","tier":4,"seq":35,"title":null,"description":"A formal process is in place to update policies as the institution’s inherent risk profile changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int.1","id_raw":"D1.G.SP.Int.1","tier_raw":"Statement","tier":4,"seq":36,"title":null,"description":"The institution has a comprehensive set of policies commensurate with its risk and complexity that address the concepts of threat intelligence."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int.2","id_raw":"D1.G.SP.Int.2","tier_raw":"Statement","tier":4,"seq":37,"title":null,"description":"Management periodically 
reviews the cybersecurity strategy to address evolving cyber threats and changes to the institution’s inherent risk profile."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int.3","id_raw":"D1.G.SP.Int.3","tier_raw":"Statement","tier":4,"seq":38,"title":null,"description":"The cybersecurity strategy is incorporated into, or conceptually fits within, the institution’s enterprise-wide risk management strategy. "} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int.4","id_raw":"D1.G.SP.Int.4","tier_raw":"Statement","tier":4,"seq":39,"title":null,"description":"Management links strategic cybersecurity objectives to tactical goals."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.int.5","id_raw":"D1.G.SP.Int.5","tier_raw":"Statement","tier":4,"seq":40,"title":null,"description":"A formal process is in place to cross-reference and simultaneously update all policies related to cyber risks across business lines."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a.1","id_raw":"D1.G.SP.A.1","tier_raw":"Statement","tier":4,"seq":41,"title":null,"description":"The cybersecurity strategy outlines the institution’s future state of\ncybersecurity with short-term and long-term perspectives."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a.2","id_raw":"D1.G.SP.A.2","tier_raw":"Statement","tier":4,"seq":42,"title":null,"description":"Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a.3","id_raw":"D1.G.SP.A.3","tier_raw":"Statement","tier":4,"seq":43,"title":null,"description":"The cybersecurity strategy identifies and communicates the institution’s role as a component of critical infrastructure in the financial services industry."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a.4","id_raw":"D1.G.SP.A.4","tier_raw":"Statement","tier":4,"seq":44,"title":null,"description":"The risk appetite is informed by the institution’s role in critical infrastructure."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.a.5","id_raw":"D1.G.SP.A.5","tier_raw":"Statement","tier":4,"seq":45,"title":null,"description":"Management is continuously improving the existing cybersecurity program to adapt as the desired cybersecurity target state changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.sp.inn.1","id_raw":"D1.G.SP.Inn.1","tier_raw":"Statement","tier":4,"seq":46,"title":null,"description":"The cybersecurity strategy identifies and communicates the institution's role as it relates to other critical infrastructures."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.b.1","id_raw":"D1.G.IT.B.1","tier_raw":"Statement","tier":4,"seq":47,"title":null,"description":"An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. (FFIEC Information Security Booklet, page 9)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.b.2","id_raw":"D1.G.IT.B.2","tier_raw":"Statement","tier":4,"seq":48,"title":null,"description":"Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value. (FFIEC Information Security Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.b.3","id_raw":"D1.G.IT.B.3","tier_raw":"Statement","tier":4,"seq":49,"title":null,"description":"Management assigns accountability for maintaining an inventory of organizational assets. 
(FFIEC Information Security Booklet, page 9)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.b.4","id_raw":"D1.G.IT.B.4","tier_raw":"Statement","tier":4,"seq":50,"title":null,"description":"A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools. (FFIEC Information Security Booklet, page 56)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.e.1","id_raw":"D1.G.IT.E.1","tier_raw":"Statement","tier":4,"seq":51,"title":null,"description":"The asset inventory, including identification of critical assets, is updated at least annually to address new, relocated, re-purposed, and sunset assets."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.e.2","id_raw":"D1.G.IT.E.2","tier_raw":"Statement","tier":4,"seq":52,"title":null,"description":"The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.e.3","id_raw":"D1.G.IT.E.3","tier_raw":"Statement","tier":4,"seq":53,"title":null,"description":"The institution proactively manages system EOL (e.g., replacement) to limit security risks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.e.4","id_raw":"D1.G.IT.E.4","tier_raw":"Statement","tier":4,"seq":54,"title":null,"description":"Changes are formally approved by an individual or committee with appropriate authority and with separation of duties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.int.1","id_raw":"D1.G.IT.Int.1","tier_raw":"Statement","tier":4,"seq":55,"title":null,"description":"Baseline configurations cannot be altered without a formal change request, documented approval, and an assessment of security implications."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.int.2","id_raw":"D1.G.IT.Int.2","tier_raw":"Statement","tier":4,"seq":56,"title":null,"description":"A formal IT change management process requires cybersecurity risk to be evaluated during the analysis, approval, testing, and reporting of changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.a.1","id_raw":"D1.G.IT.A.1","tier_raw":"Statement","tier":4,"seq":57,"title":null,"description":"Supply chain risk is reviewed before the acquisition of mission-critical information systems including system components."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.a.2","id_raw":"D1.G.IT.A.2","tier_raw":"Statement","tier":4,"seq":58,"title":null,"description":"Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.a.3","id_raw":"D1.G.IT.A.3","tier_raw":"Statement","tier":4,"seq":59,"title":null,"description":"Automated processes are in place to detect and block unauthorized changes to software and hardware."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.a.4","id_raw":"D1.G.IT.A.4","tier_raw":"Statement","tier":4,"seq":60,"title":null,"description":"The change management system uses thresholds to determine when a risk assessment of the impact of the change is required."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.inn.1","id_raw":"D1.G.IT.Inn.1","tier_raw":"Statement","tier":4,"seq":61,"title":null,"description":"A formal change management function governs decentralized or highly distributed change requests and identifies and measures security risks that may cause increased exposure to cyber attack."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.g.it.inn.2","id_raw":"D1.G.IT.Inn.2","tier_raw":"Statement","tier":4,"seq":62,"title":null,"description":"Comprehensive automated enterprise tools are 
implemented to detect and block unauthorized changes to software and hardware."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.b.1","id_raw":"D1.RM.RMP.B.1","tier_raw":"Statement","tier":4,"seq":63,"title":null,"description":"An information security and business continuity risk management function(s) exists within the institution. (FFIEC Information Security Booklet, page 68)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.e.1","id_raw":"D1.RM.RMP.E.1","tier_raw":"Statement","tier":4,"seq":64,"title":null,"description":"The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.e.2","id_raw":"D1.RM.RMP.E.2","tier_raw":"Statement","tier":4,"seq":65,"title":null,"description":"Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.e.3","id_raw":"D1.RM.RMP.E.3","tier_raw":"Statement","tier":4,"seq":66,"title":null,"description":"Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int.1","id_raw":"D1.RM.RMP.Int.1","tier_raw":"Statement","tier":4,"seq":67,"title":null,"description":"The cybersecurity function has a clear reporting line that does not present a conflict of interest."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int.2","id_raw":"D1.RM.RMP.Int.2","tier_raw":"Statement","tier":4,"seq":68,"title":null,"description":"The risk management program specifically addresses cyber risks beyond the boundaries of the technological impacts (e.g., financial, strategic, regulatory, compliance)."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int.3","id_raw":"D1.RM.RMP.Int.3","tier_raw":"Statement","tier":4,"seq":69,"title":null,"description":"Benchmarks or target performance metrics have been established for showing improvements or regressions of the security posture over time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int.4","id_raw":"D1.RM.RMP.Int.4","tier_raw":"Statement","tier":4,"seq":70,"title":null,"description":"Management uses the results of independent audits and reviews to improve cybersecurity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.int.5","id_raw":"D1.RM.RMP.Int.5","tier_raw":"Statement","tier":4,"seq":71,"title":null,"description":"There is a process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a.1","id_raw":"D1.RM.RMP.A.1","tier_raw":"Statement","tier":4,"seq":72,"title":null,"description":"Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a.2","id_raw":"D1.RM.RMP.A.2","tier_raw":"Statement","tier":4,"seq":73,"title":null,"description":"Independent risk management sets and monitors cyber-related risk limits for business units."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a.3","id_raw":"D1.RM.RMP.A.3","tier_raw":"Statement","tier":4,"seq":74,"title":null,"description":"Independent risk management staff escalates to management and the board or an appropriate board committee significant discrepancies from business unit’s assessments of cyber-related risk."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a.4","id_raw":"D1.RM.RMP.A.4","tier_raw":"Statement","tier":4,"seq":75,"title":null,"description":"A process is in place to analyze the financial impact cyber incidents 
have on the institution’s capital."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.a.5","id_raw":"D1.RM.RMP.A.5","tier_raw":"Statement","tier":4,"seq":76,"title":null,"description":"The cyber risk data aggregation and real-time reporting capabilities support the institution’s ongoing reporting needs, particularly during cyber incidents."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.inn.1","id_raw":"D1.RM.RMP.Inn.1","tier_raw":"Statement","tier":4,"seq":77,"title":null,"description":"The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors to enable more predictive risk management."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.rmp.inn.2","id_raw":"D1.RM.RMP.Inn.2","tier_raw":"Statement","tier":4,"seq":78,"title":null,"description":"A process is in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.b.1","id_raw":"D1.RM.RA.B.1","tier_raw":"Statement","tier":4,"seq":79,"title":null,"description":"A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. (FFIEC Information Security Booklet, page 8)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.b.2","id_raw":"D1.RM.RA.B.2","tier_raw":"Statement","tier":4,"seq":80,"title":null,"description":"The risk assessment identifies internet-based systems and high-risk transactions that warrant additional authentication controls. 
(FFIEC Information Security Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.b.3","id_raw":"D1.RM.RA.B.3","tier_raw":"Statement","tier":4,"seq":81,"title":null,"description":"The risk assessment is updated to address new technologies, products, services, and connections before deployment. (FFIEC Information Security Booklet, page 13)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.e.1","id_raw":"D1.RM.RA.E.1","tier_raw":"Statement","tier":4,"seq":82,"title":null,"description":"Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.e.2","id_raw":"D1.RM.RA.E.2","tier_raw":"Statement","tier":4,"seq":83,"title":null,"description":"The focus of the risk assessment has expanded beyond customer information to address all information assets."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.e.3","id_raw":"D1.RM.RA.E.3","tier_raw":"Statement","tier":4,"seq":84,"title":null,"description":"The risk assessment considers the risk of using EOL software and hardware components."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.int.1","id_raw":"D1.RM.RA.Int.1","tier_raw":"Statement","tier":4,"seq":85,"title":null,"description":"The risk assessment is adjusted to consider widely known risks or risk management practices."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.a.1","id_raw":"D1.RM.RA.A.1","tier_raw":"Statement","tier":4,"seq":86,"title":null,"description":"An enterprise-wide risk management function incorporates cyber threat analysis and specific risk exposure as part of the enterprise risk assessment."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.inn.1","id_raw":"D1.RM.RA.Inn.1","tier_raw":"Statement","tier":4,"seq":87,"title":null,"description":"The risk assessment is updated in real time as changes to the risk 
profile occur, new applicable standards are released or updated, and new exposures are anticipated."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.inn.2","id_raw":"D1.RM.RA.Inn.2","tier_raw":"Statement","tier":4,"seq":88,"title":null,"description":"The institution uses information from risk assessments to predict threats and drive real-time responses."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.ra.inn.3","id_raw":"D1.RM.RA.Inn.3","tier_raw":"Statement","tier":4,"seq":89,"title":null,"description":"Advanced or automated analytics offer predictive information and real- time risk metrics."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.b.1","id_raw":"D1.RM.Au.B.1","tier_raw":"Statement","tier":4,"seq":90,"title":null,"description":"Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems. (FFIEC Audit Booklet, page 4)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.b.2","id_raw":"D1.RM.Au.B.2","tier_raw":"Statement","tier":4,"seq":91,"title":null,"description":"The independent audit function validates controls related to the storage or transmission of confidential data. (FFIEC Audit Booklet, page 1)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.b.3","id_raw":"D1.RM.Au.B.3","tier_raw":"Statement","tier":4,"seq":92,"title":null,"description":"Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance). 
(FFIEC Operations Booklet, page 29)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.b.4","id_raw":"D1.RM.Au.B.4","tier_raw":"Statement","tier":4,"seq":93,"title":null,"description":"Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. (FFIEC Information Security Booklet, page 6)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e.1","id_raw":"D1.RM.Au.E.1","tier_raw":"Statement","tier":4,"seq":94,"title":null,"description":"The independent audit function validates that the risk management\nfunction is commensurate with the institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e.2","id_raw":"D1.RM.Au.E.2","tier_raw":"Statement","tier":4,"seq":95,"title":null,"description":"The independent audit function validates that the institution’s threat information sharing is commensurate with the institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e.3","id_raw":"D1.RM.Au.E.3","tier_raw":"Statement","tier":4,"seq":96,"title":null,"description":"The independent audit function validates that the institution’s cybersecurity controls function is commensurate with the institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e.4","id_raw":"D1.RM.Au.E.4","tier_raw":"Statement","tier":4,"seq":97,"title":null,"description":"The independent audit function validates that the institution’s third-party relationship management is commensurate with the institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.e.5","id_raw":"D1.RM.Au.E.5","tier_raw":"Statement","tier":4,"seq":98,"title":null,"description":"The independent audit function validates that the institution’s incident response program and resilience are commensurate with the 
institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.int.1","id_raw":"D1.RM.Au.Int.1","tier_raw":"Statement","tier":4,"seq":99,"title":null,"description":"A formal process is in place for the independent audit function to update\nits procedures based on changes to the institution’s inherent risk profile."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.int.2","id_raw":"D1.RM.Au.Int.2","tier_raw":"Statement","tier":4,"seq":100,"title":null,"description":"The independent audit function validates that the institution’s threat intelligence and collaboration are commensurate with the institution’s risk and complexity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.int.3","id_raw":"D1.RM.Au.Int.3","tier_raw":"Statement","tier":4,"seq":101,"title":null,"description":"The independent audit function regularly reviews management’s cyber risk appetite statement."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.int.4","id_raw":"D1.RM.Au.Int.4","tier_raw":"Statement","tier":4,"seq":102,"title":null,"description":"Independent audits or reviews are used to identify gaps in existing security capabilities and expertise."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.a.1","id_raw":"D1.RM.Au.A.1","tier_raw":"Statement","tier":4,"seq":103,"title":null,"description":"A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.a.2","id_raw":"D1.RM.Au.A.2","tier_raw":"Statement","tier":4,"seq":104,"title":null,"description":"The independent audit function regularly reviews the institution’s cyber risk appetite statement in comparison to assessment results and incorporates gaps into the audit strategy."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.a.3","id_raw":"D1.RM.Au.A.3","tier_raw":"Statement","tier":4,"seq":105,"title":null,"description":"Independent audits or reviews are used to identify cybersecurity weaknesses, root causes, and the potential impact to business units."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.inn.1","id_raw":"D1.RM.Au.Inn.1","tier_raw":"Statement","tier":4,"seq":106,"title":null,"description":"A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.rm.au.inn.2","id_raw":"D1.RM.Au.Inn.2","tier_raw":"Statement","tier":4,"seq":107,"title":null,"description":"The independent audit function uses sophisticated data mining tools to perform continuous monitoring of cybersecurity processes or controls."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.b.1","id_raw":"D1.R.St.B.1","tier_raw":"Statement","tier":4,"seq":108,"title":null,"description":"Information security roles and responsibilities have been identified.\n(FFIEC Information Security Booklet, page 7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.b.2","id_raw":"D1.R.St.B.2","tier_raw":"Statement","tier":4,"seq":109,"title":null,"description":"Processes are in place to identify additional expertise needed to improve information security defenses. 
(FFIEC Information Security Work Program, Objective I: 2-8)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.e.1","id_raw":"D1.R.St.E.1","tier_raw":"Statement","tier":4,"seq":110,"title":null,"description":"A formal process is used to identify cybersecurity tools and expertise that may be needed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.e.2","id_raw":"D1.R.St.E.2","tier_raw":"Statement","tier":4,"seq":111,"title":null,"description":"Management with appropriate knowledge and experience leads the institution's cybersecurity efforts."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.e.3","id_raw":"D1.R.St.E.3","tier_raw":"Statement","tier":4,"seq":112,"title":null,"description":"Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.e.4","id_raw":"D1.R.St.E.4","tier_raw":"Statement","tier":4,"seq":113,"title":null,"description":"Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.int.1","id_raw":"D1.R.St.Int.1","tier_raw":"Statement","tier":4,"seq":114,"title":null,"description":"The institution has a program for talent recruitment, retention, and succession planning for the cybersecurity and resilience staffs."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.a.1","id_raw":"D1.R.St.A.1","tier_raw":"Statement","tier":4,"seq":115,"title":null,"description":"The institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.a.2","id_raw":"D1.R.St.A.2","tier_raw":"Statement","tier":4,"seq":116,"title":null,"description":"Dedicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.r.st.inn.1","id_raw":"D1.R.St.Inn.1","tier_raw":"Statement","tier":4,"seq":117,"title":null,"description":"The institution actively partners with industry associations and academia to inform curricula based on future cybersecurity staffing needs of the industry."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.b.1","id_raw":"D1.TC.Tr.B.1","tier_raw":"Statement","tier":4,"seq":118,"title":null,"description":"Annual information security training is provided. (FFIEC Information\nSecurity Booklet, page 66)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.b.2","id_raw":"D1.TC.Tr.B.2","tier_raw":"Statement","tier":4,"seq":119,"title":null,"description":"Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues. (FFIEC Information Security Booklet, page 66)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.b.3","id_raw":"D1.TC.Tr.B.3","tier_raw":"Statement","tier":4,"seq":120,"title":null,"description":"Situational awareness materials are made available to employees when prompted by highly visible cyber events or by regulatory alerts. \n(FFIEC Information Security Booklet, page 7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.b.4","id_raw":"D1.TC.Tr.B.4","tier_raw":"Statement","tier":4,"seq":121,"title":null,"description":"Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials). 
(FFIEC E-Banking Work Program, Objective 6-3)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e.1","id_raw":"D1.TC.Tr.E.1","tier_raw":"Statement","tier":4,"seq":122,"title":null,"description":"The institution has a program for continuing cybersecurity training and skill development for cybersecurity staff."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e.2","id_raw":"D1.TC.Tr.E.2","tier_raw":"Statement","tier":4,"seq":123,"title":null,"description":"Management is provided cybersecurity training relevant to their job responsibilities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e.3","id_raw":"D1.TC.Tr.E.3","tier_raw":"Statement","tier":4,"seq":124,"title":null,"description":"Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e.4","id_raw":"D1.TC.Tr.E.4","tier_raw":"Statement","tier":4,"seq":125,"title":null,"description":"Business units are provided cybersecurity training relevant to their particular business risks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.e.5","id_raw":"D1.TC.Tr.E.5","tier_raw":"Statement","tier":4,"seq":126,"title":null,"description":"The institution validates the effectiveness of training (e.g., social engineering or phishing tests)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.int.1","id_raw":"D1.TC.Tr.Int.1","tier_raw":"Statement","tier":4,"seq":127,"title":null,"description":"Management incorporates lessons learned from social engineering and phishing exercises to improve the employee awareness programs."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.int.2","id_raw":"D1.TC.Tr.Int.2","tier_raw":"Statement","tier":4,"seq":128,"title":null,"description":"Cybersecurity awareness information is provided to retail customers and commercial clients at least 
annually."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.int.3","id_raw":"D1.TC.Tr.Int.3","tier_raw":"Statement","tier":4,"seq":129,"title":null,"description":"Business units are provided cybersecurity training relevant to their particular business risks, over and above what is required of the institution as a whole."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.int.4","id_raw":"D1.TC.Tr.Int.4","tier_raw":"Statement","tier":4,"seq":130,"title":null,"description":"The institution routinely updates its training to security staff to adapt to new threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.a.1","id_raw":"D1.TC.Tr.A.1","tier_raw":"Statement","tier":4,"seq":131,"title":null,"description":"Independent directors are provided with cybersecurity training that addresses how complex products, services, and lines of business affect the institution's cyber risk."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.tr.inn.1","id_raw":"D1.TC.Tr.Inn.1","tier_raw":"Statement","tier":4,"seq":132,"title":null,"description":"Key performance indicators are used to determine whether training and awareness programs positively influence behavior."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.b.1","id_raw":"D1.TC.Cu.B.1","tier_raw":"Statement","tier":4,"seq":133,"title":null,"description":"Management holds employees accountable for complying with the information security program. 
(FFIEC Information Security Booklet, page\n7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.e.1","id_raw":"D1.TC.Cu.E.1","tier_raw":"Statement","tier":4,"seq":134,"title":null,"description":"The institution has formal standards of conduct that hold all employees accountable for complying with cybersecurity policies and procedures."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.e.2","id_raw":"D1.TC.Cu.E.2","tier_raw":"Statement","tier":4,"seq":135,"title":null,"description":"Cyber risks are actively discussed at business unit meetings. "} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.e.3","id_raw":"D1.TC.Cu.E.3","tier_raw":"Statement","tier":4,"seq":136,"title":null,"description":"Employees have a clear understanding of how to identify and escalate potential cybersecurity issues."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.int.1","id_raw":"D1.TC.Cu.Int.1","tier_raw":"Statement","tier":4,"seq":137,"title":null,"description":"Management ensures performance plans are tied to compliance with cybersecurity policies and standards in order to hold employees accountable."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.int.2","id_raw":"D1.TC.Cu.Int.2","tier_raw":"Statement","tier":4,"seq":138,"title":null,"description":"The risk culture requires formal consideration of cyber risks in all business decisions."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.int.3","id_raw":"D1.TC.Cu.Int.3","tier_raw":"Statement","tier":4,"seq":139,"title":null,"description":"Cyber risk reporting is presented and discussed at the independent risk management meetings."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.a.1","id_raw":"D1.TC.Cu.A.1","tier_raw":"Statement","tier":4,"seq":140,"title":null,"description":"Management ensures continuous improvement of cyber risk cultural awareness."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d1.tc.cu.inn.1","id_raw":"D1.TC.Cu.Inn.1","tier_raw":"Statement","tier":4,"seq":141,"title":null,"description":"The institution leads efforts to promote cybersecurity culture across the sector and to other sectors that they depend upon."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.b.1","id_raw":"D2.TI.Ti.B.1","tier_raw":"Statement","tier":4,"seq":142,"title":null,"description":"The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E- Banking Work Program, page 28)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.b.2","id_raw":"D2.TI.Ti.B.2","tier_raw":"Statement","tier":4,"seq":143,"title":null,"description":"Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.b.3","id_raw":"D2.TI.Ti.B.3","tier_raw":"Statement","tier":4,"seq":144,"title":null,"description":"Threat information is used to enhance internal risk management and controls. 
(FFIEC Information Security Booklet, page 4)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.e.1","id_raw":"D2.TI.Ti.E.1","tier_raw":"Statement","tier":4,"seq":145,"title":null,"description":"Threat information received by the institution includes analysis of tactics, patterns, and risk mitigation recommendations."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.int.1","id_raw":"D2.TI.Ti.Int.1","tier_raw":"Statement","tier":4,"seq":146,"title":null,"description":"A formal threat intelligence program is implemented and includes subscription to threat feeds from external providers and internal sources."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.int.2","id_raw":"D2.TI.Ti.Int.2","tier_raw":"Statement","tier":4,"seq":147,"title":null,"description":"Protocols are implemented for collecting information from industry peers and government."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.int.3","id_raw":"D2.TI.Ti.Int.3","tier_raw":"Statement","tier":4,"seq":148,"title":null,"description":"A read-only, central repository of cyber threat intelligence is maintained."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.a.1","id_raw":"D2.TI.Ti.A.1","tier_raw":"Statement","tier":4,"seq":149,"title":null,"description":"A cyber intelligence model is used for gathering threat information."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.a.2","id_raw":"D2.TI.Ti.A.2","tier_raw":"Statement","tier":4,"seq":150,"title":null,"description":"Threat intelligence is automatically received from multiple sources in real time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.a.3","id_raw":"D2.TI.Ti.A.3","tier_raw":"Statement","tier":4,"seq":151,"title":null,"description":"The institution’s threat intelligence includes information related to geopolitical events that could increase cybersecurity threat levels."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.inn.1","id_raw":"D2.TI.Ti.Inn.1","tier_raw":"Statement","tier":4,"seq":152,"title":null,"description":"A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ti.ti.inn.2","id_raw":"D2.TI.Ti.Inn.2","tier_raw":"Statement","tier":4,"seq":153,"title":null,"description":"The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.b.1","id_raw":"D2.MA.Ma.B.1","tier_raw":"Statement","tier":4,"seq":154,"title":null,"description":"Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.b.2","id_raw":"D2.MA.Ma.B.2","tier_raw":"Statement","tier":4,"seq":155,"title":null,"description":"Computer event logs are used for investigations once an event has occurred. 
(FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.e.1","id_raw":"D2.MA.Ma.E.1","tier_raw":"Statement","tier":4,"seq":156,"title":null,"description":"A process is implemented to monitor threat information to discover emerging threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.e.2","id_raw":"D2.MA.Ma.E.2","tier_raw":"Statement","tier":4,"seq":157,"title":null,"description":"The threat information and analysis process is assigned to a specific group or individual."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.e.3","id_raw":"D2.MA.Ma.E.3","tier_raw":"Statement","tier":4,"seq":158,"title":null,"description":"Security processes and technology are centralized and coordinated in a Security Operations Center (SOC) or equivalent."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.e.4","id_raw":"D2.MA.Ma.E.4","tier_raw":"Statement","tier":4,"seq":159,"title":null,"description":"Monitoring systems operate continuously with adequate support for efficient incident handling."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.int.1","id_raw":"D2.MA.Ma.Int.1","tier_raw":"Statement","tier":4,"seq":160,"title":null,"description":"A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance, and exposure."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.int.2","id_raw":"D2.MA.Ma.Int.2","tier_raw":"Statement","tier":4,"seq":161,"title":null,"description":"A profile is created for each threat that identifies the likely intent, capability, and target of the threat."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.int.3","id_raw":"D2.MA.Ma.Int.3","tier_raw":"Statement","tier":4,"seq":162,"title":null,"description":"Threat information sources that address all components of the threat profile are prioritized and monitored."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.int.4","id_raw":"D2.MA.Ma.Int.4","tier_raw":"Statement","tier":4,"seq":163,"title":null,"description":"Threat intelligence is analyzed to develop cyber threat summaries including risks to the institution and specific actions for the institution to consider."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a.1","id_raw":"D2.MA.Ma.A.1","tier_raw":"Statement","tier":4,"seq":164,"title":null,"description":"A dedicated cyber threat identification and analysis committee or team exists to centralize and coordinate initiatives and communications."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a.2","id_raw":"D2.MA.Ma.A.2","tier_raw":"Statement","tier":4,"seq":165,"title":null,"description":"Formal processes have been defined to resolve potential conflicts in information received from sharing and analysis centers or other sources."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a.3","id_raw":"D2.MA.Ma.A.3","tier_raw":"Statement","tier":4,"seq":166,"title":null,"description":"Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a.4","id_raw":"D2.MA.Ma.A.4","tier_raw":"Statement","tier":4,"seq":167,"title":null,"description":"Threat intelligence is viewed within the context of the institution's risk profile and risk appetite to prioritize mitigating actions in anticipation of threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.a.5","id_raw":"D2.MA.Ma.A.5","tier_raw":"Statement","tier":4,"seq":168,"title":null,"description":"Threat intelligence is used to update architecture and configuration standards."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.inn.1","id_raw":"D2.MA.Ma.Inn.1","tier_raw":"Statement","tier":4,"seq":169,"title":null,"description":"The institution uses multiple 
sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.inn.2","id_raw":"D2.MA.Ma.Inn.2","tier_raw":"Statement","tier":4,"seq":170,"title":null,"description":"Highest risk scenarios are used to predict threats against specific business targets."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.ma.ma.inn.3","id_raw":"D2.MA.Ma.Inn.3","tier_raw":"Statement","tier":4,"seq":171,"title":null,"description":"IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.b.1","id_raw":"D2.IS.Is.B.1","tier_raw":"Statement","tier":4,"seq":172,"title":null,"description":"Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.b.2","id_raw":"D2.IS.Is.B.2","tier_raw":"Statement","tier":4,"seq":173,"title":null,"description":"Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.b.3","id_raw":"D2.IS.Is.B.3","tier_raw":"Statement","tier":4,"seq":174,"title":null,"description":"Information about threats is shared with law enforcement and regulators when required or prompted. 
(FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.e.1","id_raw":"D2.IS.Is.E.1","tier_raw":"Statement","tier":4,"seq":175,"title":null,"description":"A formal and secure process is in place to share threat and vulnerability information with other entities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.e.2","id_raw":"D2.IS.Is.E.2","tier_raw":"Statement","tier":4,"seq":176,"title":null,"description":"A representative from the institution participates in law enforcement or information-sharing organization meetings."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.int.1","id_raw":"D2.IS.Is.Int.1","tier_raw":"Statement","tier":4,"seq":177,"title":null,"description":"A formal protocol is in place for sharing threat, vulnerability, and incident information to employees based on their specific job function."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.int.2","id_raw":"D2.IS.Is.Int.2","tier_raw":"Statement","tier":4,"seq":178,"title":null,"description":"Information-sharing agreements are used as needed or required to facilitate sharing threat information with other financial sector organizations or third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.int.3","id_raw":"D2.IS.Is.Int.3","tier_raw":"Statement","tier":4,"seq":179,"title":null,"description":"Information is shared proactively with the industry, law enforcement, regulators, and information-sharing forums."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.int.4","id_raw":"D2.IS.Is.Int.4","tier_raw":"Statement","tier":4,"seq":180,"title":null,"description":"A process is in place to communicate and collaborate with the public sector regarding cyber threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.a.1","id_raw":"D2.IS.Is.A.1","tier_raw":"Statement","tier":4,"seq":181,"title":null,"description":"Management communicates 
threat intelligence with business risk context and specific risk management recommendations to the business units."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.a.2","id_raw":"D2.IS.Is.A.2","tier_raw":"Statement","tier":4,"seq":182,"title":null,"description":"Relationships exist with employees of peer institutions for sharing cyber threat intelligence."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.a.3","id_raw":"D2.IS.Is.A.3","tier_raw":"Statement","tier":4,"seq":183,"title":null,"description":"A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.inn.1","id_raw":"D2.IS.Is.Inn.1","tier_raw":"Statement","tier":4,"seq":184,"title":null,"description":"A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.inn.2","id_raw":"D2.IS.Is.Inn.2","tier_raw":"Statement","tier":4,"seq":185,"title":null,"description":"A system automatically informs management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d2.is.is.inn.3","id_raw":"D2.IS.Is.Inn.3","tier_raw":"Statement","tier":4,"seq":186,"title":null,"description":"The institution is leading efforts to create new sector-wide information- sharing channels to address gaps in external-facing information-sharing mechanisms."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.1","id_raw":"D3.PC.Im.B.1","tier_raw":"Statement","tier":4,"seq":187,"title":null,"description":"Network perimeter defense tools (e.g., border router and firewall) are used. 
(FFIEC Information Security Booklet, page 33)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.2","id_raw":"D3.PC.Im.B.2","tier_raw":"Statement","tier":4,"seq":188,"title":null,"description":"Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. (FFIEC Information Security Booklet, page 46)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.3","id_raw":"D3.PC.Im.B.3","tier_raw":"Statement","tier":4,"seq":189,"title":null,"description":"All ports are monitored. (FFIEC Information Security Booklet, page 50)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.4","id_raw":"D3.PC.Im.B.4","tier_raw":"Statement","tier":4,"seq":190,"title":null,"description":"Up to date antivirus and anti-malware tools are used. (FFIEC Information Security Booklet, page 78)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.5","id_raw":"D3.PC.Im.B.5","tier_raw":"Statement","tier":4,"seq":191,"title":null,"description":"Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. (FFIEC Information Security Booklet, page 56)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.6","id_raw":"D3.PC.Im.B.6","tier_raw":"Statement","tier":4,"seq":192,"title":null,"description":"Ports, functions, protocols and services are prohibited if no longer needed for business purposes. (FFIEC Information Security Booklet, page 50)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.7","id_raw":"D3.PC.Im.B.7","tier_raw":"Statement","tier":4,"seq":193,"title":null,"description":"Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. 
(FFIEC Information Security Booklet, page 56)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.8","id_raw":"D3.PC.Im.B.8","tier_raw":"Statement","tier":4,"seq":194,"title":null,"description":"Programs that can override system, object, network, virtual machine, and application controls are restricted. (FFIEC Information Security Booklet, page 41)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.9","id_raw":"D3.PC.Im.B.9","tier_raw":"Statement","tier":4,"seq":195,"title":null,"description":"System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. (FFIEC Information Security Booklet, page 23)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.b.10","id_raw":"D3.PC.Im.B.10","tier_raw":"Statement","tier":4,"seq":196,"title":null,"description":"Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 
(FFIEC Information Security Booklet, page 40)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.1","id_raw":"D3.PC.Im.E.1","tier_raw":"Statement","tier":4,"seq":197,"title":null,"description":"There is a firewall at each Internet connection and between any\nDemilitarized Zone (DMZ) and internal network(s)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.2","id_raw":"D3.PC.Im.E.2","tier_raw":"Statement","tier":4,"seq":198,"title":null,"description":"Antivirus and intrusion detection/prevention systems (IDS/IPS) detect and block actual and attempted attacks or intrusions."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.3","id_raw":"D3.PC.Im.E.3","tier_raw":"Statement","tier":4,"seq":199,"title":null,"description":"Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.4","id_raw":"D3.PC.Im.E.4","tier_raw":"Statement","tier":4,"seq":200,"title":null,"description":"A risk-based solution is in place at the institution or Internet hosting provider to mitigate disruptive cyber attacks (e.g., DDoS attacks)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.5","id_raw":"D3.PC.Im.E.5","tier_raw":"Statement","tier":4,"seq":201,"title":null,"description":"Guest wireless networks are fully segregated from the internal network(s). 
(*N/A if there are no wireless networks.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.6","id_raw":"D3.PC.Im.E.6","tier_raw":"Statement","tier":4,"seq":202,"title":null,"description":"Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.7","id_raw":"D3.PC.Im.E.7","tier_raw":"Statement","tier":4,"seq":203,"title":null,"description":"Critical systems supported by legacy technologies are regularly reviewed to identify for potential vulnerabilities, upgrade opportunities, or new defense layers."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.e.8","id_raw":"D3.PC.Im.E.8","tier_raw":"Statement","tier":4,"seq":204,"title":null,"description":"Controls for unsupported systems are implemented and tested."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.1","id_raw":"D3.PC.Im.Int.1","tier_raw":"Statement","tier":4,"seq":205,"title":null,"description":"The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.2","id_raw":"D3.PC.Im.Int.2","tier_raw":"Statement","tier":4,"seq":206,"title":null,"description":"Security controls are used for remote access to all administrative consoles, including restricted virtual systems."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.3","id_raw":"D3.PC.Im.Int.3","tier_raw":"Statement","tier":4,"seq":207,"title":null,"description":"Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. 
(*N/A if there are no wireless networks.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.4","id_raw":"D3.PC.Im.Int.4","tier_raw":"Statement","tier":4,"seq":208,"title":null,"description":"Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.5","id_raw":"D3.PC.Im.Int.5","tier_raw":"Statement","tier":4,"seq":209,"title":null,"description":"The broadcast range of the wireless network(s) is confined to institution- controlled boundaries. (*N/A if there are no wireless networks.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.int.6","id_raw":"D3.PC.Im.Int.6","tier_raw":"Statement","tier":4,"seq":210,"title":null,"description":"Technical measures are in place to prevent the execution of unauthorized code on institution owned or managed devices, network infrastructure, and systems components."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.a.1","id_raw":"D3.PC.Im.A.1","tier_raw":"Statement","tier":4,"seq":211,"title":null,"description":"Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted zones."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.a.2","id_raw":"D3.PC.Im.A.2","tier_raw":"Statement","tier":4,"seq":212,"title":null,"description":"Only one primary function is permitted per server to prevent functions that require different security levels from co-existing on the same server."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.a.3","id_raw":"D3.PC.Im.A.3","tier_raw":"Statement","tier":4,"seq":213,"title":null,"description":"Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.inn.1","id_raw":"D3.PC.Im.Inn.1","tier_raw":"Statement","tier":4,"seq":214,"title":null,"description":"The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.inn.2","id_raw":"D3.PC.Im.Inn.2","tier_raw":"Statement","tier":4,"seq":215,"title":null,"description":"Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.inn.3","id_raw":"D3.PC.Im.Inn.3","tier_raw":"Statement","tier":4,"seq":216,"title":null,"description":"The institution proactively seeks to identify control gaps that may be used as part of a zero-day attack."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.im.inn.4","id_raw":"D3.PC.Im.Inn.4","tier_raw":"Statement","tier":4,"seq":217,"title":null,"description":"Public-facing servers are routinely rotated and restored to a known clean\nstate to limit the window of time a system is exposed to potential threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.1","id_raw":"D3.PC.Am.B.1","tier_raw":"Statement","tier":4,"seq":218,"title":null,"description":"Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. (FFIEC Information Security Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.2","id_raw":"D3.PC.Am.B.2","tier_raw":"Statement","tier":4,"seq":219,"title":null,"description":"Employee access to systems and confidential data provides for separation of duties. 
(FFIEC Information Security Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.3","id_raw":"D3.PC.Am.B.3","tier_raw":"Statement","tier":4,"seq":220,"title":null,"description":"Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). (FFIEC Information Security Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.4","id_raw":"D3.PC.Am.B.4","tier_raw":"Statement","tier":4,"seq":221,"title":null,"description":"User access reviews are performed periodically for all systems and applications based on the risk to the application or system. (FFIEC Information Security Booklet, page 18)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.5","id_raw":"D3.PC.Am.B.5","tier_raw":"Statement","tier":4,"seq":222,"title":null,"description":"Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. (FFIEC Information Security Booklet, page 18)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.6","id_raw":"D3.PC.Am.B.6","tier_raw":"Statement","tier":4,"seq":223,"title":null,"description":"Identification and authentication are required and managed for access to systems, applications, and hardware. (FFIEC Information Security Booklet, page 21)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.7","id_raw":"D3.PC.Am.B.7","tier_raw":"Statement","tier":4,"seq":224,"title":null,"description":"Access controls include password complexity and limits to password attempts and reuse. 
(FFIEC Information Security Booklet, page 66)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.8","id_raw":"D3.PC.Am.B.8","tier_raw":"Statement","tier":4,"seq":225,"title":null,"description":"All default passwords and unnecessary default accounts are changed before system implementation. (FFIEC Information Security Booklet, page 61)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.9","id_raw":"D3.PC.Am.B.9","tier_raw":"Statement","tier":4,"seq":226,"title":null,"description":"Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. (FFIEC Information Security Booklet, page 21)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.10","id_raw":"D3.PC.Am.B.10","tier_raw":"Statement","tier":4,"seq":227,"title":null,"description":"Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) (FFIEC Information Security Booklet, page 64)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.11","id_raw":"D3.PC.Am.B.11","tier_raw":"Statement","tier":4,"seq":228,"title":null,"description":"Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. (FFIEC Information Security Booklet, page 47)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.12","id_raw":"D3.PC.Am.B.12","tier_raw":"Statement","tier":4,"seq":229,"title":null,"description":"All passwords are encrypted in storage and in transit. 
(FFIEC Information Security Booklet, page 21)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.13","id_raw":"D3.PC.Am.B.13","tier_raw":"Statement","tier":4,"seq":230,"title":null,"description":"Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (FFIEC Information Security Booklet, page 51)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.14","id_raw":"D3.PC.Am.B.14","tier_raw":"Statement","tier":4,"seq":231,"title":null,"description":"Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (FFIEC Information Security Booklet, page 51)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.15","id_raw":"D3.PC.Am.B.15","tier_raw":"Statement","tier":4,"seq":232,"title":null,"description":"Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.16","id_raw":"D3.PC.Am.B.16","tier_raw":"Statement","tier":4,"seq":233,"title":null,"description":"Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. (FFIEC Information Security Booklet, page 25)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.17","id_raw":"D3.PC.Am.B.17","tier_raw":"Statement","tier":4,"seq":234,"title":null,"description":"Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. 
(FFIEC Information Security Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.b.18","id_raw":"D3.PC.Am.B.18","tier_raw":"Statement","tier":4,"seq":235,"title":null,"description":"Data is disposed of or destroyed according to documented requirements and within expected time frames. (FFIEC Information Security Booklet, page 66)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e.1","id_raw":"D3.PC.Am.E.1","tier_raw":"Statement","tier":4,"seq":236,"title":null,"description":"Changes to user access permissions trigger automated notices to appropriate personnel."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e.2","id_raw":"D3.PC.Am.E.2","tier_raw":"Statement","tier":4,"seq":237,"title":null,"description":"Administrators have two accounts: one for administrative use and one for general purpose, non-administrative tasks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e.3","id_raw":"D3.PC.Am.E.3","tier_raw":"Statement","tier":4,"seq":238,"title":null,"description":"Use of customer data in non-production environments complies with legal, regulatory, and internal policy requirements for concealing or removing of sensitive data elements."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e.4","id_raw":"D3.PC.Am.E.4","tier_raw":"Statement","tier":4,"seq":239,"title":null,"description":"Physical access to high-risk or confidential systems is restricted, logged, and unauthorized access is blocked."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.e.5","id_raw":"D3.PC.Am.E.5","tier_raw":"Statement","tier":4,"seq":240,"title":null,"description":"Controls are in place to prevent unauthorized access to cryptographic keys."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.1","id_raw":"D3.PC.Am.Int.1","tier_raw":"Statement","tier":4,"seq":241,"title":null,"description":"The institution has implemented tools to prevent unauthorized 
access to or exfiltration of confidential data."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.2","id_raw":"D3.PC.Am.Int.2","tier_raw":"Statement","tier":4,"seq":242,"title":null,"description":"Controls are in place to prevent unauthorized escalation of user privileges."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.3","id_raw":"D3.PC.Am.Int.3","tier_raw":"Statement","tier":4,"seq":243,"title":null,"description":"Access controls are in place for database administrators to prevent unauthorized downloading or transmission of confidential data."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.4","id_raw":"D3.PC.Am.Int.4","tier_raw":"Statement","tier":4,"seq":244,"title":null,"description":"All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.5","id_raw":"D3.PC.Am.Int.5","tier_raw":"Statement","tier":4,"seq":245,"title":null,"description":"Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.6","id_raw":"D3.PC.Am.Int.6","tier_raw":"Statement","tier":4,"seq":246,"title":null,"description":"Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). 
(*N/A if no high risk systems.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.7","id_raw":"D3.PC.Am.Int.7","tier_raw":"Statement","tier":4,"seq":247,"title":null,"description":"Confidential data are encrypted in transit across private connections (e.g., frame relay and T1) and within the institution’s trusted zones."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.int.8","id_raw":"D3.PC.Am.Int.8","tier_raw":"Statement","tier":4,"seq":248,"title":null,"description":"Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (* N/A if collaborative computing devices are not used.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.a.1","id_raw":"D3.PC.Am.A.1","tier_raw":"Statement","tier":4,"seq":249,"title":null,"description":"Encryption of select data at rest is determined by the institution’s data classification and risk assessment."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.a.2","id_raw":"D3.PC.Am.A.2","tier_raw":"Statement","tier":4,"seq":250,"title":null,"description":"Customer authentication for high-risk transactions includes methods to prevent malware and man-in-the-middle attacks (e.g., using visual transaction signing)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn.1","id_raw":"D3.PC.Am.Inn.1","tier_raw":"Statement","tier":4,"seq":251,"title":null,"description":"Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn.2","id_raw":"D3.PC.Am.Inn.2","tier_raw":"Statement","tier":4,"seq":252,"title":null,"description":"Unstructured confidential data are tracked and secured through an identity-aware, 
cross-platform storage system that protects against internal threats, monitors user access, and tracks changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn.3","id_raw":"D3.PC.Am.Inn.3","tier_raw":"Statement","tier":4,"seq":253,"title":null,"description":"Tokenization is used to substitute unique values for confidential information (e.g., virtual credit card)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn.4","id_raw":"D3.PC.Am.Inn.4","tier_raw":"Statement","tier":4,"seq":254,"title":null,"description":"The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.am.inn.5","id_raw":"D3.PC.Am.Inn.5","tier_raw":"Statement","tier":4,"seq":255,"title":null,"description":"Real-time risk mitigation is taken based on automated risk scoring of user credentials."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.b.1","id_raw":"D3.PC.De.B.1","tier_raw":"Statement","tier":4,"seq":256,"title":null,"description":"Controls are in place to restrict the use of removable media to authorized personnel. 
(FFIEC Information Security Work Program, Objective I: 4-1)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.1","id_raw":"D3.PC.De.E.1","tier_raw":"Statement","tier":4,"seq":257,"title":null,"description":"Tools automatically block attempted access from unpatched employee and third-party devices."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.2","id_raw":"D3.PC.De.E.2","tier_raw":"Statement","tier":4,"seq":258,"title":null,"description":"Tools automatically block attempted access by unregistered devices to internal networks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.3","id_raw":"D3.PC.De.E.3","tier_raw":"Statement","tier":4,"seq":259,"title":null,"description":"The institution has controls to prevent the unauthorized addition of new connections."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.4","id_raw":"D3.PC.De.E.4","tier_raw":"Statement","tier":4,"seq":260,"title":null,"description":"Controls are in place to prevent unauthorized individuals from copying confidential data to removable media."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.5","id_raw":"D3.PC.De.E.5","tier_raw":"Statement","tier":4,"seq":261,"title":null,"description":"Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.6","id_raw":"D3.PC.De.E.6","tier_raw":"Statement","tier":4,"seq":262,"title":null,"description":"Mobile devices with access to the institution’s data are centrally managed for antivirus and patch deployment. (*N/A if mobile devices are not used.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.e.7","id_raw":"D3.PC.De.E.7","tier_raw":"Statement","tier":4,"seq":263,"title":null,"description":"The institution wipes data remotely on mobile devices when a device is missing or stolen. 
(*N/A if mobile devices are not used.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.int.1","id_raw":"D3.PC.De.Int.1","tier_raw":"Statement","tier":4,"seq":264,"title":null,"description":"Data loss prevention controls or devices are implemented for inbound and outbound communications (e.g., e-mail, FTP, Telnet, prevention of large file transfers)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.int.2","id_raw":"D3.PC.De.Int.2","tier_raw":"Statement","tier":4,"seq":265,"title":null,"description":"Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.int.3","id_raw":"D3.PC.De.Int.3","tier_raw":"Statement","tier":4,"seq":266,"title":null,"description":"Mobile devices connecting to the corporate network for storing and accessing company information allow for remote software version/patch validation. (*N/A if mobile devices are not used.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.a.1","id_raw":"D3.PC.De.A.1","tier_raw":"Statement","tier":4,"seq":267,"title":null,"description":"Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.a.2","id_raw":"D3.PC.De.A.2","tier_raw":"Statement","tier":4,"seq":268,"title":null,"description":"Confidential data and applications on mobile devices are only accessible via a secure, isolated sandbox or a secure container."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.de.inn.1","id_raw":"D3.PC.De.Inn.1","tier_raw":"Statement","tier":4,"seq":269,"title":null,"description":"A centralized end-point management tool provides fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon 
arrival to prevent an exploit."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.b.1","id_raw":"D3.PC.Se.B.1","tier_raw":"Statement","tier":4,"seq":270,"title":null,"description":"Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards. (FFIEC Information Security Booklet, page 56)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.b.2","id_raw":"D3.PC.Se.B.2","tier_raw":"Statement","tier":4,"seq":271,"title":null,"description":"The security controls of internally developed software are periodically reviewed and tested. (*N/A if there is no software development.) (FFIEC Information Security Booklet, page 59)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.b.3","id_raw":"D3.PC.Se.B.3","tier_raw":"Statement","tier":4,"seq":272,"title":null,"description":"The security controls in internally developed software code are independently reviewed before migrating the code to production. (*N/A if there is no software development.) (FFIEC Development and Acquisition Booklet, page 2)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.b.4","id_raw":"D3.PC.Se.B.4","tier_raw":"Statement","tier":4,"seq":273,"title":null,"description":"Intellectual property and production code are held in escrow. (*N/A if there is no production code to hold in escrow.) (FFIEC Development and Acquisition Booklet, page 39)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.e.1","id_raw":"D3.PC.Se.E.1","tier_raw":"Statement","tier":4,"seq":274,"title":null,"description":"Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. 
(*N/A if there is no software development.)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.int.1","id_raw":"D3.PC.Se.Int.1","tier_raw":"Statement","tier":4,"seq":275,"title":null,"description":"Processes are in place to mitigate vulnerabilities identified as part of the secure development of systems and applications."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.int.2","id_raw":"D3.PC.Se.Int.2","tier_raw":"Statement","tier":4,"seq":276,"title":null,"description":"The security of applications, including Web-based applications connected to the Internet, is tested against known types of cyber attacks (e.g., SQL injection, cross-site scripting, buffer overflow) before implementation or following significant changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.int.3","id_raw":"D3.PC.Se.Int.3","tier_raw":"Statement","tier":4,"seq":277,"title":null,"description":"Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.int.4","id_raw":"D3.PC.Se.Int.4","tier_raw":"Statement","tier":4,"seq":278,"title":null,"description":"A risk-based, independent information assurance function evaluates the security of internal applications."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.a.1","id_raw":"D3.PC.Se.A.1","tier_raw":"Statement","tier":4,"seq":279,"title":null,"description":"Vulnerabilities identified through a static code analysis are remediated before implementing newly developed or changed applications into production."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.a.2","id_raw":"D3.PC.Se.A.2","tier_raw":"Statement","tier":4,"seq":280,"title":null,"description":"All interdependencies between applications and services have been identified."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.a.3","id_raw":"D3.PC.Se.A.3","tier_raw":"Statement","tier":4,"seq":281,"title":null,"description":"Independent code reviews are completed on internally developed or vendor-provided custom applications to ensure there are no security gaps."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.pc.se.inn.1","id_raw":"D3.PC.Se.Inn.1","tier_raw":"Statement","tier":4,"seq":282,"title":null,"description":"Software code is actively scanned by automated tools in the development environment so that security weaknesses can be resolved immediately during the design phase."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.b.1","id_raw":"D3.DC.Th.B.1","tier_raw":"Statement","tier":4,"seq":283,"title":null,"description":"Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external- facing systems and the internal network. (FFIEC Information Security Booklet, page 61)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.b.2","id_raw":"D3.DC.Th.B.2","tier_raw":"Statement","tier":4,"seq":284,"title":null,"description":"Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.b.3","id_raw":"D3.DC.Th.B.3","tier_raw":"Statement","tier":4,"seq":285,"title":null,"description":"Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.b.4","id_raw":"D3.DC.Th.B.4","tier_raw":"Statement","tier":4,"seq":286,"title":null,"description":"E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links). 
(FFIEC Information Security Booklet, page 39)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.1","id_raw":"D3.DC.Th.E.1","tier_raw":"Statement","tier":4,"seq":287,"title":null,"description":"Independent penetration testing of network boundary and critical Web- facing applications is performed routinely to identify security control gaps."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.2","id_raw":"D3.DC.Th.E.2","tier_raw":"Statement","tier":4,"seq":288,"title":null,"description":"Independent penetration testing is performed on Internet-facing applications or systems before they are launched or undergo significant change."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.3","id_raw":"D3.DC.Th.E.3","tier_raw":"Statement","tier":4,"seq":289,"title":null,"description":"Antivirus and anti-malware tools are updated automatically."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.4","id_raw":"D3.DC.Th.E.4","tier_raw":"Statement","tier":4,"seq":290,"title":null,"description":"Firewall rules are updated routinely."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.5","id_raw":"D3.DC.Th.E.5","tier_raw":"Statement","tier":4,"seq":291,"title":null,"description":"Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.e.6","id_raw":"D3.DC.Th.E.6","tier_raw":"Statement","tier":4,"seq":292,"title":null,"description":"Processes are in place to monitor potential insider activity that could lead to data theft or destruction."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.int.1","id_raw":"D3.DC.Th.Int.1","tier_raw":"Statement","tier":4,"seq":293,"title":null,"description":"Audit or risk management resources review the penetration testing scope and results to help determine the need for rotating companies based on the quality of the work."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.int.2","id_raw":"D3.DC.Th.Int.2","tier_raw":"Statement","tier":4,"seq":294,"title":null,"description":"E-mails and attachments are automatically scanned to detect malware and are blocked when malware is present."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.a.1","id_raw":"D3.DC.Th.A.1","tier_raw":"Statement","tier":4,"seq":295,"title":null,"description":"Weekly vulnerability scanning is rotated among environments to scan all environments throughout the year."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.a.2","id_raw":"D3.DC.Th.A.2","tier_raw":"Statement","tier":4,"seq":296,"title":null,"description":"Penetration tests include cyber attack simulations and/or real-world tactics and techniques such as red team testing to detect control gaps in employee behavior, security defenses, policies, and resources."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.a.3","id_raw":"D3.DC.Th.A.3","tier_raw":"Statement","tier":4,"seq":297,"title":null,"description":"Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider threat."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.inn.1","id_raw":"D3.DC.Th.Inn.1","tier_raw":"Statement","tier":4,"seq":298,"title":null,"description":"User tasks and content (e.g., opening an e-mail attachment) are automatically isolated in a secure container or virtual environment so that malware can be analyzed but cannot access vital data, end-point operating systems, or applications on the institution’s network."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.th.inn.2","id_raw":"D3.DC.Th.Inn.2","tier_raw":"Statement","tier":4,"seq":299,"title":null,"description":"Vulnerability scanning is performed on a weekly basis across all environments."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b.1","id_raw":"D3.DC.An.B.1","tier_raw":"Statement","tier":4,"seq":300,"title":null,"description":"The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b.2","id_raw":"D3.DC.An.B.2","tier_raw":"Statement","tier":4,"seq":301,"title":null,"description":"Customer transactions generating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b.3","id_raw":"D3.DC.An.B.3","tier_raw":"Statement","tier":4,"seq":302,"title":null,"description":"Logs of physical and/or logical access are reviewed following events. (FFIEC Information Security Booklet, page 73)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b.4","id_raw":"D3.DC.An.B.4","tier_raw":"Statement","tier":4,"seq":303,"title":null,"description":"Access to critical systems by third parties is monitored for unauthorized or unusual activity. (FFIEC Outsourcing Booklet, page 26)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.b.5","id_raw":"D3.DC.An.B.5","tier_raw":"Statement","tier":4,"seq":304,"title":null,"description":"Elevated privileges are monitored. 
(FFIEC Information Security Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.e.1","id_raw":"D3.DC.An.E.1","tier_raw":"Statement","tier":4,"seq":305,"title":null,"description":"Systems are in place to detect anomalous behavior automatically during customer, employee, and third-party authentication."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.e.2","id_raw":"D3.DC.An.E.2","tier_raw":"Statement","tier":4,"seq":306,"title":null,"description":"Security logs are reviewed regularly."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.e.3","id_raw":"D3.DC.An.E.3","tier_raw":"Statement","tier":4,"seq":307,"title":null,"description":"Logs provide traceability for all system access by individual users. "} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.e.4","id_raw":"D3.DC.An.E.4","tier_raw":"Statement","tier":4,"seq":308,"title":null,"description":"Thresholds have been established to determine activity within logs that would warrant management response."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.1","id_raw":"D3.DC.An.Int.1","tier_raw":"Statement","tier":4,"seq":309,"title":null,"description":"Online customer transactions are actively monitored for anomalous behavior."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.2","id_raw":"D3.DC.An.Int.2","tier_raw":"Statement","tier":4,"seq":310,"title":null,"description":"Tools to detect unauthorized data mining are used."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.3","id_raw":"D3.DC.An.Int.3","tier_raw":"Statement","tier":4,"seq":311,"title":null,"description":"Tools actively monitor security logs for anomalous behavior and alert within established parameters."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.4","id_raw":"D3.DC.An.Int.4","tier_raw":"Statement","tier":4,"seq":312,"title":null,"description":"Audit logs are backed up to a 
centralized log server or media that is difficult to alter."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.5","id_raw":"D3.DC.An.Int.5","tier_raw":"Statement","tier":4,"seq":313,"title":null,"description":"Thresholds for security logging are evaluated periodically."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.int.6","id_raw":"D3.DC.An.Int.6","tier_raw":"Statement","tier":4,"seq":314,"title":null,"description":"Anomalous activity and other network and system alerts are correlated across business units to detect and prevent multifaceted attacks (e.g., simultaneous account takeover and DDoS attack)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a.1","id_raw":"D3.DC.An.A.1","tier_raw":"Statement","tier":4,"seq":315,"title":null,"description":"An automated tool triggers system and/or fraud alerts when customer logins occur within a short period of time but from physically distant IP locations."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a.2","id_raw":"D3.DC.An.A.2","tier_raw":"Statement","tier":4,"seq":316,"title":null,"description":"External transfers from customer accounts generate alerts and require review and authorization if anomalous behavior is detected."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a.3","id_raw":"D3.DC.An.A.3","tier_raw":"Statement","tier":4,"seq":317,"title":null,"description":"A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a.4","id_raw":"D3.DC.An.A.4","tier_raw":"Statement","tier":4,"seq":318,"title":null,"description":"An automated tool(s) is in place to detect and prevent data mining by insider threats."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.a.5","id_raw":"D3.DC.An.A.5","tier_raw":"Statement","tier":4,"seq":319,"title":null,"description":"Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious activity when the data is accessed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.inn.1","id_raw":"D3.DC.An.Inn.1","tier_raw":"Statement","tier":4,"seq":320,"title":null,"description":"The institution has a mechanism for real-time automated risk scoring of threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.an.inn.2","id_raw":"D3.DC.An.Inn.2","tier_raw":"Statement","tier":4,"seq":321,"title":null,"description":"The institution is developing new technologies that will detect potential insider threats and block activity in real time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b.1","id_raw":"D3.DC.Ev.B.1","tier_raw":"Statement","tier":4,"seq":322,"title":null,"description":"A normal network activity baseline is established. (FFIEC Information\nSecurity Booklet, page 77)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b.2","id_raw":"D3.DC.Ev.B.2","tier_raw":"Statement","tier":4,"seq":323,"title":null,"description":"Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. (FFIEC Information Security Booklet, page 78)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b.3","id_raw":"D3.DC.Ev.B.3","tier_raw":"Statement","tier":4,"seq":324,"title":null,"description":"Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. 
(FFIEC Information Security Work Program, Objective II: M-9)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b.4","id_raw":"D3.DC.Ev.B.4","tier_raw":"Statement","tier":4,"seq":325,"title":null,"description":"Responsibilities for monitoring and reporting suspicious systems activity have been assigned. (FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.b.5","id_raw":"D3.DC.Ev.B.5","tier_raw":"Statement","tier":4,"seq":326,"title":null,"description":"The physical environment is monitored to detect potential unauthorized access. (FFIEC Information Security Booklet, page 47)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.e.1","id_raw":"D3.DC.Ev.E.1","tier_raw":"Statement","tier":4,"seq":327,"title":null,"description":"A process is in place to correlate event information from multiple sources\n(e.g., network, application, or firewall)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.int.1","id_raw":"D3.DC.Ev.Int.1","tier_raw":"Statement","tier":4,"seq":328,"title":null,"description":"Controls or tools (e.g., data loss prevention) are in place to detect potential unauthorized or unintentional transmissions of confidential data."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.int.2","id_raw":"D3.DC.Ev.Int.2","tier_raw":"Statement","tier":4,"seq":329,"title":null,"description":"Event detection processes are proven reliable."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.int.3","id_raw":"D3.DC.Ev.Int.3","tier_raw":"Statement","tier":4,"seq":330,"title":null,"description":"Specialized security monitoring is used for critical assets throughout the infrastructure."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.a.1","id_raw":"D3.DC.Ev.A.1","tier_raw":"Statement","tier":4,"seq":331,"title":null,"description":"Automated tools detect unauthorized changes to critical system files, firewalls, IPS, 
IDS, or other security devices."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.a.2","id_raw":"D3.DC.Ev.A.2","tier_raw":"Statement","tier":4,"seq":332,"title":null,"description":"Real-time network monitoring and detection is implemented and incorporates sector-wide event information."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.a.3","id_raw":"D3.DC.Ev.A.3","tier_raw":"Statement","tier":4,"seq":333,"title":null,"description":"Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.a.4","id_raw":"D3.DC.Ev.A.4","tier_raw":"Statement","tier":4,"seq":334,"title":null,"description":"Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.inn.1","id_raw":"D3.DC.Ev.Inn.1","tier_raw":"Statement","tier":4,"seq":335,"title":null,"description":"The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.dc.ev.inn.2","id_raw":"D3.DC.Ev.Inn.2","tier_raw":"Statement","tier":4,"seq":336,"title":null,"description":"The institution is leading the development effort to design new technologies that will detect potential insider threats and block activity in real time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.b.1","id_raw":"D3.CC.Pa.B.1","tier_raw":"Statement","tier":4,"seq":337,"title":null,"description":"A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. 
(FFIEC Information Security Booklet, page 62)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.b.2","id_raw":"D3.CC.Pa.B.2","tier_raw":"Statement","tier":4,"seq":338,"title":null,"description":"Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.b.3","id_raw":"D3.CC.Pa.B.3","tier_raw":"Statement","tier":4,"seq":339,"title":null,"description":"Patch management reports are reviewed and reflect missing security patches. (FFIEC Development and Acquisition Booklet, page 50)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e.1","id_raw":"D3.CC.Pa.E.1","tier_raw":"Statement","tier":4,"seq":340,"title":null,"description":"A formal process is in place to acquire, test, and deploy software patches based on criticality."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e.2","id_raw":"D3.CC.Pa.E.2","tier_raw":"Statement","tier":4,"seq":341,"title":null,"description":"Systems are configured to retrieve patches automatically. 
"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e.3","id_raw":"D3.CC.Pa.E.3","tier_raw":"Statement","tier":4,"seq":342,"title":null,"description":"Operational impact is evaluated before deploying security patches."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e.4","id_raw":"D3.CC.Pa.E.4","tier_raw":"Statement","tier":4,"seq":343,"title":null,"description":"An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.e.5","id_raw":"D3.CC.Pa.E.5","tier_raw":"Statement","tier":4,"seq":344,"title":null,"description":"Missing patches across all environments are prioritized and tracked."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.int.1","id_raw":"D3.CC.Pa.Int.1","tier_raw":"Statement","tier":4,"seq":345,"title":null,"description":"Patches for high-risk vulnerabilities are tested and applied when released or the risk is accepted and accountability assigned."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.a.1","id_raw":"D3.CC.Pa.A.1","tier_raw":"Statement","tier":4,"seq":346,"title":null,"description":"Patch monitoring software is installed on all servers to identify any missing patches for the operating system software, middleware, database, and other key software."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.a.2","id_raw":"D3.CC.Pa.A.2","tier_raw":"Statement","tier":4,"seq":347,"title":null,"description":"The institution monitors patch management reports to ensure security patches are tested and implemented within aggressive time frames (e.g., 0-30 days)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.inn.1","id_raw":"D3.CC.Pa.Inn.1","tier_raw":"Statement","tier":4,"seq":348,"title":null,"description":"The institution develops security patches or bug fixes or contributes to open source code development for 
systems it uses."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.pa.inn.2","id_raw":"D3.CC.Pa.Inn.2","tier_raw":"Statement","tier":4,"seq":349,"title":null,"description":"Segregated or separate systems are in place that mirror production systems allowing for rapid testing and implementation of patches and provide for rapid fallback when needed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.b.1","id_raw":"D3.CC.Re.B.1","tier_raw":"Statement","tier":4,"seq":350,"title":null,"description":"Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report. (FFIEC Information Security Booklet, page 87)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.e.1","id_raw":"D3.CC.Re.E.1","tier_raw":"Statement","tier":4,"seq":351,"title":null,"description":"Data is destroyed or wiped on hardware and portable/mobile media when a device is missing, stolen, or no longer needed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.e.2","id_raw":"D3.CC.Re.E.2","tier_raw":"Statement","tier":4,"seq":352,"title":null,"description":"Formal processes are in place to resolve weaknesses identified during penetration testing."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.1","id_raw":"D3.CC.Re.Int.1","tier_raw":"Statement","tier":4,"seq":353,"title":null,"description":"Remediation efforts are confirmed by conducting a follow-up vulnerability scan."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.2","id_raw":"D3.CC.Re.Int.2","tier_raw":"Statement","tier":4,"seq":354,"title":null,"description":"Penetration testing is repeated to confirm that medium- and high-risk, exploitable vulnerabilities have been resolved."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.3","id_raw":"D3.CC.Re.Int.3","tier_raw":"Statement","tier":4,"seq":355,"title":null,"description":"Security investigations, forensic analysis, and remediation are performed by qualified staff or third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.4","id_raw":"D3.CC.Re.Int.4","tier_raw":"Statement","tier":4,"seq":356,"title":null,"description":"Generally accepted and appropriate forensic procedures, including chain of custody, are used to gather and present evidence to support potential legal action."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.5","id_raw":"D3.CC.Re.Int.5","tier_raw":"Statement","tier":4,"seq":357,"title":null,"description":"The maintenance and repair of organizational assets are performed by authorized individuals with approved and controlled tools."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.int.6","id_raw":"D3.CC.Re.Int.6","tier_raw":"Statement","tier":4,"seq":358,"title":null,"description":"The maintenance and repair of organizational assets are logged in a timely manner."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.a.1","id_raw":"D3.CC.Re.A.1","tier_raw":"Statement","tier":4,"seq":359,"title":null,"description":"All medium and high risk issues identified in penetration testing, vulnerability scanning, and other independent testing are escalated to the board or an appropriate board committee for risk acceptance if not resolved in a timely manner."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d3.cc.re.inn.1","id_raw":"D3.CC.Re.Inn.1","tier_raw":"Statement","tier":4,"seq":360,"title":null,"description":"The institution is developing technologies that will remediate systems damaged by zero-day attacks to maintain current recovery time objectives."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.b.1","id_raw":"D4.C.Co.B.1","tier_raw":"Statement","tier":4,"seq":361,"title":null,"description":"The critical business processes that are dependent on external connectivity have been identified. (FFIEC Information Security Booklet, page 9)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.b.2","id_raw":"D4.C.Co.B.2","tier_raw":"Statement","tier":4,"seq":362,"title":null,"description":"The institution ensures that third-party connections are authorized. (FFIEC Information Security Booklet, page 17)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.b.3","id_raw":"D4.C.Co.B.3","tier_raw":"Statement","tier":4,"seq":363,"title":null,"description":"A network diagram is in place and identifies all external connections. (FFIEC Information Security Booklet, page 9)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.b.4","id_raw":"D4.C.Co.B.4","tier_raw":"Statement","tier":4,"seq":364,"title":null,"description":"Data flow diagrams are in place and document information flow to external parties. 
(FFIEC Information Security Booklet, page 10)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.e.1","id_raw":"D4.C.Co.E.1","tier_raw":"Statement","tier":4,"seq":365,"title":null,"description":"Critical business processes have been mapped to the supporting external connections."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.e.2","id_raw":"D4.C.Co.E.2","tier_raw":"Statement","tier":4,"seq":366,"title":null,"description":"The network diagram is updated when connections with third parties change or at least annually."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.e.3","id_raw":"D4.C.Co.E.3","tier_raw":"Statement","tier":4,"seq":367,"title":null,"description":"Network and systems diagrams are stored in a secure manner with proper restrictions on access."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.e.4","id_raw":"D4.C.Co.E.4","tier_raw":"Statement","tier":4,"seq":368,"title":null,"description":"Controls for primary and backup third-party connections are monitored and tested on a regular basis."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.int.1","id_raw":"D4.C.Co.Int.1","tier_raw":"Statement","tier":4,"seq":369,"title":null,"description":"A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.int.2","id_raw":"D4.C.Co.Int.2","tier_raw":"Statement","tier":4,"seq":370,"title":null,"description":"Security controls are designed and verified to detect and prevent intrusions from third-party connections."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.int.3","id_raw":"D4.C.Co.Int.3","tier_raw":"Statement","tier":4,"seq":371,"title":null,"description":"Monitoring controls cover all external connections (e.g., third-party service providers, business partners, customers)."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.int.4","id_raw":"D4.C.Co.Int.4","tier_raw":"Statement","tier":4,"seq":372,"title":null,"description":"Monitoring controls cover all internal network-to-network connections."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.a.1","id_raw":"D4.C.Co.A.1","tier_raw":"Statement","tier":4,"seq":373,"title":null,"description":"The security architecture is validated and documented before network connection infrastructure changes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.a.2","id_raw":"D4.C.Co.A.2","tier_raw":"Statement","tier":4,"seq":374,"title":null,"description":"The institution works closely with third-party service providers to maintain and improve the security of external connections."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.inn.1","id_raw":"D4.C.Co.Inn.1","tier_raw":"Statement","tier":4,"seq":375,"title":null,"description":"Diagram(s) of external connections is interactive, shows real-time changes to the network connection infrastructure, new connections, and volume fluctuations, and alerts when risks arise."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.c.co.inn.2","id_raw":"D4.C.Co.Inn.2","tier_raw":"Statement","tier":4,"seq":376,"title":null,"description":"The institution's connections can be segmented or severed instantaneously to prevent contagion from cyber attacks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.b.1","id_raw":"D4.RM.Dd.B.1","tier_raw":"Statement","tier":4,"seq":377,"title":null,"description":"Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. 
(FFIEC Information Security Booklet, page 69)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.b.2","id_raw":"D4.RM.Dd.B.2","tier_raw":"Statement","tier":4,"seq":378,"title":null,"description":"A list of third-party service providers is maintained. (FFIEC Outsourcing Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.b.3","id_raw":"D4.RM.Dd.B.3","tier_raw":"Statement","tier":4,"seq":379,"title":null,"description":"A risk assessment is conducted to identify criticality of service providers. (FFIEC Outsourcing Booklet, page 6)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.e.1","id_raw":"D4.RM.Dd.E.1","tier_raw":"Statement","tier":4,"seq":380,"title":null,"description":"A formal process exists to analyze assessments of third-party cybersecurity controls."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.e.2","id_raw":"D4.RM.Dd.E.2","tier_raw":"Statement","tier":4,"seq":381,"title":null,"description":"The board or an appropriate board committee reviews a summary of due diligence results including management’s recommendations to use third parties that will affect the institution’s inherent risk profile."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.int.1","id_raw":"D4.RM.Dd.Int.1","tier_raw":"Statement","tier":4,"seq":382,"title":null,"description":"A process is in place to confirm that the institution’s third-party service providers conduct due diligence of their third parties (e.g., subcontractors)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.int.2","id_raw":"D4.RM.Dd.Int.2","tier_raw":"Statement","tier":4,"seq":383,"title":null,"description":"Pre-contract, physical site visits of high-risk vendors are conducted by the institution or by a qualified third party."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.a.1","id_raw":"D4.RM.Dd.A.1","tier_raw":"Statement","tier":4,"seq":384,"title":null,"description":"A 
continuous process improvement program is in place for third-party due diligence activity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.a.2","id_raw":"D4.RM.Dd.A.2","tier_raw":"Statement","tier":4,"seq":385,"title":null,"description":"Audits of high-risk vendors are conducted on an annual basis."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.inn.1","id_raw":"D4.RM.Dd.Inn.1","tier_raw":"Statement","tier":4,"seq":386,"title":null,"description":"The institution promotes sector-wide efforts to build due diligence mechanisms that lead to in-depth and efficient security and resilience reviews."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.dd.inn.2","id_raw":"D4.RM.Dd.Inn.2","tier_raw":"Statement","tier":4,"seq":387,"title":null,"description":"The institution is leading efforts to develop new auditable processes and for conducting due diligence and ongoing monitoring of cybersecurity risks posed by third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.1","id_raw":"D4.RM.Co.B.1","tier_raw":"Statement","tier":4,"seq":388,"title":null,"description":"Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services. (FFIEC Information Security Booklet, page 7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.2","id_raw":"D4.RM.Co.B.2","tier_raw":"Statement","tier":4,"seq":389,"title":null,"description":"Contracts acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits. 
(FFIEC Information Security Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.3","id_raw":"D4.RM.Co.B.3","tier_raw":"Statement","tier":4,"seq":390,"title":null,"description":"Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party. (FFIEC Information Security Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.4","id_raw":"D4.RM.Co.B.4","tier_raw":"Statement","tier":4,"seq":391,"title":null,"description":"Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements. (FFIEC Outsourcing Booklet, page 12)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.5","id_raw":"D4.RM.Co.B.5","tier_raw":"Statement","tier":4,"seq":392,"title":null,"description":"Contracts establish responsibilities for responding to security incidents. (FFIEC E-Banking Booklet, page 22)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.b.6","id_raw":"D4.RM.Co.B.6","tier_raw":"Statement","tier":4,"seq":393,"title":null,"description":"Contracts specify the security requirements for the return or destruction of data upon contract termination. 
(FFIEC Outsourcing Booklet, page 15)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.e.1","id_raw":"D4.RM.Co.E.1","tier_raw":"Statement","tier":4,"seq":394,"title":null,"description":"Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.e.2","id_raw":"D4.RM.Co.E.2","tier_raw":"Statement","tier":4,"seq":395,"title":null,"description":"Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.e.3","id_raw":"D4.RM.Co.E.3","tier_raw":"Statement","tier":4,"seq":396,"title":null,"description":"Contracts stipulate geographic limits on where data can be stored or transmitted."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.int.1","id_raw":"D4.RM.Co.Int.1","tier_raw":"Statement","tier":4,"seq":397,"title":null,"description":"Third-party SLAs or similar means are in place that require timely notification of security events."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.a.1","id_raw":"D4.RM.Co.A.1","tier_raw":"Statement","tier":4,"seq":398,"title":null,"description":"Contracts require third-party service provider’s security policies meet or\nexceed those of the institution."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.a.2","id_raw":"D4.RM.Co.A.2","tier_raw":"Statement","tier":4,"seq":399,"title":null,"description":"A third-party termination/exit strategy has been established and validated with management."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.co.inn.1","id_raw":"D4.RM.Co.Inn.1","tier_raw":"Statement","tier":4,"seq":400,"title":null,"description":"The institution promotes a sector-wide effort to influence contractual requirements for critical 
third parties to the industry."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.b.1","id_raw":"D4.RM.Om.B.1","tier_raw":"Statement","tier":4,"seq":401,"title":null,"description":"The third-party risk assessment is updated regularly. (FFIEC Outsourcing Booklet, page 3)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.b.2","id_raw":"D4.RM.Om.B.2","tier_raw":"Statement","tier":4,"seq":402,"title":null,"description":"Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. (FFIEC Information Security Booklet, page 86)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.b.3","id_raw":"D4.RM.Om.B.3","tier_raw":"Statement","tier":4,"seq":403,"title":null,"description":"Ongoing monitoring practices include reviewing critical third-parties’ resilience plans. (FFIEC Outsourcing Booklet, page 19)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.e.1","id_raw":"D4.RM.Om.E.1","tier_raw":"Statement","tier":4,"seq":404,"title":null,"description":"A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.e.2","id_raw":"D4.RM.Om.E.2","tier_raw":"Statement","tier":4,"seq":405,"title":null,"description":"A formal program assigns responsibility for ongoing oversight of third- party access."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.e.3","id_raw":"D4.RM.Om.E.3","tier_raw":"Statement","tier":4,"seq":406,"title":null,"description":"Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.e.4","id_raw":"D4.RM.Om.E.4","tier_raw":"Statement","tier":4,"seq":407,"title":null,"description":"Automated reminders or ticklers 
are in place to identify when required third-party information needs to be obtained or analyzed."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.int.1","id_raw":"D4.RM.Om.Int.1","tier_raw":"Statement","tier":4,"seq":408,"title":null,"description":"Third-party employee access to the institution's confidential data are tracked actively based on the principles of least privilege."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.int.2","id_raw":"D4.RM.Om.Int.2","tier_raw":"Statement","tier":4,"seq":409,"title":null,"description":"Periodic on-site assessments of high-risk vendors are conducted to ensure appropriate security controls are in place."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.a.1","id_raw":"D4.RM.Om.A.1","tier_raw":"Statement","tier":4,"seq":410,"title":null,"description":"Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d4.rm.om.inn.1","id_raw":"D4.RM.Om.Inn.1","tier_raw":"Statement","tier":4,"seq":411,"title":null,"description":"The institution is leading efforts to develop new auditable processes for ongoing monitoring of cybersecurity risks posed by third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.1","id_raw":"D5.IR.Pl.B.1","tier_raw":"Statement","tier":4,"seq":412,"title":null,"description":"The institution has documented how it will react and respond to cyber incidents. (FFIEC Business Continuity Planning Booklet, page 4)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.2","id_raw":"D5.IR.Pl.B.2","tier_raw":"Statement","tier":4,"seq":413,"title":null,"description":"Communication channels exist to provide employees a means for reporting information security events in a timely manner. 
(FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.3","id_raw":"D5.IR.Pl.B.3","tier_raw":"Statement","tier":4,"seq":414,"title":null,"description":"Roles and responsibilities for incident response team members are defined. (FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.4","id_raw":"D5.IR.Pl.B.4","tier_raw":"Statement","tier":4,"seq":415,"title":null,"description":"The response team includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution (e.g., management, legal, public relations, as well as information technology). (FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.5","id_raw":"D5.IR.Pl.B.5","tier_raw":"Statement","tier":4,"seq":416,"title":null,"description":"A formal backup and recovery plan exists for all critical business lines. (FFIEC Business Continuity Planning Booklet, page 4)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.b.6","id_raw":"D5.IR.Pl.B.6","tier_raw":"Statement","tier":4,"seq":417,"title":null,"description":"The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. 
(FFIEC Information Security Booklet, page 71)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e.1","id_raw":"D5.IR.Pl.E.1","tier_raw":"Statement","tier":4,"seq":418,"title":null,"description":"The remediation plan and process outlines the mitigating actions, resources, and time parameters."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e.2","id_raw":"D5.IR.Pl.E.2","tier_raw":"Statement","tier":4,"seq":419,"title":null,"description":"The corporate disaster recovery, business continuity, and crisis management plans have integrated consideration of cyber incidents."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e.3","id_raw":"D5.IR.Pl.E.3","tier_raw":"Statement","tier":4,"seq":420,"title":null,"description":"Alternative processes have been established to continue critical activity within a reasonable time period."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e.4","id_raw":"D5.IR.Pl.E.4","tier_raw":"Statement","tier":4,"seq":421,"title":null,"description":"Business impact analyses have been updated to include cybersecurity."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.e.5","id_raw":"D5.IR.Pl.E.5","tier_raw":"Statement","tier":4,"seq":422,"title":null,"description":"Due diligence has been performed on technical sources, consultants, or forensic service firms that could be called to assist the institution during or following an incident."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.int.1","id_raw":"D5.IR.Pl.Int.1","tier_raw":"Statement","tier":4,"seq":423,"title":null,"description":"A strategy is in place to coordinate and communicate with internal and external stakeholders during or following a cyber attack."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.int.2","id_raw":"D5.IR.Pl.Int.2","tier_raw":"Statement","tier":4,"seq":424,"title":null,"description":"Plans are in place to re-route or substitute critical functions 
and/or services that may be affected by a successful attack on Internet-facing systems."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.int.3","id_raw":"D5.IR.Pl.Int.3","tier_raw":"Statement","tier":4,"seq":425,"title":null,"description":"A direct cooperative or contractual agreement(s) is in place with an incident response organization(s) or provider(s) to assist rapidly with mitigation efforts."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.int.4","id_raw":"D5.IR.Pl.Int.4","tier_raw":"Statement","tier":4,"seq":426,"title":null,"description":"Lessons learned from real-life cyber incidents and attacks on the institution and other organizations are used to improve the institution’s risk mitigation capabilities and response plan."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.a.1","id_raw":"D5.IR.Pl.A.1","tier_raw":"Statement","tier":4,"seq":427,"title":null,"description":"Methods for responding to and recovering from cyber incidents are tightly woven throughout the business units’ disaster recovery, business continuity, and crisis management plans."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.a.2","id_raw":"D5.IR.Pl.A.2","tier_raw":"Statement","tier":4,"seq":428,"title":null,"description":"Multiple systems, programs, or processes are implemented into a comprehensive cyber resilience program to sustain, minimize, and recover operations from an array of potentially disruptive and destructive cyber incidents."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.a.3","id_raw":"D5.IR.Pl.A.3","tier_raw":"Statement","tier":4,"seq":429,"title":null,"description":"A process is in place to continuously improve the resilience plan."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.inn.1","id_raw":"D5.IR.Pl.Inn.1","tier_raw":"Statement","tier":4,"seq":430,"title":null,"description":"The incident response plan is designed to ensure recovery from disruption of 
services, assurance of data integrity, and recovery of lost or corrupted data following a cybersecurity incident."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.pl.inn.2","id_raw":"D5.IR.Pl.Inn.2","tier_raw":"Statement","tier":4,"seq":431,"title":null,"description":"The incident response process includes detailed actions and rule- based triggers for automated response."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.b.1","id_raw":"D5.IR.Te.B.1","tier_raw":"Statement","tier":4,"seq":432,"title":null,"description":"Scenarios are used to improve incident detection and response.\n(FFIEC Information Security Booklet, page 71)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.b.2","id_raw":"D5.IR.Te.B.2","tier_raw":"Statement","tier":4,"seq":433,"title":null,"description":"Business continuity testing involves collaboration with critical third parties. (FFIEC Business Continuity Planning Booklet, page J-6)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.b.3","id_raw":"D5.IR.Te.B.3","tier_raw":"Statement","tier":4,"seq":434,"title":null,"description":"Systems, applications, and data recovery is tested at least annually. 
(FFIEC Business Continuity Planning Booklet, page J-7)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.e.1","id_raw":"D5.IR.Te.E.1","tier_raw":"Statement","tier":4,"seq":435,"title":null,"description":"Recovery scenarios include plans to recover from data destruction and impacts to data integrity, data loss, and system and data availability."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.e.2","id_raw":"D5.IR.Te.E.2","tier_raw":"Statement","tier":4,"seq":436,"title":null,"description":"Widely reported events are used to evaluate and improve the institution's response."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.e.3","id_raw":"D5.IR.Te.E.3","tier_raw":"Statement","tier":4,"seq":437,"title":null,"description":"Information backups are tested periodically to verify they are accessible and readable."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int.1","id_raw":"D5.IR.Te.Int.1","tier_raw":"Statement","tier":4,"seq":438,"title":null,"description":"Cyber-attack scenarios are analyzed to determine potential impact to critical business processes."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int.2","id_raw":"D5.IR.Te.Int.2","tier_raw":"Statement","tier":4,"seq":439,"title":null,"description":"The institution participates in sector-specific cyber exercises or scenarios (e.g., FS-ISAC Cyber Attack (against) Payment Processors (CAPP))."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int.3","id_raw":"D5.IR.Te.Int.3","tier_raw":"Statement","tier":4,"seq":440,"title":null,"description":"Resilience testing is based on analysis and identification of realistic and highly likely threats as well as new and emerging threats facing the institution."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int.4","id_raw":"D5.IR.Te.Int.4","tier_raw":"Statement","tier":4,"seq":441,"title":null,"description":"The critical online systems and processes are 
tested to withstand stresses for extended periods (e.g., DDoS)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.int.5","id_raw":"D5.IR.Te.Int.5","tier_raw":"Statement","tier":4,"seq":442,"title":null,"description":"The results of cyber event exercises are used to improve the incident response plan and automated triggers."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a.1","id_raw":"D5.IR.Te.A.1","tier_raw":"Statement","tier":4,"seq":443,"title":null,"description":"Resilience testing is comprehensive and coordinated across all critical business functions."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a.2","id_raw":"D5.IR.Te.A.2","tier_raw":"Statement","tier":4,"seq":444,"title":null,"description":"The institution validates that it is able to recover from cyber events similar to by known sophisticated attacks at other organizations."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a.3","id_raw":"D5.IR.Te.A.3","tier_raw":"Statement","tier":4,"seq":445,"title":null,"description":"Incident response testing evaluates the institution from an attacker's perspective to determine how the institution or its assets at critical third parties may be targeted."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a.4","id_raw":"D5.IR.Te.A.4","tier_raw":"Statement","tier":4,"seq":446,"title":null,"description":"The institution corrects root causes for problems discovered during cybersecurity resilience testing."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.a.5","id_raw":"D5.IR.Te.A.5","tier_raw":"Statement","tier":4,"seq":447,"title":null,"description":"Cybersecurity incident scenarios involving significant financial loss are used to stress test the institution's risk management."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.inn.1","id_raw":"D5.IR.Te.Inn.1","tier_raw":"Statement","tier":4,"seq":448,"title":null,"description":"The institution 
tests the ability to shift business processes or functions between different processing centers or technology systems for cyber incidents without interruption to business or loss of productivity or data."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.inn.2","id_raw":"D5.IR.Te.Inn.2","tier_raw":"Statement","tier":4,"seq":449,"title":null,"description":"The institution has validated that it is able to remediate systems damaged by zero-day attacks to maintain current recovery time objectives."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.inn.3","id_raw":"D5.IR.Te.Inn.3","tier_raw":"Statement","tier":4,"seq":450,"title":null,"description":"The institution is leading the development of more realistic test environments."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.ir.te.inn.4","id_raw":"D5.IR.Te.Inn.4","tier_raw":"Statement","tier":4,"seq":451,"title":null,"description":"Cyber incident scenarios are used to stress test potential financial losses across the sector."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.b.1","id_raw":"D5.DR.De.B.1","tier_raw":"Statement","tier":4,"seq":452,"title":null,"description":"Alert parameters are set for detecting information security incidents that prompt mitigating actions. (FFIEC Information Security Booklet, page 43)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.b.2","id_raw":"D5.DR.De.B.2","tier_raw":"Statement","tier":4,"seq":453,"title":null,"description":"System performance reports contain information that can be used as a risk indicator to detect information security incidents. (FFIEC Information Security Booklet, page 86)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.b.3","id_raw":"D5.DR.De.B.3","tier_raw":"Statement","tier":4,"seq":454,"title":null,"description":"Tools and processes are in place to detect, alert, and trigger the incident response program. 
(FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.e.1","id_raw":"D5.DR.De.E.1","tier_raw":"Statement","tier":4,"seq":455,"title":null,"description":"The institution has processes to detect and alert the incident response team when potential insider activity manifests that could lead to data theft or destruction."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int.1","id_raw":"D5.DR.De.Int.1","tier_raw":"Statement","tier":4,"seq":456,"title":null,"description":"The incident response program is triggered when anomalous behaviors and attack patterns or signatures are detected."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int.2","id_raw":"D5.DR.De.Int.2","tier_raw":"Statement","tier":4,"seq":457,"title":null,"description":"The institution has the ability to discover infiltration, before the attacker traverses across systems, establishes a foothold, steals information, or causes damage to data and systems."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int.3","id_raw":"D5.DR.De.Int.3","tier_raw":"Statement","tier":4,"seq":458,"title":null,"description":"Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int.4","id_raw":"D5.DR.De.Int.4","tier_raw":"Statement","tier":4,"seq":459,"title":null,"description":"Network and system alerts are correlated across business units to better detect and prevent multifaceted attacks (e.g., simultaneous DDoS attack and account takeover)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.int.5","id_raw":"D5.DR.De.Int.5","tier_raw":"Statement","tier":4,"seq":460,"title":null,"description":"Incident detection processes are capable of correlating events across the enterprise."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.a.1","id_raw":"D5.DR.De.A.1","tier_raw":"Statement","tier":4,"seq":461,"title":null,"description":"Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.a.2","id_raw":"D5.DR.De.A.2","tier_raw":"Statement","tier":4,"seq":462,"title":null,"description":"Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert incident response teams in real time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.de.inn.1","id_raw":"D5.DR.De.Inn.1","tier_raw":"Statement","tier":4,"seq":463,"title":null,"description":"The institution is able to detect and block zero-day attempts and inform management and the incident response team in real time."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.b.1","id_raw":"D5.DR.Re.B.1","tier_raw":"Statement","tier":4,"seq":464,"title":null,"description":"Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer information. 
(FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.1","id_raw":"D5.DR.Re.E.1","tier_raw":"Statement","tier":4,"seq":465,"title":null,"description":"The incident response plan is designed to prioritize incidents, enabling a rapid response for significant cybersecurity incidents or vulnerabilities."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.2","id_raw":"D5.DR.Re.E.2","tier_raw":"Statement","tier":4,"seq":466,"title":null,"description":"A process is in place to help contain incidents and restore operations with minimal service disruption."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.3","id_raw":"D5.DR.Re.E.3","tier_raw":"Statement","tier":4,"seq":467,"title":null,"description":"Containment and mitigation strategies are developed for multiple incident types (e.g., DDoS, malware)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.4","id_raw":"D5.DR.Re.E.4","tier_raw":"Statement","tier":4,"seq":468,"title":null,"description":"Procedures include containment strategies and notifying potentially impacted third parties."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.5","id_raw":"D5.DR.Re.E.5","tier_raw":"Statement","tier":4,"seq":469,"title":null,"description":"Processes are in place to trigger the incident response program when an incident occurs at a third party."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.6","id_raw":"D5.DR.Re.E.6","tier_raw":"Statement","tier":4,"seq":470,"title":null,"description":"Records are generated to support incident investigation and mitigation. 
"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.7","id_raw":"D5.DR.Re.E.7","tier_raw":"Statement","tier":4,"seq":471,"title":null,"description":"The institution calls upon third parties, as needed, to provide mitigation services"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.e.8","id_raw":"D5.DR.Re.E.8","tier_raw":"Statement","tier":4,"seq":472,"title":null,"description":"Analysis of events is used to improve the institution's security measures and policies."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.int.1","id_raw":"D5.DR.Re.Int.1","tier_raw":"Statement","tier":4,"seq":473,"title":null,"description":"Analysis of security incidents is performed in the early stages of an intrusion to minimize the impact of the incident."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.int.2","id_raw":"D5.DR.Re.Int.2","tier_raw":"Statement","tier":4,"seq":474,"title":null,"description":"Any changes to systems/applications or to access entitlements necessary for incident management are reviewed by management for formal approval before implementation."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.int.3","id_raw":"D5.DR.Re.Int.3","tier_raw":"Statement","tier":4,"seq":475,"title":null,"description":"Processes are in place to ensure assets affected by a security incident that cannot be returned to operational status are quarantined, removed, disposed of, and/or replaced."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.int.4","id_raw":"D5.DR.Re.Int.4","tier_raw":"Statement","tier":4,"seq":476,"title":null,"description":"Processes are in place to ensure that restored assets are appropriately reconfigured and thoroughly tested before being placed back into operation."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.a.1","id_raw":"D5.DR.Re.A.1","tier_raw":"Statement","tier":4,"seq":477,"title":null,"description":"The incident management function 
collaborates effectively with the cyber threat intelligence function during an incident."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.a.2","id_raw":"D5.DR.Re.A.2","tier_raw":"Statement","tier":4,"seq":478,"title":null,"description":"Links between threat intelligence, network operations, and incident response allow for proactive response to potential incidents."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.a.3","id_raw":"D5.DR.Re.A.3","tier_raw":"Statement","tier":4,"seq":479,"title":null,"description":"Technical measures apply defense-in-depth techniques such as deep- packet inspection and black holing for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns and/or DDoS attacks."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.inn.1","id_raw":"D5.DR.Re.Inn.1","tier_raw":"Statement","tier":4,"seq":480,"title":null,"description":"The institution’s risk management of significant cyber incidents results in\nlimited to no disruptions to critical services."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.dr.re.inn.2","id_raw":"D5.DR.Re.Inn.2","tier_raw":"Statement","tier":4,"seq":481,"title":null,"description":"The technology infrastructure has been engineered to limit the effects of a cyber attack on the production environment from migrating to the backup environment (e.g., air-gapped environment and processes)."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.b.1","id_raw":"D5.ER.Es.B.1","tier_raw":"Statement","tier":4,"seq":482,"title":null,"description":"A process exists to contact personnel who are responsible for analyzing and responding to an incident. 
(FFIEC Information Security Booklet, page 83)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.b.2","id_raw":"D5.ER.Es.B.2","tier_raw":"Statement","tier":4,"seq":483,"title":null,"description":"Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information. (FFIEC Information Security Booklet, page 84)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.b.3","id_raw":"D5.ER.Es.B.3","tier_raw":"Statement","tier":4,"seq":484,"title":null,"description":"The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. (FFIEC Information Security Booklet, page 5)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.b.4","id_raw":"D5.ER.Es.B.4","tier_raw":"Statement","tier":4,"seq":485,"title":null,"description":"Incidents are classified, logged, and tracked. 
(FFIEC Operations Booklet, page 28)"} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.e.1","id_raw":"D5.ER.Es.E.1","tier_raw":"Statement","tier":4,"seq":486,"title":null,"description":"Criteria have been established for escalating cyber incidents or vulnerabilities to the board and senior management based on the potential impact and criticality of the risk."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.e.2","id_raw":"D5.ER.Es.E.2","tier_raw":"Statement","tier":4,"seq":487,"title":null,"description":"Regulators, law enforcement, and service providers, as appropriate, are notified when the institution is aware of any unauthorized access to systems or a cyber incident occurs that could result in degradation of services."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.e.3","id_raw":"D5.ER.Es.E.3","tier_raw":"Statement","tier":4,"seq":488,"title":null,"description":"Tracked cyber incidents are correlated for trend analysis and reporting."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.int.1","id_raw":"D5.ER.Es.Int.1","tier_raw":"Statement","tier":4,"seq":489,"title":null,"description":"Employees that are essential to mitigate the risk (e.g., fraud, business resilience) know their role in incident escalation."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.int.2","id_raw":"D5.ER.Es.Int.2","tier_raw":"Statement","tier":4,"seq":490,"title":null,"description":"A communication plan is used to notify other organizations, including third parties, of incidents that may affect them or their customers."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.int.3","id_raw":"D5.ER.Es.Int.3","tier_raw":"Statement","tier":4,"seq":491,"title":null,"description":"An external communication plan is used for notifying media regarding incidents when applicable."} 
+{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.a.1","id_raw":"D5.ER.Es.A.1","tier_raw":"Statement","tier":4,"seq":492,"title":null,"description":"The institution has established quantitative and qualitative metrics for the cybersecurity incident response process."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.a.2","id_raw":"D5.ER.Es.A.2","tier_raw":"Statement","tier":4,"seq":493,"title":null,"description":"Detailed metrics, dashboards, and/or scorecards outlining cyber incidents and events are provided to management and are part of the board meeting package."} +{"source":"ffiec_cat_v2017.05","id":"ffiec_cat_v2017.05:d5.er.es.inn.1","id_raw":"D5.ER.Es.Inn.1","tier_raw":"Statement","tier":4,"seq":494,"title":null,"description":"A mechanism is in place to provide instantaneous notification of incidents to management and essential employees through multiple communication channels with tracking and verification of receipt."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc","id_raw":"CC","tier_raw":"Category","tier":0,"seq":1,"title":"Common Criteria","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a","id_raw":"A","tier_raw":"Category","tier":0,"seq":2,"title":"Availability","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c","id_raw":"C","tier_raw":"Category","tier":0,"seq":3,"title":"Confidentiality","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi","id_raw":"PI","tier_raw":"Category","tier":0,"seq":4,"title":"Processing Integrity","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p","id_raw":"P","tier_raw":"Category","tier":0,"seq":5,"title":"Privacy","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1","id_raw":"CC1","tier_raw":"Group","tier":1,"seq":1,"title":"Control Environment","description":null} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2","id_raw":"CC2","tier_raw":"Group","tier":1,"seq":2,"title":"Communication and Information","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3","id_raw":"CC3","tier_raw":"Group","tier":1,"seq":3,"title":"Risk Assessment","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4","id_raw":"CC4","tier_raw":"Group","tier":1,"seq":4,"title":"Monitoring Activities","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5","id_raw":"CC5","tier_raw":"Group","tier":1,"seq":5,"title":"Control Activities","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6","id_raw":"CC6","tier_raw":"Group","tier":1,"seq":6,"title":"Logical and Physical Access Controls","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7","id_raw":"CC7","tier_raw":"Group","tier":1,"seq":7,"title":"System Operations","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8","id_raw":"CC8","tier_raw":"Group","tier":1,"seq":8,"title":"Change Management","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9","id_raw":"CC9","tier_raw":"Group","tier":1,"seq":9,"title":"Risk Mitigation","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1","id_raw":"A1","tier_raw":"Group","tier":1,"seq":10,"title":"Availability","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1","id_raw":"C1","tier_raw":"Group","tier":1,"seq":11,"title":"Confidentiality","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1","id_raw":"PI1","tier_raw":"Group","tier":1,"seq":12,"title":"Processing Integrity","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1","id_raw":"P1","tier_raw":"Group","tier":1,"seq":13,"title":"Notice and Communication of Objectives Related to Privacy","description":null} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2","id_raw":"P2","tier_raw":"Group","tier":1,"seq":14,"title":"Choice and Consent","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3","id_raw":"P3","tier_raw":"Group","tier":1,"seq":15,"title":"Collection","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4","id_raw":"P4","tier_raw":"Group","tier":1,"seq":16,"title":"Use, Retention, and Disposal","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5","id_raw":"P5","tier_raw":"Group","tier":1,"seq":17,"title":"Access","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6","id_raw":"P6","tier_raw":"Group","tier":1,"seq":18,"title":"Disclosure and Notification","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p7","id_raw":"P7","tier_raw":"Group","tier":1,"seq":19,"title":"Quality","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8","id_raw":"P8","tier_raw":"Group","tier":1,"seq":20,"title":"Monitoring and Enforcement","description":null} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1","id_raw":"CC1.1","tier_raw":"Criteria","tier":2,"seq":1,"title":null,"description":"COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.2","id_raw":"CC1.2","tier_raw":"Criteria","tier":2,"seq":2,"title":null,"description":"COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3","id_raw":"CC1.3","tier_raw":"Criteria","tier":2,"seq":3,"title":null,"description":"COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4","id_raw":"CC1.4","tier_raw":"Criteria","tier":2,"seq":4,"title":null,"description":"COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5","id_raw":"CC1.5","tier_raw":"Criteria","tier":2,"seq":5,"title":null,"description":"COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.1","id_raw":"CC2.1","tier_raw":"Criteria","tier":2,"seq":6,"title":null,"description":"COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2","id_raw":"CC2.2","tier_raw":"Criteria","tier":2,"seq":7,"title":null,"description":"COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3","id_raw":"CC2.3","tier_raw":"Criteria","tier":2,"seq":8,"title":null,"description":"COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1","id_raw":"CC3.1","tier_raw":"Criteria","tier":2,"seq":9,"title":null,"description":"COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2","id_raw":"CC3.2","tier_raw":"Criteria","tier":2,"seq":10,"title":null,"description":"COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and 
analyzes risks as a basis for determining how the risks should be managed."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3","id_raw":"CC3.3","tier_raw":"Criteria","tier":2,"seq":11,"title":null,"description":"COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4","id_raw":"CC3.4","tier_raw":"Criteria","tier":2,"seq":12,"title":null,"description":"COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1","id_raw":"CC4.1","tier_raw":"Criteria","tier":2,"seq":13,"title":null,"description":"COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.2","id_raw":"CC4.2","tier_raw":"Criteria","tier":2,"seq":14,"title":null,"description":"COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1","id_raw":"CC5.1","tier_raw":"Criteria","tier":2,"seq":15,"title":null,"description":"COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.2","id_raw":"CC5.2","tier_raw":"Criteria","tier":2,"seq":16,"title":null,"description":"COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3","id_raw":"CC5.3","tier_raw":"Criteria","tier":2,"seq":17,"title":null,"description":"COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1","id_raw":"CC6.1","tier_raw":"Criteria","tier":2,"seq":18,"title":null,"description":"The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.2","id_raw":"CC6.2","tier_raw":"Criteria","tier":2,"seq":19,"title":null,"description":"Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For\nthose users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.3","id_raw":"CC6.3","tier_raw":"Criteria","tier":2,"seq":20,"title":null,"description":"The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.4","id_raw":"CC6.4","tier_raw":"Criteria","tier":2,"seq":21,"title":null,"description":"The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.5","id_raw":"CC6.5","tier_raw":"Criteria","tier":2,"seq":22,"title":null,"description":"The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6 ","id_raw":"CC6.6 ","tier_raw":"Criteria","tier":2,"seq":23,"title":null,"description":"The entity implements logical access security measures to protect against threats from sources outside its system boundaries."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6","id_raw":"CC6.6","tier_raw":"Criteria","tier":2,"seq":24,"title":null,"description":"The entity implements logical access security measures to protect against threats from sources outside its system boundaries."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.7","id_raw":"CC6.7","tier_raw":"Criteria","tier":2,"seq":25,"title":null,"description":"The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8","id_raw":"CC6.8","tier_raw":"Criteria","tier":2,"seq":26,"title":null,"description":"The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1","id_raw":"CC7.1","tier_raw":"Criteria","tier":2,"seq":27,"title":null,"description":"To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.2","id_raw":"CC7.2","tier_raw":"Criteria","tier":2,"seq":28,"title":null,"description":"The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3","id_raw":"CC7.3","tier_raw":"Criteria","tier":2,"seq":29,"title":null,"description":"The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4","id_raw":"CC7.4","tier_raw":"Criteria","tier":2,"seq":30,"title":null,"description":"The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5","id_raw":"CC7.5","tier_raw":"Criteria","tier":2,"seq":31,"title":null,"description":"The entity identifies, develops, and implements activities to recover from identified security incidents."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1","id_raw":"CC8.1","tier_raw":"Criteria","tier":2,"seq":32,"title":null,"description":"The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.1","id_raw":"CC9.1","tier_raw":"Criteria","tier":2,"seq":33,"title":null,"description":"The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2","id_raw":"CC9.2","tier_raw":"Criteria","tier":2,"seq":34,"title":null,"description":"The entity assesses and manages risks associated with vendors and business partners."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.1","id_raw":"A1.1","tier_raw":"Criteria","tier":2,"seq":35,"title":null,"description":"The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2","id_raw":"A1.2","tier_raw":"Criteria","tier":2,"seq":36,"title":null,"description":"The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.3","id_raw":"A1.3","tier_raw":"Criteria","tier":2,"seq":37,"title":null,"description":"The entity tests recovery plan procedures supporting system recovery to meet its objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.1","id_raw":"C1.1","tier_raw":"Criteria","tier":2,"seq":38,"title":null,"description":"The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.2","id_raw":"C1.2","tier_raw":"Criteria","tier":2,"seq":39,"title":null,"description":"The entity disposes of confidential information to meet the entity’s objectives related to confidentiality."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.1","id_raw":"PI1.1","tier_raw":"Criteria","tier":2,"seq":40,"title":null,"description":"Identifies Information Specifications—The entity identifies information specifications required to support the use 
of products and services. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.2","id_raw":"PI1.2","tier_raw":"Criteria","tier":2,"seq":41,"title":null,"description":"The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the\nentity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3","id_raw":"PI1.3","tier_raw":"Criteria","tier":2,"seq":42,"title":null,"description":"The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.4","id_raw":"PI1.4","tier_raw":"Criteria","tier":2,"seq":43,"title":null,"description":"The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.5","id_raw":"PI1.5","tier_raw":"Criteria","tier":2,"seq":44,"title":null,"description":"The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1.1","id_raw":"P1.1","tier_raw":"Criteria","tier":2,"seq":45,"title":null,"description":"The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. 
The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1","id_raw":"P2.1","tier_raw":"Criteria","tier":2,"seq":46,"title":null,"description":"The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.1","id_raw":"P3.1","tier_raw":"Criteria","tier":2,"seq":47,"title":null,"description":"Personal information is collected consistent with the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.2","id_raw":"P3.2","tier_raw":"Criteria","tier":2,"seq":48,"title":null,"description":"For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.1","id_raw":"P4.1","tier_raw":"Criteria","tier":2,"seq":49,"title":null,"description":"The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.2","id_raw":"P4.2","tier_raw":"Criteria","tier":2,"seq":50,"title":null,"description":"The entity retains personal information consistent with the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.3","id_raw":"P4.3","tier_raw":"Criteria","tier":2,"seq":51,"title":null,"description":"The entity securely disposes of personal information to meet the entity’s objectives related to privacy"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.1","id_raw":"P5.1","tier_raw":"Criteria","tier":2,"seq":52,"title":null,"description":"The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.2","id_raw":"P5.2","tier_raw":"Criteria","tier":2,"seq":53,"title":null,"description":"The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. 
If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.1","id_raw":"P6.1","tier_raw":"Criteria","tier":2,"seq":54,"title":null,"description":"The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.2","id_raw":"P6.2","tier_raw":"Criteria","tier":2,"seq":55,"title":null,"description":"The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.3","id_raw":"P6.3","tier_raw":"Criteria","tier":2,"seq":56,"title":null,"description":"The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.4","id_raw":"P6.4","tier_raw":"Criteria","tier":2,"seq":57,"title":null,"description":"The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.5","id_raw":"P6.5","tier_raw":"Criteria","tier":2,"seq":58,"title":null,"description":"The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. 
Such notifications are reported to appropriate personnel and acted on in\naccordance with established incident response procedures to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.6","id_raw":"P6.6","tier_raw":"Criteria","tier":2,"seq":59,"title":null,"description":"The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.7","id_raw":"P6.7","tier_raw":"Criteria","tier":2,"seq":60,"title":null,"description":"The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p7.1","id_raw":"P7.1","tier_raw":"Criteria","tier":2,"seq":61,"title":null,"description":"The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1","id_raw":"P8.1","tier_raw":"Criteria","tier":2,"seq":62,"title":null,"description":"The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. 
Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1.1","id_raw":"CC1.1.1","tier_raw":"Point of Focus","tier":3,"seq":1,"title":"Sets the Tone at the Top","description":"The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1.2","id_raw":"CC1.1.2","tier_raw":"Point of Focus","tier":3,"seq":2,"title":"Establishes Standards of Conduct","description":"The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1.3","id_raw":"CC1.1.3","tier_raw":"Point of Focus","tier":3,"seq":3,"title":"Evaluates Adherence to Standards of Conduct","description":"Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1.4","id_raw":"CC1.1.4","tier_raw":"Point of Focus","tier":3,"seq":4,"title":"Addresses Deviations in a Timely Manner","description":"Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.1.5","id_raw":"CC1.1.5","tier_raw":"Point of Focus","tier":3,"seq":5,"title":"Considers Contractors and Vendor Employees in Demonstrating Its Commitment","description":"Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those 
standards, and addressing deviations in a timely manner. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.2.1","id_raw":"CC1.2.1","tier_raw":"Point of Focus","tier":3,"seq":6,"title":"Establishes Oversight Responsibilities","description":"The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.2.2","id_raw":"CC1.2.2","tier_raw":"Point of Focus","tier":3,"seq":7,"title":"Applies Relevant Expertise","description":"The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.2.3","id_raw":"CC1.2.3","tier_raw":"Point of Focus","tier":3,"seq":8,"title":"Operates Independently","description":"The board of directors has sufficient members who are independent from management and objective in evaluations and decision making."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.2.4","id_raw":"CC1.2.4","tier_raw":"Point of Focus","tier":3,"seq":9,"title":"Supplements Board Expertise","description":"The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3.1","id_raw":"CC1.3.1","tier_raw":"Point of Focus","tier":3,"seq":10,"title":"Considers All Structures of the Entity","description":"Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3.2","id_raw":"CC1.3.2","tier_raw":"Point of 
Focus","tier":3,"seq":11,"title":"Establishes Reporting Lines","description":"Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3.3","id_raw":"CC1.3.3","tier_raw":"Point of Focus","tier":3,"seq":12,"title":"Defines, Assigns, and Limits Authorities and Responsibilities","description":"Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3.4","id_raw":"CC1.3.4","tier_raw":"Point of Focus","tier":3,"seq":13,"title":"Addresses Specific Requirements When Defining Authorities and Responsibilities","description":"Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.3.5","id_raw":"CC1.3.5","tier_raw":"Point of Focus","tier":3,"seq":14,"title":"Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities","description":"Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.1","id_raw":"CC1.4.1","tier_raw":"Point of Focus","tier":3,"seq":15,"title":"Establishes Policies and Practices","description":"Policies and practices reflect expectations of competence necessary to support the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.2","id_raw":"CC1.4.2","tier_raw":"Point of Focus","tier":3,"seq":16,"title":"Evaluates Competence and Addresses Shortcomings","description":"The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.3","id_raw":"CC1.4.3","tier_raw":"Point of Focus","tier":3,"seq":17,"title":"Attracts, Develops, and Retains Individuals","description":"The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.4","id_raw":"CC1.4.4","tier_raw":"Point of Focus","tier":3,"seq":18,"title":"Plans and Prepares for Succession","description":"Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.5","id_raw":"CC1.4.5","tier_raw":"Point of Focus","tier":3,"seq":19,"title":"Considers the Background of Individuals","description":"The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.6","id_raw":"CC1.4.6","tier_raw":"Point of Focus","tier":3,"seq":20,"title":"Considers the Technical Competency of Individuals","description":"The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.4.7","id_raw":"CC1.4.7","tier_raw":"Point of Focus","tier":3,"seq":21,"title":"Provides Training to Maintain Technical Competencies","description":"The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5.1","id_raw":"CC1.5.1","tier_raw":"Point of Focus","tier":3,"seq":22,"title":"Enforces Accountability Through Structures, Authorities, and Responsibilities","description":"Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5.2","id_raw":"CC1.5.2","tier_raw":"Point of Focus","tier":3,"seq":23,"title":"Establishes Performance Measures, Incentives, and Rewards","description":"Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5.3","id_raw":"CC1.5.3","tier_raw":"Point of Focus","tier":3,"seq":24,"title":"Evaluates Performance Measures, Incentives, and Rewards for 
Ongoing Relevance","description":"Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5.4","id_raw":"CC1.5.4","tier_raw":"Point of Focus","tier":3,"seq":25,"title":"Considers Excessive Pressures","description":"Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc1.5.5","id_raw":"CC1.5.5","tier_raw":"Point of Focus","tier":3,"seq":26,"title":"Evaluates Performance and Rewards or Disciplines Individuals","description":"Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.1.1","id_raw":"CC2.1.1","tier_raw":"Point of Focus","tier":3,"seq":27,"title":"Identifies Information Requirements","description":"A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.1.2","id_raw":"CC2.1.2","tier_raw":"Point of Focus","tier":3,"seq":28,"title":"Captures Internal and External Sources of Data","description":"Information systems capture internal and external sources of data."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.1.3","id_raw":"CC2.1.3","tier_raw":"Point of Focus","tier":3,"seq":29,"title":"Processes Relevant Data Into Information","description":"Information systems process and transform relevant data into information."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.1.4","id_raw":"CC2.1.4","tier_raw":"Point of Focus","tier":3,"seq":30,"title":"Maintains Quality Throughout Processing","description":"Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.1","id_raw":"CC2.2.1","tier_raw":"Point of Focus","tier":3,"seq":31,"title":"Communicates Internal Control Information","description":"A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.2","id_raw":"CC2.2.2","tier_raw":"Point of Focus","tier":3,"seq":32,"title":"Communicates With the Board of Directors","description":"Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.3","id_raw":"CC2.2.3","tier_raw":"Point of Focus","tier":3,"seq":33,"title":"Provides Separate Communication Lines","description":"Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.4","id_raw":"CC2.2.4","tier_raw":"Point of Focus","tier":3,"seq":34,"title":"Selects Relevant Method of Communication","description":"The method of communication considers the timing, audience, and nature of the information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.5","id_raw":"CC2.2.5","tier_raw":"Point of Focus","tier":3,"seq":35,"title":"Communicates 
Responsibilities","description":"Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.6","id_raw":"CC2.2.6","tier_raw":"Point of Focus","tier":3,"seq":36,"title":"Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters","description":"Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.7","id_raw":"CC2.2.7","tier_raw":"Point of Focus","tier":3,"seq":37,"title":"Communicates Objectives and Changes to Objectives ","description":"The entity communicates its objectives and changes to those objectives to personnel in a timely manner. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.8","id_raw":"CC2.2.8","tier_raw":"Point of Focus","tier":3,"seq":38,"title":"Communicates Information to Improve Security Knowledge and Awareness","description":"The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.9","id_raw":"CC2.2.9","tier_raw":"Point of Focus","tier":3,"seq":39,"title":"Communicates Information About System Operation and Boundaries","description":"The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.10","id_raw":"CC2.2.10","tier_raw":"Point of Focus","tier":3,"seq":40,"title":"Communicates System Objectives","description":"The entity communicates its objectives to personnel to enable them to carry out their responsibilities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.2.11","id_raw":"CC2.2.11","tier_raw":"Point of Focus","tier":3,"seq":41,"title":"Communicates System Changes","description":"System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.1","id_raw":"CC2.3.1","tier_raw":"Point of Focus","tier":3,"seq":42,"title":"Communicates to External Parties","description":"Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.2","id_raw":"CC2.3.2","tier_raw":"Point of Focus","tier":3,"seq":43,"title":"Enables Inbound Communications","description":"Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.3","id_raw":"CC2.3.3","tier_raw":"Point of Focus","tier":3,"seq":44,"title":"Communicates With the Board of Directors","description":"Relevant information resulting from assessments conducted by external parties is communicated to the board of directors."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.4","id_raw":"CC2.3.4","tier_raw":"Point of Focus","tier":3,"seq":45,"title":"Provides Separate Communication Lines","description":"Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.5","id_raw":"CC2.3.5","tier_raw":"Point of Focus","tier":3,"seq":46,"title":"Selects Relevant Method of Communication","description":"The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.6","id_raw":"CC2.3.6","tier_raw":"Point of Focus","tier":3,"seq":47,"title":"Communicates Objectives Related to Confidentiality and Changes to Objectives","description":"The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.7","id_raw":"CC2.3.7","tier_raw":"Point of Focus","tier":3,"seq":48,"title":"Communicates Objectives Related to Privacy and Changes to Objectives","description":"The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.8","id_raw":"CC2.3.8","tier_raw":"Point of Focus","tier":3,"seq":49,"title":"Communicates Information About System Operation and Boundaries","description":"The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.9","id_raw":"CC2.3.9","tier_raw":"Point of Focus","tier":3,"seq":50,"title":"Communicates System Objectives","description":"The entity communicates its system objectives to appropriate external users. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.10","id_raw":"CC2.3.10","tier_raw":"Point of Focus","tier":3,"seq":51,"title":"Communicates System Responsibilities","description":"External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc2.3.11","id_raw":"CC2.3.11","tier_raw":"Point of Focus","tier":3,"seq":52,"title":"Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters","description":"External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.1","id_raw":"CC3.1.1","tier_raw":"Point of Focus","tier":3,"seq":53,"title":"Reflects Management's Choices","description":"Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.2","id_raw":"CC3.1.2","tier_raw":"Point of Focus","tier":3,"seq":54,"title":"Considers Tolerances for Risk","description":"Management considers the acceptable levels of variation relative to the achievement of operations objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.3","id_raw":"CC3.1.3","tier_raw":"Point of Focus","tier":3,"seq":55,"title":"Includes Operations and Financial Performance Goals","description":"The organization reflects the desired level of operations and financial performance for the entity within operations objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.4","id_raw":"CC3.1.4","tier_raw":"Point of Focus","tier":3,"seq":56,"title":"Forms a Basis for Committing of Resources","description":"Management uses operations 
objectives as a basis for allocating resources needed to attain desired operations and financial performance."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.5","id_raw":"CC3.1.5","tier_raw":"Point of Focus","tier":3,"seq":57,"title":"Complies With Applicable Accounting Standards","description":"Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.6","id_raw":"CC3.1.6","tier_raw":"Point of Focus","tier":3,"seq":58,"title":"Considers Materiality","description":"Management considers materiality in financial statement presentation."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.7","id_raw":"CC3.1.7","tier_raw":"Point of Focus","tier":3,"seq":59,"title":"Reflects Entity Activities","description":"External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.8","id_raw":"CC3.1.8","tier_raw":"Point of Focus","tier":3,"seq":60,"title":"Complies With Externally Established Frameworks","description":"Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.9","id_raw":"CC3.1.9","tier_raw":"Point of Focus","tier":3,"seq":61,"title":"Considers the Required Level of Precision","description":"Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.10","id_raw":"CC3.1.10","tier_raw":"Point of Focus","tier":3,"seq":62,"title":"Reflects Entity Activities","description":"External reporting reflects the underlying transactions and events within a range of 
acceptable limits."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.11","id_raw":"CC3.1.11","tier_raw":"Point of Focus","tier":3,"seq":63,"title":"Reflects Management's Choices","description":"Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.12","id_raw":"CC3.1.12","tier_raw":"Point of Focus","tier":3,"seq":64,"title":"Considers the Required Level of Precision","description":"Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.13","id_raw":"CC3.1.13","tier_raw":"Point of Focus","tier":3,"seq":65,"title":"Reflects Entity Activities","description":"Internal reporting reflects the underlying transactions and events within a range of acceptable limits."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.14","id_raw":"CC3.1.14","tier_raw":"Point of Focus","tier":3,"seq":66,"title":"Reflects External Laws and Regulations","description":"Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.15","id_raw":"CC3.1.15","tier_raw":"Point of Focus","tier":3,"seq":67,"title":"Considers Tolerances for Risk","description":"Management considers the acceptable levels of variation relative to the achievement of operations objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.1.16","id_raw":"CC3.1.16","tier_raw":"Point of Focus","tier":3,"seq":68,"title":"Establishes Sub-objectives to Support Objectives","description":"Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s 
objectives related to reporting, operations, and compliance."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.1","id_raw":"CC3.2.1","tier_raw":"Point of Focus","tier":3,"seq":69,"title":"Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels","description":"The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.2","id_raw":"CC3.2.2","tier_raw":"Point of Focus","tier":3,"seq":70,"title":"Analyzes Internal and External Factors","description":"Risk identification considers both internal and external factors and their impact on the achievement of objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.3","id_raw":"CC3.2.3","tier_raw":"Point of Focus","tier":3,"seq":71,"title":"Involves Appropriate Levels of Management","description":"The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.4","id_raw":"CC3.2.4","tier_raw":"Point of Focus","tier":3,"seq":72,"title":"Estimates Significance of Risks Identified","description":"Identified risks are analyzed through a process that includes estimating the potential significance of the risk. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.5","id_raw":"CC3.2.5","tier_raw":"Point of Focus","tier":3,"seq":73,"title":"Determines How to Respond to Risks","description":"Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.6","id_raw":"CC3.2.6","tier_raw":"Point of Focus","tier":3,"seq":74,"title":"Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities","description":"The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.7","id_raw":"CC3.2.7","tier_raw":"Point of Focus","tier":3,"seq":75,"title":"Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties","description":"The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.2.8","id_raw":"CC3.2.8","tier_raw":"Point of Focus","tier":3,"seq":76,"title":"Considers the Significance of the Risk","description":"The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3.1","id_raw":"CC3.3.1","tier_raw":"Point of Focus","tier":3,"seq":77,"title":"Considers Various Types of Fraud","description":"The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3.2","id_raw":"CC3.3.2","tier_raw":"Point of Focus","tier":3,"seq":78,"title":"Assesses Incentives and Pressures","description":"The assessment of fraud risks considers incentives and pressures."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3.3","id_raw":"CC3.3.3","tier_raw":"Point of Focus","tier":3,"seq":79,"title":"Assesses Opportunities","description":"The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3.4","id_raw":"CC3.3.4","tier_raw":"Point of Focus","tier":3,"seq":80,"title":"Assesses Attitudes and Rationalizations","description":"The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.3.5","id_raw":"CC3.3.5","tier_raw":"Point of 
Focus","tier":3,"seq":81,"title":"Considers the Risks Related to the Use of IT and Access to Information","description":"The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4.1","id_raw":"CC3.4.1","tier_raw":"Point of Focus","tier":3,"seq":82,"title":"Assesses Changes in the External Environment","description":"The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4.2","id_raw":"CC3.4.2","tier_raw":"Point of Focus","tier":3,"seq":83,"title":"Assesses Changes in the Business Model","description":"The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4.3","id_raw":"CC3.4.3","tier_raw":"Point of Focus","tier":3,"seq":84,"title":"Assesses Changes in Leadership","description":"The entity considers changes in management and respective attitudes and philosophies on the system of internal control."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4.4","id_raw":"CC3.4.4","tier_raw":"Point of Focus","tier":3,"seq":85,"title":"Assess Changes in Systems and Technology","description":"The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc3.4.5","id_raw":"CC3.4.5","tier_raw":"Point of Focus","tier":3,"seq":86,"title":"Assess Changes in Vendor and Business Partner Relationships","description":"The risk identification process considers changes in vendor and business partner relationships. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.1","id_raw":"CC4.1.1","tier_raw":"Point of Focus","tier":3,"seq":87,"title":"Considers a Mix of Ongoing and Separate Evaluations","description":"Management includes a balance of ongoing and separate evaluations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.2","id_raw":"CC4.1.2","tier_raw":"Point of Focus","tier":3,"seq":88,"title":"Considers Rate of Change","description":"Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.3","id_raw":"CC4.1.3","tier_raw":"Point of Focus","tier":3,"seq":89,"title":"Establishes Baseline Understanding","description":"The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.4","id_raw":"CC4.1.4","tier_raw":"Point of Focus","tier":3,"seq":90,"title":"Uses Knowledgeable Personnel","description":"Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.5","id_raw":"CC4.1.5","tier_raw":"Point of Focus","tier":3,"seq":91,"title":"Integrates With Business Processes","description":"Ongoing evaluations are built into the business processes and adjust to changing conditions."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.6","id_raw":"CC4.1.6","tier_raw":"Point of Focus","tier":3,"seq":92,"title":"Adjusts Scope and Frequency","description":"Management varies the 
scope and frequency of separate evaluations depending on risk."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.7","id_raw":"CC4.1.7","tier_raw":"Point of Focus","tier":3,"seq":93,"title":"Objectively Evaluates","description":"Separate evaluations are performed periodically to provide objective feedback."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.1.8","id_raw":"CC4.1.8","tier_raw":"Point of Focus","tier":3,"seq":94,"title":"Considers Different Types of Ongoing and Separate Evaluations","description":"Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.2.1","id_raw":"CC4.2.1","tier_raw":"Point of Focus","tier":3,"seq":95,"title":"Assesses Results","description":"Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.2.2","id_raw":"CC4.2.2","tier_raw":"Point of Focus","tier":3,"seq":96,"title":"Communicates Deficiencies","description":"Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc4.2.3","id_raw":"CC4.2.3","tier_raw":"Point of Focus","tier":3,"seq":97,"title":"Monitors Corrective Action","description":"Management tracks whether deficiencies are remedied on a timely basis."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.1","id_raw":"CC5.1.1","tier_raw":"Point of Focus","tier":3,"seq":98,"title":"Integrates With Risk Assessment","description":"Control activities help ensure that risk responses that address and mitigate risks are carried out. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.2","id_raw":"CC5.1.2","tier_raw":"Point of Focus","tier":3,"seq":99,"title":"Considers Entity-Specific Factors","description":"Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.3","id_raw":"CC5.1.3","tier_raw":"Point of Focus","tier":3,"seq":100,"title":"Determines Relevant Business Processes","description":"Management determines which relevant business processes require control activities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.4","id_raw":"CC5.1.4","tier_raw":"Point of Focus","tier":3,"seq":101,"title":"Evaluates a Mix of Control Activity Types","description":"Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.5","id_raw":"CC5.1.5","tier_raw":"Point of Focus","tier":3,"seq":102,"title":"Considers at What Level Activities Are Applied","description":"Management considers control activities at various levels in the entity."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.1.6","id_raw":"CC5.1.6","tier_raw":"Point of Focus","tier":3,"seq":103,"title":"Addresses Segregation of Duties","description":"Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.2.1","id_raw":"CC5.2.1","tier_raw":"Point of Focus","tier":3,"seq":104,"title":"Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls","description":"Management understands and determines the dependency 
and linkage between business processes, automated control activities, and technology general controls."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.2.2","id_raw":"CC5.2.2","tier_raw":"Point of Focus","tier":3,"seq":105,"title":"Establishes Relevant Technology Infrastructure Control Activities","description":"Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.2.3","id_raw":"CC5.2.3","tier_raw":"Point of Focus","tier":3,"seq":106,"title":"Establishes Relevant Security Management Process Controls Activities","description":"Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.2.4","id_raw":"CC5.2.4","tier_raw":"Point of Focus","tier":3,"seq":107,"title":"Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities","description":"Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.1","id_raw":"CC5.3.1","tier_raw":"Point of Focus","tier":3,"seq":108,"title":"Establishes Policies and Procedures to Support Deployment of Management ‘s Directives","description":"Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.2","id_raw":"CC5.3.2","tier_raw":"Point of 
Focus","tier":3,"seq":109,"title":"Establishes Responsibility and Accountability for Executing Policies and Procedures","description":"Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.3","id_raw":"CC5.3.3","tier_raw":"Point of Focus","tier":3,"seq":110,"title":"Performs in a Timely Manner","description":"Responsible personnel perform control activities in a timely manner as defined by the policies and procedures."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.4","id_raw":"CC5.3.4","tier_raw":"Point of Focus","tier":3,"seq":111,"title":"Takes Corrective Action","description":"Responsible personnel investigate and act on matters identified as a result of executing control activities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.5","id_raw":"CC5.3.5","tier_raw":"Point of Focus","tier":3,"seq":112,"title":"Performs Using Competent Personnel","description":"Competent personnel with sufficient authority perform control activities with diligence and continuing focus."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc5.3.6","id_raw":"CC5.3.6","tier_raw":"Point of Focus","tier":3,"seq":113,"title":"Reassesses Policies and Procedures","description":"Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.1","id_raw":"CC6.1.1","tier_raw":"Point of Focus","tier":3,"seq":114,"title":"Identifies and Manages the Inventory of Information Assets","description":"The entity identifies, inventories, classifies, and manages information assets. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.2","id_raw":"CC6.1.2","tier_raw":"Point of Focus","tier":3,"seq":115,"title":"Restricts Logical Access","description":"Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.3","id_raw":"CC6.1.3","tier_raw":"Point of Focus","tier":3,"seq":116,"title":"Identifies and Authenticates Users","description":"Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.4","id_raw":"CC6.1.4","tier_raw":"Point of Focus","tier":3,"seq":117,"title":"Considers Network Segmentation","description":"Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.5","id_raw":"CC6.1.5","tier_raw":"Point of Focus","tier":3,"seq":118,"title":"Manages Points of Access","description":"Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.6","id_raw":"CC6.1.6","tier_raw":"Point of Focus","tier":3,"seq":119,"title":"Restricts Access to Information Assets","description":"Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.7","id_raw":"CC6.1.7","tier_raw":"Point of Focus","tier":3,"seq":120,"title":"Manages Identification and Authentication","description":"Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.8","id_raw":"CC6.1.8","tier_raw":"Point of Focus","tier":3,"seq":121,"title":"Manages Credentials for Infrastructure and Software","description":"New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.9","id_raw":"CC6.1.9","tier_raw":"Point of Focus","tier":3,"seq":122,"title":"Uses Encryption to Protect Data","description":"The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.1.10","id_raw":"CC6.1.10","tier_raw":"Point of Focus","tier":3,"seq":123,"title":"Protects Encryption Keys","description":"Processes are in place to protect encryption keys during generation, storage, use, and destruction."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.2.1","id_raw":"CC6.2.1","tier_raw":"Point of Focus","tier":3,"seq":124,"title":"Controls Access Credentials to Protected Assets","description":"Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.2.2","id_raw":"CC6.2.2","tier_raw":"Point of Focus","tier":3,"seq":125,"title":"Removes 
Access to Protected Assets When Appropriate","description":"Processes are in place to remove credential access when an individual no longer requires such access."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.2.3","id_raw":"CC6.2.3","tier_raw":"Point of Focus","tier":3,"seq":126,"title":"Reviews Appropriateness of Access Credentials","description":"The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.3.1","id_raw":"CC6.3.1","tier_raw":"Point of Focus","tier":3,"seq":127,"title":"Creates or Modifies Access to Protected Information Assets","description":"Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.3.2","id_raw":"CC6.3.2","tier_raw":"Point of Focus","tier":3,"seq":128,"title":"Removes Access to Protected Information Assets","description":"Processes are in place to remove access to protected information assets when an individual no longer requires access."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.3.3","id_raw":"CC6.3.3","tier_raw":"Point of Focus","tier":3,"seq":129,"title":"Uses Role-Based Access Controls","description":"Role-based access control is utilized to support segregation of incompatible functions."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.4.1","id_raw":"CC6.4.1","tier_raw":"Point of Focus","tier":3,"seq":130,"title":"Creates or Modifies Physical Access","description":"Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.4.2","id_raw":"CC6.4.2","tier_raw":"Point of Focus","tier":3,"seq":131,"title":"Removes Physical Access","description":"Processes are in 
place to remove access to physical resources when an individual no longer requires access."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.4.3","id_raw":"CC6.4.3","tier_raw":"Point of Focus","tier":3,"seq":132,"title":"Reviews Physical Access","description":"Processes are in place to periodically review physical access to ensure consistency with job responsibilities."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.5.1","id_raw":"CC6.5.1","tier_raw":"Point of Focus","tier":3,"seq":133,"title":"Identifies Data and Software for Disposal","description":"Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.5.2","id_raw":"CC6.5.2","tier_raw":"Point of Focus","tier":3,"seq":134,"title":"Removes Data and Software From Entity Control","description":"Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6.1","id_raw":"CC6.6.1","tier_raw":"Point of Focus","tier":3,"seq":135,"title":"Restricts Access","description":"The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6.2","id_raw":"CC6.6.2","tier_raw":"Point of Focus","tier":3,"seq":136,"title":"Protects Identification and Authentication Credentials","description":"Identification and authentication credentials are protected during transmission outside its system boundaries."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6.3","id_raw":"CC6.6.3","tier_raw":"Point of Focus","tier":3,"seq":137,"title":"Requires Additional Authentication or Credentials","description":"Additional authentication information or credentials are required when accessing the system from outside its boundaries."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.6.4","id_raw":"CC6.6.4","tier_raw":"Point of Focus","tier":3,"seq":138,"title":"Implements Boundary Protection Systems","description":"Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.7.1","id_raw":"CC6.7.1","tier_raw":"Point of Focus","tier":3,"seq":139,"title":"Restricts the Ability to Perform Transmission","description":"Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.7.2","id_raw":"CC6.7.2","tier_raw":"Point of Focus","tier":3,"seq":140,"title":"Uses Encryption Technologies or Secure Communication Channels to Protect Data","description":"Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.7.3","id_raw":"CC6.7.3","tier_raw":"Point of Focus","tier":3,"seq":141,"title":"Protects Removal 
Media","description":"Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.7.4","id_raw":"CC6.7.4","tier_raw":"Point of Focus","tier":3,"seq":142,"title":"Protects Mobile Devices","description":"Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8.1","id_raw":"CC6.8.1","tier_raw":"Point of Focus","tier":3,"seq":143,"title":"Restricts Application and Software Installation","description":"The ability to install applications and software is restricted to authorized individuals."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8.2","id_raw":"CC6.8.2","tier_raw":"Point of Focus","tier":3,"seq":144,"title":"Detects Unauthorized Changes to Software and Configuration Parameters","description":"Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8.3","id_raw":"CC6.8.3","tier_raw":"Point of Focus","tier":3,"seq":145,"title":"Uses a Defined Change Control Process","description":"A management-defined change control process is used for the implementation of software. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8.4","id_raw":"CC6.8.4","tier_raw":"Point of Focus","tier":3,"seq":146,"title":"Uses Antivirus and Anti-Malware Software","description":"Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc6.8.5","id_raw":"CC6.8.5","tier_raw":"Point of Focus","tier":3,"seq":147,"title":"Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software","description":"Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1.1","id_raw":"CC7.1.1","tier_raw":"Point of Focus","tier":3,"seq":148,"title":"Uses Defined Configuration Standards","description":"Management has defined configuration standards. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1.2","id_raw":"CC7.1.2","tier_raw":"Point of Focus","tier":3,"seq":149,"title":"Monitors Infrastructure and Software","description":"The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1.3","id_raw":"CC7.1.3","tier_raw":"Point of Focus","tier":3,"seq":150,"title":"Implements Change-Detection Mechanisms","description":"The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1.4","id_raw":"CC7.1.4","tier_raw":"Point of Focus","tier":3,"seq":151,"title":"Detects Unknown or Unauthorized Components","description":"Procedures are in place to detect the introduction of unknown or unauthorized components. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.1.5","id_raw":"CC7.1.5","tier_raw":"Point of Focus","tier":3,"seq":152,"title":"Conducts Vulnerability Scans","description":"The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.2.1","id_raw":"CC7.2.1","tier_raw":"Point of Focus","tier":3,"seq":153,"title":"Implements Detection Policies, Procedures, and Tools","description":"Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.2.2","id_raw":"CC7.2.2","tier_raw":"Point of Focus","tier":3,"seq":154,"title":"Designs Detection Measures","description":"Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.2.3","id_raw":"CC7.2.3","tier_raw":"Point of Focus","tier":3,"seq":155,"title":"Implements Filters to Analyze Anomalies","description":"Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.2.4","id_raw":"CC7.2.4","tier_raw":"Point of Focus","tier":3,"seq":156,"title":"Monitors Detection Tools for Effective Operation","description":"Management has implemented processes to monitor the effectiveness of detection tools."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3.1","id_raw":"CC7.3.1","tier_raw":"Point of Focus","tier":3,"seq":157,"title":"Responds to Security Incidents","description":"Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3.2","id_raw":"CC7.3.2","tier_raw":"Point of Focus","tier":3,"seq":158,"title":"Communicates and Reviews Detected Security Events","description":"Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3.3","id_raw":"CC7.3.3","tier_raw":"Point of Focus","tier":3,"seq":159,"title":"Develops and Implements Procedures to Analyze Security Incidents","description":"Procedures are in place to analyze security incidents and determine system impact."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3.4","id_raw":"CC7.3.4","tier_raw":"Point of Focus","tier":3,"seq":160,"title":"Assesses the Impact on Personal Information","description":"Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.3.5","id_raw":"CC7.3.5","tier_raw":"Point of Focus","tier":3,"seq":161,"title":"Determines Personal Information Used or Disclosed","description":"When an unauthorized use or disclosure of personal information has occurred, the affected information is identified. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.1","id_raw":"CC7.4.1","tier_raw":"Point of Focus","tier":3,"seq":162,"title":"Assigns Roles and Responsibilities","description":"Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.2","id_raw":"CC7.4.2","tier_raw":"Point of Focus","tier":3,"seq":163,"title":"Contains Security Incidents","description":"Procedures are in place to contain security incidents that actively threaten entity objectives. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.3","id_raw":"CC7.4.3","tier_raw":"Point of Focus","tier":3,"seq":164,"title":"Mitigates Ongoing Security Incidents","description":"Procedures are in place to mitigate the effects of ongoing security incidents."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.4","id_raw":"CC7.4.4","tier_raw":"Point of Focus","tier":3,"seq":165,"title":"Ends Threats Posed by Security Incidents","description":"Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.5","id_raw":"CC7.4.5","tier_raw":"Point of Focus","tier":3,"seq":166,"title":"Restores Operations","description":"Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.6","id_raw":"CC7.4.6","tier_raw":"Point of Focus","tier":3,"seq":167,"title":"Develops and Implements Communication Protocols for Security Incidents","description":"Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.7","id_raw":"CC7.4.7","tier_raw":"Point of Focus","tier":3,"seq":168,"title":"Obtains Understanding of Nature of Incident and Determines Containment Strategy","description":"An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.8","id_raw":"CC7.4.8","tier_raw":"Point of Focus","tier":3,"seq":169,"title":"Remediates Identified Vulnerabilities","description":"Identified vulnerabilities are remediated through the development and execution of remediation activities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.9","id_raw":"CC7.4.9","tier_raw":"Point of Focus","tier":3,"seq":170,"title":"Communicates Remediation Activities","description":"Remediation activities are documented and communicated in accordance with the incident response program. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.10","id_raw":"CC7.4.10","tier_raw":"Point of Focus","tier":3,"seq":171,"title":"Evaluates the Effectiveness of Incident Response","description":"The design of incident response activities is evaluated for effectiveness on a periodic basis. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.11","id_raw":"CC7.4.11","tier_raw":"Point of Focus","tier":3,"seq":172,"title":"Periodically Evaluates Incidents","description":"Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.12","id_raw":"CC7.4.12","tier_raw":"Point of Focus","tier":3,"seq":173,"title":"Communicates Unauthorized Use and Disclosure","description":"Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.4.13","id_raw":"CC7.4.13","tier_raw":"Point of Focus","tier":3,"seq":174,"title":"Application of Sanctions","description":"The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.1","id_raw":"CC7.5.1","tier_raw":"Point of Focus","tier":3,"seq":175,"title":"Restores the Affected Environment","description":"The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.2","id_raw":"CC7.5.2","tier_raw":"Point of Focus","tier":3,"seq":176,"title":"Communicates Information About the Event","description":"Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.3","id_raw":"CC7.5.3","tier_raw":"Point of Focus","tier":3,"seq":177,"title":"Determines Root Cause of the Event","description":"The root cause of the event is determined. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.4","id_raw":"CC7.5.4","tier_raw":"Point of Focus","tier":3,"seq":178,"title":"Implements Changes to Prevent and Detect Recurrences","description":"Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.5","id_raw":"CC7.5.5","tier_raw":"Point of Focus","tier":3,"seq":179,"title":"Improves Response and Recovery Procedures","description":"Lessons learned are analyzed, and the incident response plan and recovery procedures are improved. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc7.5.6","id_raw":"CC7.5.6","tier_raw":"Point of Focus","tier":3,"seq":180,"title":"Implements Incident Recovery Plan Testing","description":"Incident recovery plan testing is performed on a periodic basis. 
The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.1","id_raw":"CC8.1.1","tier_raw":"Point of Focus","tier":3,"seq":181,"title":"Manages Changes Throughout the System Lifecycle","description":"A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.2","id_raw":"CC8.1.2","tier_raw":"Point of Focus","tier":3,"seq":182,"title":"Authorizes Changes","description":"A process is in place to authorize system changes prior to development."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.3","id_raw":"CC8.1.3","tier_raw":"Point of Focus","tier":3,"seq":183,"title":"Designs and Develops Changes","description":"A process is in place to design and develop system changes."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.4","id_raw":"CC8.1.4","tier_raw":"Point of Focus","tier":3,"seq":184,"title":"Documents Changes","description":"A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.5","id_raw":"CC8.1.5","tier_raw":"Point of Focus","tier":3,"seq":185,"title":"Tracks System Changes","description":"A process is in place to track system changes prior to implementation. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.6","id_raw":"CC8.1.6","tier_raw":"Point of Focus","tier":3,"seq":186,"title":"Configures Software","description":"A process is in place to select and implement the configuration parameters used to control the functionality of software. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.7","id_raw":"CC8.1.7","tier_raw":"Point of Focus","tier":3,"seq":187,"title":"Tests System Changes","description":"A process is in place to test system changes prior to implementation. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.8","id_raw":"CC8.1.8","tier_raw":"Point of Focus","tier":3,"seq":188,"title":"Approves System Changes","description":"A process is in place to approve system changes prior to implementation. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.9","id_raw":"CC8.1.9","tier_raw":"Point of Focus","tier":3,"seq":189,"title":"Deploys System Changes","description":"A process is in place to implement system changes."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.10","id_raw":"CC8.1.10","tier_raw":"Point of Focus","tier":3,"seq":190,"title":"Identifies and Evaluates System Changes","description":"Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.11","id_raw":"CC8.1.11","tier_raw":"Point of Focus","tier":3,"seq":191,"title":"Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents","description":"Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.12","id_raw":"CC8.1.12","tier_raw":"Point of Focus","tier":3,"seq":192,"title":"Creates Baseline Configuration of IT Technology","description":"A baseline configuration of IT and control systems is created and maintained."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.13","id_raw":"CC8.1.13","tier_raw":"Point of Focus","tier":3,"seq":193,"title":"Provides for Changes Necessary in Emergency Situations ","description":"A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.14","id_raw":"CC8.1.14","tier_raw":"Point of Focus","tier":3,"seq":194,"title":"Protects Confidential Information","description":"The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc8.1.15","id_raw":"CC8.1.15","tier_raw":"Point of Focus","tier":3,"seq":195,"title":"Protects Personal Information","description":"The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.1.1","id_raw":"CC9.1.1","tier_raw":"Point of Focus","tier":3,"seq":196,"title":"Considers Mitigation of Risks of Business Disruption","description":"Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. 
Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.1.2","id_raw":"CC9.1.2","tier_raw":"Point of Focus","tier":3,"seq":197,"title":"Considers the Use of Insurance to Mitigate Financial Impact Risks","description":"The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.1","id_raw":"CC9.2.1","tier_raw":"Point of Focus","tier":3,"seq":198,"title":"Establishes Requirements for Vendor and Business Partner Engagements","description":"The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.2","id_raw":"CC9.2.2","tier_raw":"Point of Focus","tier":3,"seq":199,"title":"Assesses Vendor and Business Partner Risks","description":"The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.3","id_raw":"CC9.2.3","tier_raw":"Point of Focus","tier":3,"seq":200,"title":"Assigns Responsibility and Accountability for Managing Vendors and Business Partners","description":"The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.4","id_raw":"CC9.2.4","tier_raw":"Point of Focus","tier":3,"seq":201,"title":"Establishes Communication Protocols for Vendors and Business Partners","description":"The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.5","id_raw":"CC9.2.5","tier_raw":"Point of Focus","tier":3,"seq":202,"title":"Establishes Exception Handling Procedures From Vendors and Business Partners ","description":"The entity establishes exception handling procedures for service or product issues related to vendors and business partners. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.6","id_raw":"CC9.2.6","tier_raw":"Point of Focus","tier":3,"seq":203,"title":"Assesses Vendor and Business Partner Performance","description":"The entity periodically assesses the performance of vendors and business partners. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.7","id_raw":"CC9.2.7","tier_raw":"Point of Focus","tier":3,"seq":204,"title":"Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments","description":"The entity implements procedures for addressing issues identified with vendor and business partner relationships. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.8","id_raw":"CC9.2.8","tier_raw":"Point of Focus","tier":3,"seq":205,"title":"Implements Procedures for Terminating Vendor and Business Partner Relationships ","description":" The entity implements procedures for terminating vendor and business partner relationships."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.9","id_raw":"CC9.2.9","tier_raw":"Point of Focus","tier":3,"seq":206,"title":"Obtains Confidentiality Commitments from Vendors and Business Partners","description":"The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.10","id_raw":"CC9.2.10","tier_raw":"Point of Focus","tier":3,"seq":207,"title":"Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners ","description":"On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.11","id_raw":"CC9.2.11","tier_raw":"Point of Focus","tier":3,"seq":208,"title":"Obtains Privacy Commitments from Vendors and Business Partners","description":"The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:cc9.2.12","id_raw":"CC9.2.12","tier_raw":"Point of Focus","tier":3,"seq":209,"title":"Assesses Compliance with Privacy Commitments of Vendors and Business Partners","description":"On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.1.1","id_raw":"A1.1.1","tier_raw":"Point of Focus","tier":3,"seq":210,"title":"Measures Current Usage","description":"The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.1.2","id_raw":"A1.1.2","tier_raw":"Point of Focus","tier":3,"seq":211,"title":"Forecasts Capacity","description":"The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.1.3","id_raw":"A1.1.3","tier_raw":"Point of Focus","tier":3,"seq":212,"title":"Makes Changes Based on Forecasts","description":"The system change management process is initiated when forecasted usage exceeds capacity tolerances. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.1","id_raw":"A1.2.1","tier_raw":"Point of Focus","tier":3,"seq":213,"title":"Identifies Environmental Threats","description":"As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.2","id_raw":"A1.2.2","tier_raw":"Point of Focus","tier":3,"seq":214,"title":"Designs Detection Measures","description":"Detection measures are implemented to identify anomalies that could result from environmental threat events. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.3","id_raw":"A1.2.3","tier_raw":"Point of Focus","tier":3,"seq":215,"title":"Implements and Maintains Environmental Protection Mechanisms","description":"Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.4","id_raw":"A1.2.4","tier_raw":"Point of Focus","tier":3,"seq":216,"title":"Implements Alerts to Analyze Anomalies","description":"Management implements alerts that are communicated to personnel for analysis to identify environmental threat events."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.5","id_raw":"A1.2.5","tier_raw":"Point of Focus","tier":3,"seq":217,"title":"Responds to Environmental Threat Events","description":"Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. 
This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem)."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.6","id_raw":"A1.2.6","tier_raw":"Point of Focus","tier":3,"seq":218,"title":"Communicates and Reviews Detected Environmental Threat Events","description":"Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.7","id_raw":"A1.2.7","tier_raw":"Point of Focus","tier":3,"seq":219,"title":"Determines Data Requiring Backup","description":"Data is evaluated to determine whether backup is required. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.8","id_raw":"A1.2.8","tier_raw":"Point of Focus","tier":3,"seq":220,"title":"Performs Data Backup","description":"Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.9","id_raw":"A1.2.9","tier_raw":"Point of Focus","tier":3,"seq":221,"title":"Addresses Offsite Storage","description":"Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.2.10","id_raw":"A1.2.10","tier_raw":"Point of Focus","tier":3,"seq":222,"title":"Implements Alternate Processing Infrastructure","description":"Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.3.1","id_raw":"A1.3.1","tier_raw":"Point of Focus","tier":3,"seq":223,"title":"Implements Business Continuity Plan Testing","description":"Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:a1.3.2","id_raw":"A1.3.2","tier_raw":"Point of Focus","tier":3,"seq":224,"title":"Tests Integrity and Completeness of Back-Up Data","description":"The integrity and completeness of back-up information is tested on a periodic basis. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.1.1","id_raw":"C1.1.1","tier_raw":"Point of Focus","tier":3,"seq":225,"title":"Identifies Confidential information","description":"Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.1.2","id_raw":"C1.1.2","tier_raw":"Point of Focus","tier":3,"seq":226,"title":"Protects Confidential Information from Destruction","description":"Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.2.1","id_raw":"C1.2.1","tier_raw":"Point of Focus","tier":3,"seq":227,"title":"Identifies Confidential Information for Destruction","description":"Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:c1.2.2","id_raw":"C1.2.2","tier_raw":"Point of Focus","tier":3,"seq":228,"title":"Destroys Confidential Information","description":"Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.1.1","id_raw":"PI1.1.1","tier_raw":"Point of Focus","tier":3,"seq":229,"title":"Defines Data Necessary to Support a Product or Service","description":"When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:\n(1)    The definition of the data is available to the users of the data\n(2)    The definition of the data includes the following information:\n—    The population of events or instances included in the data\n—    The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)\n—    Source(s) of the data\n—    The unit(s) of measurement of data elements (for example, fields)\n—    The accuracy/correctness/precision of measurement\n—    The uncertainty or confidence interval inherent in each data element and in the population of those elements\n—    The date the data was observed or the period of time during which the events relevant to the data occurred\n—    The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population\n(3)    The definition is complete and accurate.\n(4)    The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (meta-data) that has not been included within the data. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.2.1","id_raw":"PI1.2.1","tier_raw":"Point of Focus","tier":3,"seq":230,"title":"Defines Characteristics of Processing Inputs","description":"The characteristics of processing inputs that are necessary to meet requirements are defined."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.2.2","id_raw":"PI1.2.2","tier_raw":"Point of Focus","tier":3,"seq":231,"title":"Evaluates Processing Inputs","description":"Processing inputs are evaluated for compliance with defined input requirements."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.2.3","id_raw":"PI1.2.3","tier_raw":"Point of Focus","tier":3,"seq":232,"title":"Creates and Maintains Records of System Inputs","description":"Records of system input activities are created and maintained completely and accurately in a timely manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3.1","id_raw":"PI1.3.1","tier_raw":"Point of Focus","tier":3,"seq":233,"title":"Defines Processing Specifications","description":"The processing specifications that are necessary to meet product or service requirements are defined."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3.2","id_raw":"PI1.3.2","tier_raw":"Point of Focus","tier":3,"seq":234,"title":"Defines Processing Activities","description":"Processing activities are defined to result in products or services that meet specifications."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3.3","id_raw":"PI1.3.3","tier_raw":"Point of Focus","tier":3,"seq":235,"title":"Detects and Corrects Production Errors","description":"Errors in the production process are detected and corrected in a timely manner. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3.4","id_raw":"PI1.3.4","tier_raw":"Point of Focus","tier":3,"seq":236,"title":"Records System Processing Activities","description":"System processing activities are recorded completely and accurately in a timely manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.3.5","id_raw":"PI1.3.5","tier_raw":"Point of Focus","tier":3,"seq":237,"title":"Processes Inputs","description":"Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.4.1","id_raw":"PI1.4.1","tier_raw":"Point of Focus","tier":3,"seq":238,"title":"Protects Output","description":"Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.4.2","id_raw":"PI1.4.2","tier_raw":"Point of Focus","tier":3,"seq":239,"title":"Distributes Output Only to Intended Parties","description":"Output is distributed or made available only to intended parties."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.4.3","id_raw":"PI1.4.3","tier_raw":"Point of Focus","tier":3,"seq":240,"title":"Distributes Output Completely and Accurately","description":"Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.4.4","id_raw":"PI1.4.4","tier_raw":"Point of Focus","tier":3,"seq":241,"title":"Creates and Maintains Records of System Output Activities","description":"Records of system output activities are created and maintained completely and accurately in a timely manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.5.1","id_raw":"PI1.5.1","tier_raw":"Point of Focus","tier":3,"seq":242,"title":"Protects Stored Items","description":"Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.5.2","id_raw":"PI1.5.2","tier_raw":"Point of Focus","tier":3,"seq":243,"title":"Archives and Protects System Records","description":"System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.5.3","id_raw":"PI1.5.3","tier_raw":"Point of Focus","tier":3,"seq":244,"title":"Stores Data Completely and Accurately","description":"Procedures are in place to provide for the complete, accurate, and timely storage of data. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:pi1.5.4","id_raw":"PI1.5.4","tier_raw":"Point of Focus","tier":3,"seq":245,"title":"Creates and Maintains Records of System Storage Activities","description":"Records of system storage activities are created and maintained completely and accurately in a timely manner."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1.1.1","id_raw":"P1.1.1","tier_raw":"Point of Focus","tier":3,"seq":246,"title":"Communicates to Data Subjects","description":"Notice is provided to data subjects regarding the following:\n—    Purpose for collecting personal information\n—    Choice and consent\n—    Types of personal information collected\n—    Methods of collection (for example, use of cookies or other tracking techniques)\n—    Use, retention, and disposal\n—    Access\n—    Disclosure to third parties\n—    Security for privacy\n—    Quality, including data subjects’ responsibilities for quality\n—    Monitoring and enforcement\nIf personal information is collected from sources other than the individual, such sources are described in the privacy notice."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1.1.2","id_raw":"P1.1.2","tier_raw":"Point of Focus","tier":3,"seq":247,"title":"Provides Notice to Data Subjects","description":"Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1.1.3","id_raw":"P1.1.3","tier_raw":"Point of Focus","tier":3,"seq":248,"title":"Covers Entities and Activities in Notice ","description":"An objective description of the entities and activities covered is included in the entity’s privacy notice."} 
+{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p1.1.4","id_raw":"P1.1.4","tier_raw":"Point of Focus","tier":3,"seq":249,"title":"Uses Clear and Conspicuous Language","description":"The entity’s privacy notice is conspicuous and uses clear language."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.1","id_raw":"P2.1.1","tier_raw":"Point of Focus","tier":3,"seq":250,"title":"Communicates to Data Subjects","description":"Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.2","id_raw":"P2.1.2","tier_raw":"Point of Focus","tier":3,"seq":251,"title":"Communicates Consequences of Denying or Withdrawing Consent","description":"When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.3","id_raw":"P2.1.3","tier_raw":"Point of Focus","tier":3,"seq":252,"title":"Obtains Implicit or Explicit Consent","description":"Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. 
The individual’s preferences expressed in his or her consent are confirmed and implemented."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.4","id_raw":"P2.1.4","tier_raw":"Point of Focus","tier":3,"seq":253,"title":"Documents and Obtains Consent for New Purposes and Uses","description":"If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.5","id_raw":"P2.1.5","tier_raw":"Point of Focus","tier":3,"seq":254,"title":"Obtains Explicit Consent for Sensitive Information","description":"Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p2.1.6","id_raw":"P2.1.6","tier_raw":"Point of Focus","tier":3,"seq":255,"title":"Obtains Consent for Data Transfers","description":"Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.1.1","id_raw":"P3.1.1","tier_raw":"Point of Focus","tier":3,"seq":256,"title":"Limits the Collection of Personal Information","description":"The collection of personal information is limited to that necessary to meet the entity’s objectives."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.1.2","id_raw":"P3.1.2","tier_raw":"Point of Focus","tier":3,"seq":257,"title":"Collects Information by Fair and Lawful Means","description":"Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.1.3","id_raw":"P3.1.3","tier_raw":"Point of Focus","tier":3,"seq":258,"title":"Collects Information From Reliable Sources","description":"Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.1.4","id_raw":"P3.1.4","tier_raw":"Point of Focus","tier":3,"seq":259,"title":"Informs Data Subjects When Additional Information Is Acquired","description":"Data subjects are informed if the entity develops or acquires additional information about them for its use. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.2.1","id_raw":"P3.2.1","tier_raw":"Point of Focus","tier":3,"seq":260,"title":"Obtains Explicit Consent for Sensitive Information","description":"Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p3.2.2","id_raw":"P3.2.2","tier_raw":"Point of Focus","tier":3,"seq":261,"title":"Documents Explicit Consent to Retain Information","description":"Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.1.1","id_raw":"P4.1.1","tier_raw":"Point of Focus","tier":3,"seq":262,"title":"Uses Personal Information for Intended Purposes","description":"Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.2.1","id_raw":"P4.2.1","tier_raw":"Point of Focus","tier":3,"seq":263,"title":"Retains Personal Information","description":"Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.2.2","id_raw":"P4.2.2","tier_raw":"Point of Focus","tier":3,"seq":264,"title":"Protects Personal Information","description":"Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.3.1","id_raw":"P4.3.1","tier_raw":"Point of Focus","tier":3,"seq":265,"title":"Captures, Identifies, and Flags Requests for Deletion","description":"Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.3.2","id_raw":"P4.3.2","tier_raw":"Point of Focus","tier":3,"seq":266,"title":"Disposes of, Destroys, and Redacts Personal Information","description":"Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p4.3.3","id_raw":"P4.3.3","tier_raw":"Point of Focus","tier":3,"seq":267,"title":"Destroys Personal Information","description":"Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.1.1","id_raw":"P5.1.1","tier_raw":"Point of Focus","tier":3,"seq":268,"title":"Authenticates Data Subjects’ Identity","description":"The identity of data subjects who request access to their personal information is authenticated before they are given access to that information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.1.2","id_raw":"P5.1.2","tier_raw":"Point of Focus","tier":3,"seq":269,"title":"Permits Data Subjects Access to Their Personal Information","description":"Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.1.3","id_raw":"P5.1.3","tier_raw":"Point of Focus","tier":3,"seq":270,"title":"Provides Understandable Personal Information Within Reasonable 
Time","description":"Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.1.4","id_raw":"P5.1.4","tier_raw":"Point of Focus","tier":3,"seq":271,"title":"Informs Data Subjects If Access Is Denied","description":"When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.2.1","id_raw":"P5.2.1","tier_raw":"Point of Focus","tier":3,"seq":272,"title":"Communicates Denial of Access Requests","description":"Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.2.2","id_raw":"P5.2.2","tier_raw":"Point of Focus","tier":3,"seq":273,"title":"Permits Data Subjects to Update or Correct Personal Information","description":"Data subjects are able to update or correct personal information held by the entity. 
The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p5.2.3","id_raw":"P5.2.3","tier_raw":"Point of Focus","tier":3,"seq":274,"title":"Communicates Denial of Correction Requests","description":"Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.1.1","id_raw":"P6.1.1","tier_raw":"Point of Focus","tier":3,"seq":275,"title":"Communicates Privacy Policies to Third Parties","description":"Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.1.2","id_raw":"P6.1.2","tier_raw":"Point of Focus","tier":3,"seq":276,"title":"Discloses Personal Information Only When Appropriate","description":"Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.1.3","id_raw":"P6.1.3","tier_raw":"Point of Focus","tier":3,"seq":277,"title":"Discloses Personal Information Only to Appropriate Third Parties","description":"Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. 
The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.1.4","id_raw":"P6.1.4","tier_raw":"Point of Focus","tier":3,"seq":278,"title":"Discloses Information to Third Parties for New Purposes and Uses","description":"Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.2.1","id_raw":"P6.2.1","tier_raw":"Point of Focus","tier":3,"seq":279,"title":"Creates and Retains Record of Authorized Disclosures","description":"The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely. "} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.3.1","id_raw":"P6.3.1","tier_raw":"Point of Focus","tier":3,"seq":280,"title":"Creates and Retains Record of Detected or Reported Unauthorized Disclosures","description":"The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.4.1","id_raw":"P6.4.1","tier_raw":"Point of Focus","tier":3,"seq":281,"title":"Discloses Personal Information Only to Appropriate Third Parties","description":"Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. 
The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.4.2","id_raw":"P6.4.2","tier_raw":"Point of Focus","tier":3,"seq":282,"title":"Remediates Misuse of Personal Information by a Third Party ","description":"The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.5.1","id_raw":"P6.5.1","tier_raw":"Point of Focus","tier":3,"seq":283,"title":"Remediates Misuse of Personal Information by a Third Party","description":"The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.5.2","id_raw":"P6.5.2","tier_raw":"Point of Focus","tier":3,"seq":284,"title":"Reports Actual or Suspected Unauthorized Disclosures","description":"A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.6.1","id_raw":"P6.6.1","tier_raw":"Point of Focus","tier":3,"seq":285,"title":"Remediates Misuse of Personal Information by a Third Party","description":"The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.6.2","id_raw":"P6.6.2","tier_raw":"Point of Focus","tier":3,"seq":286,"title":"Provides Notice of Breaches and Incidents","description":"The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. 
"} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.7.1","id_raw":"P6.7.1","tier_raw":"Point of Focus","tier":3,"seq":287,"title":"Identifies Types of Personal Information and Handling Process","description":"The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p6.7.2","id_raw":"P6.7.2","tier_raw":"Point of Focus","tier":3,"seq":288,"title":"Captures, Identifies, and Communicates Requests for Information","description":"Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p7.1.1","id_raw":"P7.1.1","tier_raw":"Point of Focus","tier":3,"seq":289,"title":"Ensures Accuracy and Completeness of Personal Information","description":"Personal information is accurate and complete for the purposes for which it is to be used."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p7.1.2","id_raw":"P7.1.2","tier_raw":"Point of Focus","tier":3,"seq":290,"title":"Ensures Relevance of Personal Information","description":"Personal information is relevant to the purposes for which it is to be used."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.1","id_raw":"P8.1.1","tier_raw":"Point of Focus","tier":3,"seq":291,"title":"Communicates to Data Subjects","description":"Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.2","id_raw":"P8.1.2","tier_raw":"Point of Focus","tier":3,"seq":292,"title":"Addresses Inquiries, Complaints, and Disputes","description":"A process is in place to address inquiries, complaints, and 
disputes."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.3","id_raw":"P8.1.3","tier_raw":"Point of Focus","tier":3,"seq":293,"title":"Documents and Communicates Dispute Resolution and Recourse","description":"Each complaint is addressed, and the resolution is documented and communicated to the individual."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.4","id_raw":"P8.1.4","tier_raw":"Point of Focus","tier":3,"seq":294,"title":"Documents and Reports Compliance Review Results","description":"Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.5","id_raw":"P8.1.5","tier_raw":"Point of Focus","tier":3,"seq":295,"title":"Documents and Reports Instances of Noncompliance","description":"Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis."} +{"source":"aicpa_tsc_v2017","id":"aicpa_tsc_v2017:p8.1.6","id_raw":"P8.1.6","tier_raw":"Point of Focus","tier":3,"seq":296,"title":"Performs Ongoing Monitoring","description":"Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary."} +{"source":"scf","id":"scf:gov","id_raw":"GOV","tier_raw":"Domains & Principles","tier":0,"seq":1,"title":"Security & Privacy Governance","description":"Security & Privacy by Design (S|P) Principles:\nExecute a documented, risk-based program that supports business objectives while encompassing appropriate security and privacy principles that addresses applicable statutory, regulatory and contractual obligations.\n\nPrinciple Intent:\nOrganizations specify the development of an organization’s security and privacy programs, including criteria to 
measure success, to ensure ongoing leadership engagement and risk management."} +{"source":"scf","id":"scf:ast","id_raw":"AST","tier_raw":"Domains & Principles","tier":0,"seq":2,"title":"Asset Management","description":"Security & Privacy by Design (S|P) Principles:\nManage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.\n\nPrinciple Intent:\nOrganizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization’s network and to protect the organization’s data that is stored, processed or transmitted on its assets."} +{"source":"scf","id":"scf:bcd","id_raw":"BCD","tier_raw":"Domains & Principles","tier":0,"seq":3,"title":"Business Continuity & Disaster Recovery","description":"Security & Privacy by Design (S|P) Principles:\nMaintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.\n\nPrinciple Intent:\nOrganizations establish processes that will help the organization recover from adverse situations with the minimal impact to operations, as well as provide the ability for e-discovery."} +{"source":"scf","id":"scf:cap","id_raw":"CAP","tier_raw":"Domains & Principles","tier":0,"seq":4,"title":"Capacity & Performance Planning","description":"Security & Privacy by Design (S|P) Principles:\nGovern the current and future capacities and performance of technology assets.\n\nPrinciple Intent:\nOrganizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance."} 
+{"source":"scf","id":"scf:chg","id_raw":"CHG","tier_raw":"Domains & Principles","tier":0,"seq":5,"title":"Change Management","description":"Security & Privacy by Design (S|P) Principles:\nManage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur. \n\nPrinciple Intent:\nOrganizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime, as well as allow easier troubleshooting of issues."} +{"source":"scf","id":"scf:cld","id_raw":"CLD","tier_raw":"Domains & Principles","tier":0,"seq":6,"title":"Cloud Security","description":"Security & Privacy by Design (S|P) Principles:\nGovern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal cybersecurity and privacy controls.\n\nPrinciple Intent:\nOrganizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed. 
"} +{"source":"scf","id":"scf:cpl","id_raw":"CPL","tier_raw":"Domains & Principles","tier":0,"seq":7,"title":"Compliance","description":"Security & Privacy by Design (S|P) Principles:\nOversee the execution of cybersecurity and privacy controls to ensure appropriate evidence required due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.\n\nPrinciple Intent:\nOrganizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards."} +{"source":"scf","id":"scf:cfg","id_raw":"CFG","tier_raw":"Domains & Principles","tier":0,"seq":8,"title":"Configuration Management","description":"Security & Privacy by Design (S|P) Principles:\nEnforce secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.\n\nPrinciple Intent:\nOrganizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code."} +{"source":"scf","id":"scf:mon","id_raw":"MON","tier_raw":"Domains & Principles","tier":0,"seq":9,"title":"Continuous Monitoring","description":"Security & Privacy by Design (S|P) Principles:\nMaintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services. \n\nPrinciple Intent:\nOrganizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. 
Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources."} +{"source":"scf","id":"scf:cry","id_raw":"CRY","tier_raw":"Domains & Principles","tier":0,"seq":10,"title":"Cryptographic Protections","description":"Security & Privacy by Design (S|P) Principles:\nUtilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive data both at rest and in transit.\n\nPrinciple Intent:\nOrganizations ensure the confidentiality of the organization’s data through implementing appropriate cryptographic technologies to protect systems and data."} +{"source":"scf","id":"scf:dch","id_raw":"DCH","tier_raw":"Domains & Principles","tier":0,"seq":11,"title":"Data Classification & Handling","description":"Security & Privacy by Design (S|P) Principles:\nEnforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can \n\nPrinciple Intent:\nOrganizations ensure that technology assets, both hardware and media, are properly classified and measures implemented to protect the organization’s data from unauthorized disclosure, regardless if it is being transmitted or stored. 
Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data."} +{"source":"scf","id":"scf:emb","id_raw":"EMB","tier_raw":"Domains & Principles","tier":0,"seq":12,"title":"Embedded Technology","description":"Security & Privacy by Design (S|P) Principles:\nProvide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.\n\nPrinciple Intent:\nOrganizations specify the development, proactive management and ongoing review of security embedded technologies, including hardening of the “stack” from the hardware, to firmware, software, transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices."} +{"source":"scf","id":"scf:end","id_raw":"END","tier_raw":"Domains & Principles","tier":0,"seq":13,"title":"Endpoint Security","description":"Security & Privacy by Design (S|P) Principles:\nHarden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process. \n\nPrinciple Intent:\nOrganizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. 
Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations."} +{"source":"scf","id":"scf:hrs","id_raw":"HRS","tier_raw":"Domains & Principles","tier":0,"seq":14,"title":"Human Resources Security","description":"Security & Privacy by Design (S|P) Principles:\nExecute sound hiring practices and ongoing personnel management to cultivate a security and privacy-minded workforce.\n\nPrinciple Intent:\nOrganizations create a security and privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration."} +{"source":"scf","id":"scf:iac","id_raw":"IAC","tier_raw":"Domains & Principles","tier":0,"seq":15,"title":"Identification & Authentication","description":"Security & Privacy by Design (S|P) Principles:\nEnforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.\n\nPrinciple Intent:\nOrganizations implement the concept of “least privilege” through limiting access to the organization’s systems and data to authorized users only."} +{"source":"scf","id":"scf:iro","id_raw":"IRO","tier_raw":"Domains & Principles","tier":0,"seq":16,"title":"Incident Response","description":"Security & Privacy by Design (S|P) Principles:\nMaintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP). 
\n\nPrinciple Intent:\nOrganizations establish and maintain a capability to guide the organization’s response when security or privacy-related incidents occur and to train users how to detect and report potential incidents."} +{"source":"scf","id":"scf:iao","id_raw":"IAO","tier_raw":"Domains & Principles","tier":0,"seq":17,"title":"Information Assurance","description":"Security & Privacy by Design (S|P) Principles:\nExecute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity and privacy controls, prior to a system, application or service being used in a production environment.\n\nPrinciple Intent:\nOrganizations ensure the adequately of security and controls are appropriate in both development and production environments."} +{"source":"scf","id":"scf:mnt","id_raw":"MNT","tier_raw":"Domains & Principles","tier":0,"seq":18,"title":"Maintenance","description":"Security & Privacy by Design (S|P) Principles:\nProactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties. \n\nPrinciple Intent:\nOrganizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets."} +{"source":"scf","id":"scf:mdm","id_raw":"MDM","tier_raw":"Domains & Principles","tier":0,"seq":19,"title":"Mobile Device Management","description":"Security & Privacy by Design (S|P) Principles:\nImplement measures to restrict mobile device connectivity with critical infrastructure and sensitive data that limit the attack surface and potential data exposure from mobile device usage.\n\nPrinciple Intent:\nOrganizations govern risks associated with mobile devices, regardless if the device is owned by the organization, its users or trusted third-parties. 
Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices."} +{"source":"scf","id":"scf:net","id_raw":"NET","tier_raw":"Domains & Principles","tier":0,"seq":20,"title":"Network Security","description":"Security & Privacy by Design (S|P) Principles:\nArchitect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services. \n\nPrinciple Intent:\nOrganizations ensure sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on the organization’s networks."} +{"source":"scf","id":"scf:pes","id_raw":"PES","tier_raw":"Domains & Principles","tier":0,"seq":21,"title":"Physical & Environmental Security","description":"Security & Privacy by Design (S|P) Principles:\nProtect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage. 
\n\nPrinciple Intent:\nOrganizations minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats."} +{"source":"scf","id":"scf:pri","id_raw":"PRI","tier_raw":"Domains & Principles","tier":0,"seq":22,"title":"Privacy","description":"Security & Privacy by Design (S|P) Principles:\nAlign privacy practices with industry-recognized privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.\n\nPrinciple Intent:\nOrganizations align privacy engineering decisions with the organization’s overall privacy strategy and industry-recognized leading practices to secure Personal Data (PD) that implements the concept of privacy by design and by default."} +{"source":"scf","id":"scf:prm","id_raw":"PRM","tier_raw":"Domains & Principles","tier":0,"seq":23,"title":"Project & Resource Management","description":"Security & Privacy by Design (S|P) Principles:\nOperationalize a viable strategy to achieve cybersecurity & privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.\n\nPrinciple Intent:\nOrganizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution."} +{"source":"scf","id":"scf:rsk","id_raw":"RSK","tier_raw":"Domains & Principles","tier":0,"seq":24,"title":"Risk Management","description":"Security & Privacy by Design (S|P) Principles:\nProactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.\n\nPrinciple 
Intent:\nOrganizations ensure that security and privacy-related risks are visible to and understood by the business unit(s) that own the assets and / or processes involved. The security and privacy teams only advise and educate on risk management matters, while it is the business units and other key stakeholders who ultimately own the risk."} +{"source":"scf","id":"scf:sea","id_raw":"SEA","tier_raw":"Domains & Principles","tier":0,"seq":25,"title":"Secure Engineering & Architecture","description":"Security & Privacy by Design (S|P) Principles:\nUtilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.\n\nPrinciple Intent:\nOrganizations align cybersecurity engineering and architecture decisions with the organization’s overall technology architectural strategy and industry-recognized leading practices to secure networked environments."} +{"source":"scf","id":"scf:ops","id_raw":"OPS","tier_raw":"Domains & Principles","tier":0,"seq":26,"title":"Security Operations","description":"Security & Privacy by Design (S|P) Principles:\nExecute the delivery of security and privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.\n\nPrinciple Intent:\nOrganizations ensure appropriate resources and a management structure exists to enable the service delivery of cybersecurity, physical security and privacy operations."} +{"source":"scf","id":"scf:sat","id_raw":"SAT","tier_raw":"Domains & Principles","tier":0,"seq":27,"title":"Security Awareness & Training","description":"Security & Privacy by Design (S|P) Principles:\nFoster a security and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.\n\nPrinciple Intent:\nOrganizations develop a security and privacy-minded workforce through continuous education activities and practical exercises, 
in order to refine and improve on existing training."} +{"source":"scf","id":"scf:tda","id_raw":"TDA","tier_raw":"Domains & Principles","tier":0,"seq":28,"title":"Technology Development & Acquisition","description":"Security & Privacy by Design (S|P) Principles:\nDevelop and test systems, applications or services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design weaknesses.\n\nPrinciple Intent:\nOrganizations ensure that security and privacy principles are implemented into any products/solutions that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated."} +{"source":"scf","id":"scf:tpm","id_raw":"TPM","tier_raw":"Domains & Principles","tier":0,"seq":29,"title":"Third-Party Management","description":"Security & Privacy by Design (S|P) Principles:\nExecute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.\n\nPrinciple Intent:\nOrganizations ensure that security and privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become compromised, untrustworthy or defunct."} +{"source":"scf","id":"scf:thr","id_raw":"THR","tier_raw":"Domains & Principles","tier":0,"seq":30,"title":"Threat Management ","description":"Security & Privacy by Design (S|P) Principles:\nProactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.\n\nPrinciple Intent:\nOrganizations establish a capability to proactively identify and manage technology-related threats to the security and privacy of the organization’s systems, data and business processes."} +{"source":"scf","id":"scf:vpm","id_raw":"VPM","tier_raw":"Domains & Principles","tier":0,"seq":31,"title":"Vulnerability 
& Patch Management","description":"Security & Privacy by Design (S|P) Principles:\nLeverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience systems, applications and services against evolving and sophisticated attack vectors.\n\nPrinciple Intent:\nOrganizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized."} +{"source":"scf","id":"scf:web","id_raw":"WEB","tier_raw":"Domains & Principles","tier":0,"seq":32,"title":"Web Security","description":"Security & Privacy by Design (S|P) Principles:\nEnsure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.\n\nPrinciple Intent:\nOrganizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities."} +{"source":"scf","id":"scf:gov-01","id_raw":"GOV-01","tier_raw":"Controls","tier":1,"seq":1,"title":"Security & Privacy Governance Program ","description":"Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)"} +{"source":"scf","id":"scf:gov-01.1","id_raw":"GOV-01.1","tier_raw":"Controls","tier":1,"seq":2,"title":"Steering Committee","description":"Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising of key cybersecurity, privacy and business executives, which meets formally and on a regular basis.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)"} 
+{"source":"scf","id":"scf:gov-01.2","id_raw":"GOV-01.2","tier_raw":"Controls","tier":1,"seq":3,"title":"Status Reporting To Governing Body","description":"Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity and privacy program."} +{"source":"scf","id":"scf:gov-02","id_raw":"GOV-02","tier_raw":"Controls","tier":1,"seq":4,"title":"Publishing Security & Privacy Documentation ","description":"Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.\n\nMethods To Comply With SCF Controls:\n- Steering committee\n- Digital Security Program (DSP)\n- Cybersecurity & Data Protection Program (CDPP)\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Wiki\n- SharePoint"} +{"source":"scf","id":"scf:gov-03","id_raw":"GOV-03","tier_raw":"Controls","tier":1,"seq":5,"title":"Periodic Review & Update of Security & Privacy Program","description":"Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. \n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee"} +{"source":"scf","id":"scf:gov-04","id_raw":"GOV-04","tier_raw":"Controls","tier":1,"seq":6,"title":"Assigned Security & Privacy Responsibilities ","description":"Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program. 
\n\nMethods To Comply With SCF Controls:\n- NIST NICE Framework\n- Chief Information Security Officer (CISO)"} +{"source":"scf","id":"scf:gov-05","id_raw":"GOV-05","tier_raw":"Controls","tier":1,"seq":7,"title":"Measures of Performance ","description":"Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.\n\nMethods To Comply With SCF Controls:\n- Metrics\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Enterprise Risk Management (ERM) solution"} +{"source":"scf","id":"scf:gov-05.1","id_raw":"GOV-05.1","tier_raw":"Controls","tier":1,"seq":8,"title":"Key Performance Indicators (KPIs)","description":"Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and privacy program.\n\nMethods To Comply With SCF Controls:\n- Key Performance Indicators (KPIs)"} +{"source":"scf","id":"scf:gov-05.2","id_raw":"GOV-05.2","tier_raw":"Controls","tier":1,"seq":9,"title":"Key Risk Indicators (KRIs)","description":"Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program.\n\nMethods To Comply With SCF Controls:\n- Key Risk Indicators (KRIs)"} +{"source":"scf","id":"scf:gov-06","id_raw":"GOV-06","tier_raw":"Controls","tier":1,"seq":10,"title":"Contacts With Authorities ","description":"Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.\n\nMethods To Comply With SCF Controls:\n- Threat intelligence personnel\n- Integrated Security Incident Response Team (ISIRT)"} +{"source":"scf","id":"scf:gov-07","id_raw":"GOV-07","tier_raw":"Controls","tier":1,"seq":11,"title":"Contacts With Groups & Associations ","description":"Mechanisms 
exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: \n\nMethods To Comply With SCF Controls:\n- SANS\n- CISO Executive Network\n- ISACA chapters\n- IAPP chapters\n- ISAA chapters"} +{"source":"scf","id":"scf:gov-08","id_raw":"GOV-08","tier_raw":"Controls","tier":1,"seq":12,"title":"Defining Business Context & Mission","description":"Mechanisms exist to define the context of its business model and document the mission of the organization."} +{"source":"scf","id":"scf:gov-09","id_raw":"GOV-09","tier_raw":"Controls","tier":1,"seq":13,"title":"Define Control Objectives","description":"Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system."} +{"source":"scf","id":"scf:gov-10","id_raw":"GOV-10","tier_raw":"Controls","tier":1,"seq":14,"title":"Data Governance","description":"Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations."} +{"source":"scf","id":"scf:gov-11","id_raw":"GOV-11","tier_raw":"Controls","tier":1,"seq":15,"title":"Purpose Validation","description":"Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose."} +{"source":"scf","id":"scf:gov-12","id_raw":"GOV-12","tier_raw":"Controls","tier":1,"seq":16,"title":"Forced Technology Transfer (FTT)","description":"Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee"} 
+{"source":"scf","id":"scf:gov-13","id_raw":"GOV-13","tier_raw":"Controls","tier":1,"seq":17,"title":"State-Sponsored Espionage","description":"Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. \n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee"} +{"source":"scf","id":"scf:gov-14","id_raw":"GOV-14","tier_raw":"Controls","tier":1,"seq":18,"title":"Business As Usual (BAU) Secure Practices","description":"Mechanisms exist to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices through executive leadership involvement."} +{"source":"scf","id":"scf:gov-15","id_raw":"GOV-15","tier_raw":"Controls","tier":1,"seq":19,"title":"Operationalizing Cybersecurity & Privacy Practices","description":"Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control."} +{"source":"scf","id":"scf:gov-15.1","id_raw":"GOV-15.1","tier_raw":"Controls","tier":1,"seq":20,"title":"Select Controls","description":"Mechanisms exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control."} +{"source":"scf","id":"scf:gov-15.2","id_raw":"GOV-15.2","tier_raw":"Controls","tier":1,"seq":21,"title":"Implement Controls","description":"Mechanisms exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control."} +{"source":"scf","id":"scf:gov-15.3","id_raw":"GOV-15.3","tier_raw":"Controls","tier":1,"seq":22,"title":"Assess Controls","description":"Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under 
their control are implemented correctly and are operating as intended."} +{"source":"scf","id":"scf:gov-15.4","id_raw":"GOV-15.4","tier_raw":"Controls","tier":1,"seq":23,"title":"Authorize Systems, Applications & Services","description":"Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control."} +{"source":"scf","id":"scf:gov-15.5","id_raw":"GOV-15.5","tier_raw":"Controls","tier":1,"seq":24,"title":"Monitor Controls","description":"Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended."} +{"source":"scf","id":"scf:ast-01","id_raw":"AST-01","tier_raw":"Controls","tier":1,"seq":25,"title":"Asset Governance ","description":"Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.\n\nMethods To Comply With SCF Controls:\n- Generally Accepted Accounting Principles (GAAP)\n- ITIL - Configuration Management Database (CMDB)\n- IT Asset Management (ITAM) program"} +{"source":"scf","id":"scf:ast-01.1","id_raw":"AST-01.1","tier_raw":"Controls","tier":1,"seq":26,"title":"Asset-Service Dependencies","description":"Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function. 
"} +{"source":"scf","id":"scf:ast-01.2","id_raw":"AST-01.2","tier_raw":"Controls","tier":1,"seq":27,"title":"Stakeholder Identification & Involvement","description":"Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets."} +{"source":"scf","id":"scf:ast-01.3","id_raw":"AST-01.3","tier_raw":"Controls","tier":1,"seq":28,"title":"Standardized Naming Convention","description":"Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts."} +{"source":"scf","id":"scf:ast-02","id_raw":"AST-02","tier_raw":"Controls","tier":1,"seq":29,"title":"Asset Inventories ","description":"Mechanisms exist to perform inventories of technology assets that:\n\nMethods To Comply With SCF Controls:\n- ManageEngine AssetExplorer\n- LANDesk IT Asset Management Suite\n- ServiceNow (https://www.servicenow.com/)\n- Solarwinds (https://www.solarwinds.com/)\n- CrowdStrike\n- JAMF\n- ITIL - Configuration Management Database (CMDB)"} +{"source":"scf","id":"scf:ast-02.1","id_raw":"AST-02.1","tier_raw":"Controls","tier":1,"seq":30,"title":"Updates During Installations / Removals","description":"Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades. 
\n\nMethods To Comply With SCF Controls:\n- CrowdStrike\n- JAMF\n- ITIL - Configuration Management Database (CMDB)"} +{"source":"scf","id":"scf:ast-02.2","id_raw":"AST-02.2","tier_raw":"Controls","tier":1,"seq":31,"title":"Automated Unauthorized Component Detection","description":"Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- DHCP logging\n- Active discovery tools\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Vectra\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Microsoft SCCM\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:ast-02.3","id_raw":"AST-02.3","tier_raw":"Controls","tier":1,"seq":32,"title":"Component Duplication Avoidance ","description":"Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.\n\nMethods To Comply With SCF Controls:\n- ITIL - Configuration Management Database (CMDB)\n- Manual or automated process"} +{"source":"scf","id":"scf:ast-02.4","id_raw":"AST-02.4","tier_raw":"Controls","tier":1,"seq":33,"title":"Approved Baseline Deviations","description":"Mechanisms exist to document and govern instances of approved deviations from established baseline configurations. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- SCCM\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Microsoft SCCM"} +{"source":"scf","id":"scf:ast-02.5","id_raw":"AST-02.5","tier_raw":"Controls","tier":1,"seq":34,"title":"Network Access Control (NAC)","description":"Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disable network access to those unauthorized devices.\n\nMethods To Comply With SCF Controls:\n- Cisco NAC\n- Aruba Networks\n- Juniper NAC\n- Packet Fence\n- Symantec NAC\n- Sophos NAC\n- Bradford Networks NAC Director\n- Cisco ISE\n- ForeScout"} +{"source":"scf","id":"scf:ast-02.6","id_raw":"AST-02.6","tier_raw":"Controls","tier":1,"seq":35,"title":"Dynamic Host Configuration Protocol (DHCP) Server Logging","description":"Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems. 
\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Manual Process\n- Build Automation Tools\n- NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)"} +{"source":"scf","id":"scf:ast-02.7","id_raw":"AST-02.7","tier_raw":"Controls","tier":1,"seq":36,"title":"Software Licensing Restrictions","description":"Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.\n\nMethods To Comply With SCF Controls:\n- Manual Process\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)"} +{"source":"scf","id":"scf:ast-02.8","id_raw":"AST-02.8","tier_raw":"Controls","tier":1,"seq":37,"title":"Data Action Mapping","description":"Mechanisms exist to create and maintain a map of technology assets where sensitive data is stored, transmitted or processed.\n\nMethods To Comply With SCF Controls:\n- Visio\n- LucidChart"} +{"source":"scf","id":"scf:ast-02.9","id_raw":"AST-02.9","tier_raw":"Controls","tier":1,"seq":38,"title":"Configuration Management Database (CMDB)","description":"Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.\n\nMethods To Comply With SCF Controls:\n- Configuration Management Database (CMDB)"} +{"source":"scf","id":"scf:ast-02.10","id_raw":"AST-02.10","tier_raw":"Controls","tier":1,"seq":39,"title":"Automated Location","description":"Mechanisms exist to track the geographic location of system components."} +{"source":"scf","id":"scf:ast-02.11","id_raw":"AST-02.11","tier_raw":"Controls","tier":1,"seq":40,"title":"Component Assignment","description":"Mechanisms exist to bind components to a specific system."} 
+{"source":"scf","id":"scf:ast-03","id_raw":"AST-03","tier_raw":"Controls","tier":1,"seq":41,"title":"Asset Ownership Assignment","description":"Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection."} +{"source":"scf","id":"scf:ast-03.1","id_raw":"AST-03.1","tier_raw":"Controls","tier":1,"seq":42,"title":"Accountability Information","description":"Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process."} +{"source":"scf","id":"scf:ast-03.2","id_raw":"AST-03.2","tier_raw":"Controls","tier":1,"seq":43,"title":"Provenance","description":"Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data."} +{"source":"scf","id":"scf:ast-04","id_raw":"AST-04","tier_raw":"Controls","tier":1,"seq":44,"title":"Network Diagrams & Data Flow Diagrams (DFDs)","description":"Mechanisms exist to maintain network architecture diagrams that: \n\nMethods To Comply With SCF Controls:\n- High-Level Diagram (HLD)\n- Low-Level Diagram (LLD)\n- Data Flow Diagram (DFD)\n- Solarwinds (https://www.solarwinds.com/)\n- Paessler\n- PRTG"} +{"source":"scf","id":"scf:ast-04.1","id_raw":"AST-04.1","tier_raw":"Controls","tier":1,"seq":45,"title":"Asset Scope Classification","description":"Mechanisms exist to determine cybersecurity and privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties)."} +{"source":"scf","id":"scf:ast-04.2","id_raw":"AST-04.2","tier_raw":"Controls","tier":1,"seq":46,"title":"Control Applicability Boundary Graphical Representation","description":"Mechanisms exist to ensure 
control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries."} +{"source":"scf","id":"scf:ast-04.3","id_raw":"AST-04.3","tier_raw":"Controls","tier":1,"seq":47,"title":"Compliance-Specific Asset Identification","description":"Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization."} +{"source":"scf","id":"scf:ast-05","id_raw":"AST-05","tier_raw":"Controls","tier":1,"seq":48,"title":"Security of Assets & Media","description":"Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media. \n\nMethods To Comply With SCF Controls:\n- ITIL - Configuration Management Database (CMDB)\n- Definitive Software Library (DSL)"} +{"source":"scf","id":"scf:ast-05.1","id_raw":"AST-05.1","tier_raw":"Controls","tier":1,"seq":49,"title":"Management Approval For External Media Transfer","description":"Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities."} +{"source":"scf","id":"scf:ast-06","id_raw":"AST-06","tier_raw":"Controls","tier":1,"seq":50,"title":"Unattended End-User Equipment ","description":"Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Lockable casings\n- Tamper detection tape\n- Full Disk Encryption (FDE) \n- NNT Change Tracker (https://www.newnettechnologies.com)"} 
+{"source":"scf","id":"scf:ast-06.1","id_raw":"AST-06.1","tier_raw":"Controls","tier":1,"seq":51,"title":"Asset Storage In Automobiles","description":"Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle.\n\nMethods To Comply With SCF Controls:\n- Security awareness training\n- Gamification"} +{"source":"scf","id":"scf:ast-07","id_raw":"AST-07","tier_raw":"Controls","tier":1,"seq":52,"title":"Kiosks & Point of Interaction (PoI) Devices","description":"Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Lockable casings\n- Tamper detection tape\n- Chip & PIN"} +{"source":"scf","id":"scf:ast-08","id_raw":"AST-08","tier_raw":"Controls","tier":1,"seq":53,"title":"Tamper Detection","description":"Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).\n\nMethods To Comply With SCF Controls:\n- \"Burner\" phones & laptops\n- Tamper tape"} +{"source":"scf","id":"scf:ast-09","id_raw":"AST-09","tier_raw":"Controls","tier":1,"seq":54,"title":"Secure Disposal, Destruction or Re-Use of Equipment ","description":"Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.\n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain\n- sdelete (sysinternals)\n- Bootnukem"} +{"source":"scf","id":"scf:ast-10","id_raw":"AST-10","tier_raw":"Controls","tier":1,"seq":55,"title":"Return of Assets ","description":"Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of 
employment, contract or agreement.\n\nMethods To Comply With SCF Controls:\n- Termination checklist\n- Manual Process\n- Native OS and Device Asset Tracking capabilities"} +{"source":"scf","id":"scf:ast-11","id_raw":"AST-11","tier_raw":"Controls","tier":1,"seq":56,"title":"Removal of Assets ","description":"Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities. \n\nMethods To Comply With SCF Controls:\n- RFID asset tagging\n- RFID proximity sensors at access points\n- Asset management software"} +{"source":"scf","id":"scf:ast-12","id_raw":"AST-12","tier_raw":"Controls","tier":1,"seq":57,"title":"Use of Personal Devices","description":"Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.\n\nMethods To Comply With SCF Controls:\n- BYOD policy"} +{"source":"scf","id":"scf:ast-13","id_raw":"AST-13","tier_raw":"Controls","tier":1,"seq":58,"title":"Use of Third-Party Devices","description":"Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.\n\nMethods To Comply With SCF Controls:\n- NAC\n- Separate SSIDs for wireless networks\n- SIEM monitoring/alerting\n- Manual process to disable network all unused ports\n- Network Access Control (NAC)\n- Mobile Device Management (MDM) software\n- Data Loss Prevention (DLP)"} +{"source":"scf","id":"scf:ast-14","id_raw":"AST-14","tier_raw":"Controls","tier":1,"seq":59,"title":"Usage Parameters","description":"Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:ast-14.1","id_raw":"AST-14.1","tier_raw":"Controls","tier":1,"seq":60,"title":"Bluetooth & Wireless Devices","description":"Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building."} +{"source":"scf","id":"scf:ast-14.2","id_raw":"AST-14.2","tier_raw":"Controls","tier":1,"seq":61,"title":"Infrared Communications","description":"Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space."} +{"source":"scf","id":"scf:ast-15","id_raw":"AST-15","tier_raw":"Controls","tier":1,"seq":62,"title":"Tamper Protection","description":"Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Tamper detection tape\n- File Integrity Monitoring (FIM)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)"} +{"source":"scf","id":"scf:ast-15.1","id_raw":"AST-15.1","tier_raw":"Controls","tier":1,"seq":63,"title":"Inspection of Systems, Components & Devices ","description":"Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Tamper detection tape\n- File Integrity Monitoring (FIM)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)"} +{"source":"scf","id":"scf:ast-16","id_raw":"AST-16","tier_raw":"Controls","tier":1,"seq":64,"title":"Bring Your Own Device (BYOD) Usage ","description":"Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.\n\nMethods To Comply With SCF Controls:\n- AirWatch\n- SCCM\n- Casper\n- BYOD policy"} +{"source":"scf","id":"scf:ast-17","id_raw":"AST-17","tier_raw":"Controls","tier":1,"seq":65,"title":"Prohibited Equipment & Services","description":"Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body."} +{"source":"scf","id":"scf:ast-18","id_raw":"AST-18","tier_raw":"Controls","tier":1,"seq":66,"title":"Roots of Trust Protection","description":"Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification."} +{"source":"scf","id":"scf:ast-19","id_raw":"AST-19","tier_raw":"Controls","tier":1,"seq":67,"title":"Telecommunications Equipment","description":"Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping."} +{"source":"scf","id":"scf:ast-20","id_raw":"AST-20","tier_raw":"Controls","tier":1,"seq":68,"title":"Video Teleconference (VTC) Security","description":"Mechanisms exist to implement secure Video 
Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping."} +{"source":"scf","id":"scf:ast-21","id_raw":"AST-21","tier_raw":"Controls","tier":1,"seq":69,"title":"Voice Over Internet Protocol (VoIP) Security","description":"Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks."} +{"source":"scf","id":"scf:ast-22","id_raw":"AST-22","tier_raw":"Controls","tier":1,"seq":70,"title":"Microphones & Web Cameras","description":"Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed."} +{"source":"scf","id":"scf:ast-23","id_raw":"AST-23","tier_raw":"Controls","tier":1,"seq":71,"title":"Multi-Function Devices (MFD)","description":"Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device."} +{"source":"scf","id":"scf:ast-24","id_raw":"AST-24","tier_raw":"Controls","tier":1,"seq":72,"title":"Travel-Only Devices","description":"Mechanisms exist to issue personnel travelling overseas with temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies."} +{"source":"scf","id":"scf:ast-25","id_raw":"AST-25","tier_raw":"Controls","tier":1,"seq":73,"title":"Re-Imaging Devices After Travel","description":"Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies."} 
+{"source":"scf","id":"scf:ast-26","id_raw":"AST-26","tier_raw":"Controls","tier":1,"seq":74,"title":"System Administrative Processes","description":"Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services."} +{"source":"scf","id":"scf:ast-27","id_raw":"AST-27","tier_raw":"Controls","tier":1,"seq":75,"title":"Jump Server","description":"Mechanisms exist to conduct remote system administrative functions via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations."} +{"source":"scf","id":"scf:ast-28","id_raw":"AST-28","tier_raw":"Controls","tier":1,"seq":76,"title":"Database Administrative Processes","description":"Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases."} +{"source":"scf","id":"scf:ast-28.1","id_raw":"AST-28.1","tier_raw":"Controls","tier":1,"seq":77,"title":"Database Management System (DBMS)","description":"Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable."} +{"source":"scf","id":"scf:ast-29","id_raw":"AST-29","tier_raw":"Controls","tier":1,"seq":78,"title":"Radio Frequency Identification (RFID) Security","description":"Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces."} +{"source":"scf","id":"scf:ast-29.1","id_raw":"AST-29.1","tier_raw":"Controls","tier":1,"seq":79,"title":"Contactless Access Control Systems","description":"Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the 
compromise of secure spaces."} +{"source":"scf","id":"scf:ast-30","id_raw":"AST-30","tier_raw":"Controls","tier":1,"seq":80,"title":"Decommissioning","description":"Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations."} +{"source":"scf","id":"scf:bcd-01","id_raw":"BCD-01","tier_raw":"Controls","tier":1,"seq":81,"title":"Business Continuity Management System (BCMS)","description":"Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)\n- Business Impact Analysis (BIA)\n- Criticality assessments"} +{"source":"scf","id":"scf:bcd-01.1","id_raw":"BCD-01.1","tier_raw":"Controls","tier":1,"seq":82,"title":"Coordinate with Related Plans ","description":"Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans. 
\n\nMethods To Comply With SCF Controls:\n- Cybersecurity Incident Response Plan (IIRP)"} +{"source":"scf","id":"scf:bcd-01.2","id_raw":"BCD-01.2","tier_raw":"Controls","tier":1,"seq":83,"title":"Coordinate With External Service Providers","description":"Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)"} +{"source":"scf","id":"scf:bcd-01.3","id_raw":"BCD-01.3","tier_raw":"Controls","tier":1,"seq":84,"title":"Transfer to Alternate Processing / Storage Site","description":"Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan."} +{"source":"scf","id":"scf:bcd-01.4","id_raw":"BCD-01.4","tier_raw":"Controls","tier":1,"seq":85,"title":"Recovery Time / Point Objectives (RTO / RPO)","description":"Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)."} +{"source":"scf","id":"scf:bcd-02","id_raw":"BCD-02","tier_raw":"Controls","tier":1,"seq":86,"title":"Identify Critical Assets ","description":"Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.\n\nMethods To Comply With SCF Controls:\n- Business Impact Analysis (BIA)\n- Criticality assessments"} +{"source":"scf","id":"scf:bcd-02.1","id_raw":"BCD-02.1","tier_raw":"Controls","tier":1,"seq":87,"title":"Resume All Missions & Business Functions","description":"Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.\n\nMethods To Comply With SCF Controls:\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)\n- Disaster 
recovery software"} +{"source":"scf","id":"scf:bcd-02.2","id_raw":"BCD-02.2","tier_raw":"Controls","tier":1,"seq":88,"title":"Continue Essential Mission & Business Functions","description":"Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.\n\nMethods To Comply With SCF Controls:\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)"} +{"source":"scf","id":"scf:bcd-02.3","id_raw":"BCD-02.3","tier_raw":"Controls","tier":1,"seq":89,"title":"Resume Essential Missions & Business Functions ","description":"Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation. \n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Disaster Recovery Plan (DRP)\n- Continuity of Operations Plan (COOP)"} +{"source":"scf","id":"scf:bcd-02.4","id_raw":"BCD-02.4","tier_raw":"Controls","tier":1,"seq":90,"title":"Data Storage Location Reviews","description":"Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data."} +{"source":"scf","id":"scf:bcd-03","id_raw":"BCD-03","tier_raw":"Controls","tier":1,"seq":91,"title":"Contingency Training","description":"Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities. 
\n\nMethods To Comply With SCF Controls:\n- NIST NICE Framework\n- Tabletop exercises"} +{"source":"scf","id":"scf:bcd-03.1","id_raw":"BCD-03.1","tier_raw":"Controls","tier":1,"seq":92,"title":"Simulated Events","description":"Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.\n\nMethods To Comply With SCF Controls:\n- Tabletop exercises"} +{"source":"scf","id":"scf:bcd-03.2","id_raw":"BCD-03.2","tier_raw":"Controls","tier":1,"seq":93,"title":"Automated Training Environments","description":"Automated mechanisms exist to provide a more thorough and realistic contingency training environment."} +{"source":"scf","id":"scf:bcd-04","id_raw":"BCD-04","tier_raw":"Controls","tier":1,"seq":94,"title":"Contingency Plan Testing & Exercises ","description":"Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan. \n\nMethods To Comply With SCF Controls:\n- Simulated disasters / emergencies"} +{"source":"scf","id":"scf:bcd-04.1","id_raw":"BCD-04.1","tier_raw":"Controls","tier":1,"seq":95,"title":"Coordinated Testing with Related Plans ","description":"Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans. \n\nMethods To Comply With SCF Controls:\n- Playbooks\n- Enterprise-wide Continuity of Operations Plan (COOP)"} +{"source":"scf","id":"scf:bcd-04.2","id_raw":"BCD-04.2","tier_raw":"Controls","tier":1,"seq":96,"title":"Alternate Storage & Processing Sites","description":"Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations. 
"} +{"source":"scf","id":"scf:bcd-05","id_raw":"BCD-05","tier_raw":"Controls","tier":1,"seq":97,"title":"Contingency Plan Root Cause Analysis (RCA) & Lessons Learned","description":"Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)\n- Disaster Recovery Plan (DRP)\n- Business Continuity Plan (BCP)\n- Continuity of Operations Plan (COOP)"} +{"source":"scf","id":"scf:bcd-06","id_raw":"BCD-06","tier_raw":"Controls","tier":1,"seq":98,"title":"Contingency Planning & Updates","description":"Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.\n\nMethods To Comply With SCF Controls:\n- Offline / offsite documentation"} +{"source":"scf","id":"scf:bcd-07","id_raw":"BCD-07","tier_raw":"Controls","tier":1,"seq":99,"title":"Alternative Security Measures ","description":"Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised. \n\nMethods To Comply With SCF Controls:\n- Business Impact Analysis (BIA)\n- Criticality assessments"} +{"source":"scf","id":"scf:bcd-08","id_raw":"BCD-08","tier_raw":"Controls","tier":1,"seq":100,"title":"Alternate Storage Site","description":"Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information. 
\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure"} +{"source":"scf","id":"scf:bcd-08.1","id_raw":"BCD-08.1","tier_raw":"Controls","tier":1,"seq":101,"title":"Separation from Primary Site ","description":"Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure"} +{"source":"scf","id":"scf:bcd-08.2","id_raw":"BCD-08.2","tier_raw":"Controls","tier":1,"seq":102,"title":"Accessibility ","description":"Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure"} +{"source":"scf","id":"scf:bcd-09","id_raw":"BCD-09","tier_raw":"Controls","tier":1,"seq":103,"title":"Alternate Processing Site","description":"Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure"} +{"source":"scf","id":"scf:bcd-09.1","id_raw":"BCD-09.1","tier_raw":"Controls","tier":1,"seq":104,"title":"Separation from Primary Site","description":"Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.\n\nMethods To Comply With SCF Controls:\n- SunGard\n- AWS\n- Azure"} +{"source":"scf","id":"scf:bcd-09.2","id_raw":"BCD-09.2","tier_raw":"Controls","tier":1,"seq":105,"title":"Accessibility","description":"Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster.\n\nMethods To Comply With SCF Controls:\n- Business Continuity Plan (BCP)\n- Continuity of Operations Plan (COOP)"} 
+{"source":"scf","id":"scf:bcd-09.3","id_raw":"BCD-09.3","tier_raw":"Controls","tier":1,"seq":106,"title":"Alternate Site Priority of Service","description":"Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs). \n\nMethods To Comply With SCF Controls:\n- Hot / warm / cold site contracts"} +{"source":"scf","id":"scf:bcd-09.4","id_raw":"BCD-09.4","tier_raw":"Controls","tier":1,"seq":107,"title":"Preparation for Use","description":"Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site."} +{"source":"scf","id":"scf:bcd-09.5","id_raw":"BCD-09.5","tier_raw":"Controls","tier":1,"seq":108,"title":"Inability to Return to Primary Site","description":"Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site."} +{"source":"scf","id":"scf:bcd-10","id_raw":"BCD-10","tier_raw":"Controls","tier":1,"seq":109,"title":"Telecommunications Services Availability","description":"Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.\n\nMethods To Comply With SCF Controls:\n- Alternate telecommunications services are maintained with multiple ISP / network providers"} +{"source":"scf","id":"scf:bcd-10.1","id_raw":"BCD-10.1","tier_raw":"Controls","tier":1,"seq":110,"title":"Telecommunications Priority of Service Provisions","description":"Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs). 
\n\nMethods To Comply With SCF Controls:\n- Hot / warm / cold site contracts"} +{"source":"scf","id":"scf:bcd-10.2","id_raw":"BCD-10.2","tier_raw":"Controls","tier":1,"seq":111,"title":"Separation of Primary / Alternate Providers","description":"Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. "} +{"source":"scf","id":"scf:bcd-10.3","id_raw":"BCD-10.3","tier_raw":"Controls","tier":1,"seq":112,"title":"Provider Continency Plan ","description":"Mechanisms exist to contractually-require telecommunications service providers to have contingency plans that meet organizational contingency requirements."} +{"source":"scf","id":"scf:bcd-10.4","id_raw":"BCD-10.4","tier_raw":"Controls","tier":1,"seq":113,"title":"Alternate Communications Paths","description":"Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable."} +{"source":"scf","id":"scf:bcd-11","id_raw":"BCD-11","tier_raw":"Controls","tier":1,"seq":114,"title":"Data Backups","description":"Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).\n\nMethods To Comply With SCF Controls:\n- Backup technologies & procedures\n- Offline storage"} +{"source":"scf","id":"scf:bcd-11.1","id_raw":"BCD-11.1","tier_raw":"Controls","tier":1,"seq":115,"title":"Testing for Reliability & Integrity ","description":"Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as well as the integrity and availability of the data. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:bcd-11.2","id_raw":"BCD-11.2","tier_raw":"Controls","tier":1,"seq":116,"title":"Separate Storage for Critical Information ","description":"Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.\n\nMethods To Comply With SCF Controls:\n- IronMountain"} +{"source":"scf","id":"scf:bcd-11.3","id_raw":"BCD-11.3","tier_raw":"Controls","tier":1,"seq":117,"title":"Information System Imaging","description":"Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Acronis\n- Docker (https://www.docker.com/)\n- VMWare"} +{"source":"scf","id":"scf:bcd-11.4","id_raw":"BCD-11.4","tier_raw":"Controls","tier":1,"seq":118,"title":"Cryptographic Protection","description":"Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.\n\nMethods To Comply With SCF Controls:\n- Backup technologies & procedures"} +{"source":"scf","id":"scf:bcd-11.5","id_raw":"BCD-11.5","tier_raw":"Controls","tier":1,"seq":119,"title":"Test Restoration Using Sampling","description":"Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing. 
"} +{"source":"scf","id":"scf:bcd-11.6","id_raw":"BCD-11.6","tier_raw":"Controls","tier":1,"seq":120,"title":"Transfer to Alternate Storage Site","description":"Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)."} +{"source":"scf","id":"scf:bcd-11.7","id_raw":"BCD-11.7","tier_raw":"Controls","tier":1,"seq":121,"title":"Redundant Secondary System","description":"Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations."} +{"source":"scf","id":"scf:bcd-11.8","id_raw":"BCD-11.8","tier_raw":"Controls","tier":1,"seq":122,"title":"Dual Authorization For Backup Media Destruction","description":"Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data."} +{"source":"scf","id":"scf:bcd-12","id_raw":"BCD-12","tier_raw":"Controls","tier":1,"seq":123,"title":"Information System Recovery & Reconstitution","description":"Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:bcd-12.1","id_raw":"BCD-12.1","tier_raw":"Controls","tier":1,"seq":124,"title":"Transaction Recovery","description":"Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs)."} +{"source":"scf","id":"scf:bcd-12.2","id_raw":"BCD-12.2","tier_raw":"Controls","tier":1,"seq":125,"title":"Failover Capability","description":"Mechanisms exist to implement real-time or near-real-time failover capability to maintain 
availability of critical systems, applications and/or services.\n\nMethods To Comply With SCF Controls:\n- Load balancers\n- High Availability (HA) firewalls"} +{"source":"scf","id":"scf:bcd-12.3","id_raw":"BCD-12.3","tier_raw":"Controls","tier":1,"seq":126,"title":"Electronic Discovery (eDiscovery)","description":"Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions."} +{"source":"scf","id":"scf:bcd-12.4","id_raw":"BCD-12.4","tier_raw":"Controls","tier":1,"seq":127,"title":"Restore Within Time Period","description":"Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:bcd-13","id_raw":"BCD-13","tier_raw":"Controls","tier":1,"seq":128,"title":"Backup & Restoration Hardware Protection ","description":"Mechanisms exist to protect backup and restoration hardware and software."} +{"source":"scf","id":"scf:bcd-14","id_raw":"BCD-14","tier_raw":"Controls","tier":1,"seq":129,"title":"Isolated Recovery Environment","description":"Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities."} +{"source":"scf","id":"scf:bcd-15","id_raw":"BCD-15","tier_raw":"Controls","tier":1,"seq":130,"title":"Reserve Hardware","description":"Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption."} +{"source":"scf","id":"scf:cap-01","id_raw":"CAP-01","tier_raw":"Controls","tier":1,"seq":131,"title":"Capacity & Performance Management ","description":"Mechanisms exist to 
facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Resource monitoring"} +{"source":"scf","id":"scf:cap-02","id_raw":"CAP-02","tier_raw":"Controls","tier":1,"seq":132,"title":"Resource Priority","description":"Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- Resource monitoring"} +{"source":"scf","id":"scf:cap-03","id_raw":"CAP-03","tier_raw":"Controls","tier":1,"seq":133,"title":"Capacity Planning ","description":"Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations. "} +{"source":"scf","id":"scf:cap-04","id_raw":"CAP-04","tier_raw":"Controls","tier":1,"seq":134,"title":"Performance Monitoring","description":"Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services."} +{"source":"scf","id":"scf:chg-01","id_raw":"CHG-01","tier_raw":"Controls","tier":1,"seq":135,"title":"Change Management Program ","description":"Mechanisms exist to facilitate the implementation of a change management program.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- ServiceNow (https://www.servicenow.com/)\n- Remedy\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)"} 
+{"source":"scf","id":"scf:chg-02","id_raw":"CHG-02","tier_raw":"Controls","tier":1,"seq":136,"title":"Configuration Change Control ","description":"Mechanisms exist to govern the technical configuration change control processes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Change Control Board (CCB)\n- Configuration Management Database (CMDB)\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) Enterprise\n- Chef (https://www.chef.io/) (https://www.chef.io/)\n- Puppet (https://puppet.com/)\n- Solarwinds (https://www.solarwinds.com/)\n- Docker (https://www.docker.com/)\n- VisibleOps methodology \n- ITIL infrastructure library"} +{"source":"scf","id":"scf:chg-02.1","id_raw":"CHG-02.1","tier_raw":"Controls","tier":1,"seq":137,"title":"Prohibition Of Changes","description":"Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- Manual processes/workflows\n- Application whitelisting"} +{"source":"scf","id":"scf:chg-02.2","id_raw":"CHG-02.2","tier_raw":"Controls","tier":1,"seq":138,"title":"Test, Validate & Document Changes ","description":"Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- VMware\n- Docker (https://www.docker.com/)"} +{"source":"scf","id":"scf:chg-02.3","id_raw":"CHG-02.3","tier_raw":"Controls","tier":1,"seq":139,"title":"Security & Privacy Representative for Asset Lifecycle Changes","description":"Mechanisms exist to include a 
cybersecurity and/or privacy representative in the configuration change control review process.\n\nMethods To Comply With SCF Controls:\n- Change Control Board (CCB)\n- Change Advisory Board (CAB)\n- VisibleOps methodology \n- ITIL infrastructure library"} +{"source":"scf","id":"scf:chg-02.4","id_raw":"CHG-02.4","tier_raw":"Controls","tier":1,"seq":140,"title":"Automated Security Response","description":"Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:chg-02.5","id_raw":"CHG-02.5","tier_raw":"Controls","tier":1,"seq":141,"title":"Cryptographic Management","description":"Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes. "} +{"source":"scf","id":"scf:chg-03","id_raw":"CHG-03","tier_raw":"Controls","tier":1,"seq":142,"title":"Security Impact Analysis for Changes ","description":"Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.\n\nMethods To Comply With SCF Controls:\n- VisibleOps methodology \n- ITIL infrastructure library\n- Change management software"} +{"source":"scf","id":"scf:chg-04","id_raw":"CHG-04","tier_raw":"Controls","tier":1,"seq":143,"title":"Access Restriction For Change","description":"Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- Role-based permissions\n- Mandatory Access Control (MAC)\n- Application whitelisting"} +{"source":"scf","id":"scf:chg-04.1","id_raw":"CHG-04.1","tier_raw":"Controls","tier":1,"seq":144,"title":"Automated 
Access Enforcement / Auditing ","description":"Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- VisibleOps methodology \n- ITIL infrastructure library\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Manual review processes\n- Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)"} +{"source":"scf","id":"scf:chg-04.2","id_raw":"CHG-04.2","tier_raw":"Controls","tier":1,"seq":145,"title":"Signed Components ","description":"Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.\n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)\n- Patch management tools\n- OS configuration standards"} +{"source":"scf","id":"scf:chg-04.3","id_raw":"CHG-04.3","tier_raw":"Controls","tier":1,"seq":146,"title":"Dual Authorization for Change","description":"Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.\n\nMethods To Comply With SCF Controls:\n- Separation of Duties (SoD)"} +{"source":"scf","id":"scf:chg-04.4","id_raw":"CHG-04.4","tier_raw":"Controls","tier":1,"seq":147,"title":"Limit Production / Operational Privileges (Incompatible Roles)","description":"Mechanisms exist to limit operational privileges for implementing changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Separation of Duties (SoD)\n- Privileged Account Management (PAM)"} +{"source":"scf","id":"scf:chg-04.5","id_raw":"CHG-04.5","tier_raw":"Controls","tier":1,"seq":148,"title":"Library Privileges","description":"Mechanisms exist to restrict software library 
privileges to those individuals with a pertinent business need for access. \n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)"} +{"source":"scf","id":"scf:chg-05","id_raw":"CHG-05","tier_raw":"Controls","tier":1,"seq":149,"title":"Stakeholder Notification of Changes ","description":"Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes. \n\nMethods To Comply With SCF Controls:\n- Change management procedures\n- VisibleOps methodology \n- ITIL infrastructure library"} +{"source":"scf","id":"scf:chg-06","id_raw":"CHG-06","tier_raw":"Controls","tier":1,"seq":150,"title":"Security Functionality Verification","description":"Mechanisms exist to verify the functionality of security controls when anomalies are discovered.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)"} +{"source":"scf","id":"scf:chg-06.1","id_raw":"CHG-06.1","tier_raw":"Controls","tier":1,"seq":151,"title":"Report Verification Results","description":"Mechanisms exist to report the results of security and privacy function verification to appropriate organizational management.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cld-01","id_raw":"CLD-01","tier_raw":"Controls","tier":1,"seq":152,"title":"Cloud Services","description":"Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:cld-01.1","id_raw":"CLD-01.1","tier_raw":"Controls","tier":1,"seq":153,"title":"Cloud Infrastructure Onboarding","description":"Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations."} +{"source":"scf","id":"scf:cld-01.2","id_raw":"CLD-01.2","tier_raw":"Controls","tier":1,"seq":154,"title":"Cloud Infrastructure Offboarding","description":"Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations."} +{"source":"scf","id":"scf:cld-02","id_raw":"CLD-02","tier_raw":"Controls","tier":1,"seq":155,"title":"Cloud Security Architecture ","description":"Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments. 
\n\nMethods To Comply With SCF Controls:\n- Architectural review board\n- System Security Plan (SSP)\n- Security architecture roadmaps"} +{"source":"scf","id":"scf:cld-03","id_raw":"CLD-03","tier_raw":"Controls","tier":1,"seq":156,"title":"Cloud Infrastructure Security Subnet","description":"Mechanisms exist to host security-specific technologies in a dedicated subnet.\n\nMethods To Comply With SCF Controls:\n- Security management subnet"} +{"source":"scf","id":"scf:cld-04","id_raw":"CLD-04","tier_raw":"Controls","tier":1,"seq":157,"title":"Application & Program Interface (API) Security ","description":"Mechanisms exist to ensure support for secure interoperability between components.\n\nMethods To Comply With SCF Controls:\n- Use only open and published APIs"} +{"source":"scf","id":"scf:cld-05","id_raw":"CLD-05","tier_raw":"Controls","tier":1,"seq":158,"title":"Virtual Machine Images ","description":"Mechanisms exist to ensure the integrity of virtual machine images at all times. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- File Integrity Monitoring (FIM)\n- Docker (https://www.docker.com/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cld-06","id_raw":"CLD-06","tier_raw":"Controls","tier":1,"seq":159,"title":"Multi-Tenant Environments ","description":"Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.\n\nMethods To Comply With SCF Controls:\n- Security architecture review\n- Defined processes to segment at the network, application, databases layers"} +{"source":"scf","id":"scf:cld-06.1","id_raw":"CLD-06.1","tier_raw":"Controls","tier":1,"seq":160,"title":"Customer Responsibility Matrix (CRM)","description":"Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating 
assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.\n\nMethods To Comply With SCF Controls:\n- Customer Responsibility Matrix (CRM)\n- Shared Responsibility Matrix (SRM)\n- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"} +{"source":"scf","id":"scf:cld-06.2","id_raw":"CLD-06.2","tier_raw":"Controls","tier":1,"seq":161,"title":"Multi-Tenant Event Logging Capabilities","description":"Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations."} +{"source":"scf","id":"scf:cld-06.3","id_raw":"CLD-06.3","tier_raw":"Controls","tier":1,"seq":162,"title":"Multi-Tenant Forensics Capabilities","description":"Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident."} +{"source":"scf","id":"scf:cld-06.4","id_raw":"CLD-06.4","tier_raw":"Controls","tier":1,"seq":163,"title":"Multi-Tenant Incident Response Capabilities","description":"Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers."} +{"source":"scf","id":"scf:cld-07","id_raw":"CLD-07","tier_raw":"Controls","tier":1,"seq":164,"title":"Data Handling & Portability","description":"Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Security architecture review\n- Encrypted data transfers (e.g. 
TLS or VPNs)"} +{"source":"scf","id":"scf:cld-08","id_raw":"CLD-08","tier_raw":"Controls","tier":1,"seq":165,"title":"Standardized Virtualization Formats ","description":"Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Data Protection Impact Assessment (DPIA)\n- Manual review process\n- Vendor risk assessments\n- Independent vendor compliance assessments "} +{"source":"scf","id":"scf:cld-09","id_raw":"CLD-09","tier_raw":"Controls","tier":1,"seq":166,"title":"Geolocation Requirements for Processing, Storage and Service Locations","description":"Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n"} +{"source":"scf","id":"scf:cld-10","id_raw":"CLD-10","tier_raw":"Controls","tier":1,"seq":167,"title":"Sensitive Data In Public Cloud Providers","description":"Mechanisms exist to limit and manage the storage of sensitive data in public cloud providers. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Security and network architecture diagrams\n- Data Flow Diagram (DFD)"} +{"source":"scf","id":"scf:cld-11","id_raw":"CLD-11","tier_raw":"Controls","tier":1,"seq":168,"title":"Cloud Access Point (CAP)","description":"Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.\n\nMethods To Comply With SCF Controls:\n- Next Generation Firewall (NGF)\n- Web Application Firewall (WAF)\n- Network Routing / Switching\n- Intrusion Detection / Protection (IDS / IPS)\n- Data Loss Prevention (DLP)\n- Full Packet Capture"} +{"source":"scf","id":"scf:cld-12","id_raw":"CLD-12","tier_raw":"Controls","tier":1,"seq":169,"title":"Side Channel Attack Prevention","description":"Mechanisms exist to prevent \"side channel attacks\" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network."} +{"source":"scf","id":"scf:cpl-01","id_raw":"CPL-01","tier_raw":"Controls","tier":1,"seq":170,"title":"Statutory, Regulatory & Contractual Compliance ","description":"Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee"} +{"source":"scf","id":"scf:cpl-01.1","id_raw":"CPL-01.1","tier_raw":"Controls","tier":1,"seq":171,"title":"Non-Compliance Oversight","description":"Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions."} 
+{"source":"scf","id":"scf:cpl-01.2","id_raw":"CPL-01.2","tier_raw":"Controls","tier":1,"seq":172,"title":"Compliance Scope","description":"Mechanisms exist to document and validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations."} +{"source":"scf","id":"scf:cpl-02","id_raw":"CPL-02","tier_raw":"Controls","tier":1,"seq":173,"title":"Security & Privacy Controls Oversight ","description":"Mechanisms exist to provide a security & privacy controls oversight function that reports to the organization's executive leadership.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)\n- Steering committee\n- Formalized SDLC program\n- Formalized DevOps program\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)"} +{"source":"scf","id":"scf:cpl-02.1","id_raw":"CPL-02.1","tier_raw":"Controls","tier":1,"seq":174,"title":"Internal Audit Function","description":"Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes."} +{"source":"scf","id":"scf:cpl-03","id_raw":"CPL-03","tier_raw":"Controls","tier":1,"seq":175,"title":"Security Assessments ","description":"Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)"} 
+{"source":"scf","id":"scf:cpl-03.1","id_raw":"CPL-03.1","tier_raw":"Controls","tier":1,"seq":176,"title":"Independent Assessors ","description":"Mechanisms exist to utilize independent assessors to evaluate security & privacy controls at planned intervals or when the system, service or project undergoes significant changes.\n\nMethods To Comply With SCF Controls:\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)"} +{"source":"scf","id":"scf:cpl-03.2","id_raw":"CPL-03.2","tier_raw":"Controls","tier":1,"seq":177,"title":"Functional Review Of Security Controls ","description":"Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity and privacy policies and standards. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Internal audit program\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Operational review processes\n- Regular/yearly policy and standards review process\n- Governance, Risk and Compliance Solution (GRC) (ZenGRC, Archer, RSAM, Metric stream, etc.)"} +{"source":"scf","id":"scf:cpl-04","id_raw":"CPL-04","tier_raw":"Controls","tier":1,"seq":178,"title":"Audit Activities ","description":"Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.\n\nMethods To Comply With SCF Controls:\n- Internal audit program"} +{"source":"scf","id":"scf:cpl-05","id_raw":"CPL-05","tier_raw":"Controls","tier":1,"seq":179,"title":"Legal Assessment of Investigative Inquires","description":"Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary."} +{"source":"scf","id":"scf:cpl-05.1","id_raw":"CPL-05.1","tier_raw":"Controls","tier":1,"seq":180,"title":"Investigation Request 
Notifications","description":"Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution)."} +{"source":"scf","id":"scf:cpl-05.2","id_raw":"CPL-05.2","tier_raw":"Controls","tier":1,"seq":181,"title":"Investigation Access Restrictions","description":"Mechanisms exist to support official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the data and systems needed to perform the investigation."} +{"source":"scf","id":"scf:cpl-06","id_raw":"CPL-06","tier_raw":"Controls","tier":1,"seq":182,"title":"Government Surveillance","description":"Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee"} +{"source":"scf","id":"scf:cfg-01","id_raw":"CFG-01","tier_raw":"Controls","tier":1,"seq":183,"title":"Configuration Management Program","description":"Mechanisms exist to facilitate the implementation of configuration management controls.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- Configuration Management Database (CMDB)\n- Baseline hardening standards\n- Formalized DevOps program\n- Information Assurance Program (IAP)\n- Security Test & Evaluation (STE)"} +{"source":"scf","id":"scf:cfg-01.1","id_raw":"CFG-01.1","tier_raw":"Controls","tier":1,"seq":184,"title":"Assignment of Responsibility","description":"Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management 
duties.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:cfg-02","id_raw":"CFG-02","tier_raw":"Controls","tier":1,"seq":185,"title":"System Hardening Through Baseline Configurations ","description":"Mechanisms exist to develop, document and maintain secure baseline configurations for technology platform that are consistent with industry-accepted system hardening standards. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n- Center for Internet Security (CIS) Benchmarks\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.1","id_raw":"CFG-02.1","tier_raw":"Controls","tier":1,"seq":186,"title":"Reviews & Updates","description":"Mechanisms exist to review and update baseline configurations:\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)\n- Center for Internet Security (CIS) Benchmarks\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.2","id_raw":"CFG-02.2","tier_raw":"Controls","tier":1,"seq":187,"title":"Automated Central Management & Verification ","description":"Automated mechanisms exist to govern and report on baseline configurations of the systems. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.3","id_raw":"CFG-02.3","tier_raw":"Controls","tier":1,"seq":188,"title":"Retention Of Previous Configurations ","description":"Mechanisms exist to retain previous versions of baseline configuration to support roll back. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.4","id_raw":"CFG-02.4","tier_raw":"Controls","tier":1,"seq":189,"title":"Development & Test Environment Configurations","description":"Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.5","id_raw":"CFG-02.5","tier_raw":"Controls","tier":1,"seq":190,"title":"Configure Systems, Components or Services for High-Risk Areas ","description":"Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.6","id_raw":"CFG-02.6","tier_raw":"Controls","tier":1,"seq":191,"title":"Network Device Configuration File Synchronization","description":"Mechanisms exist to configure network devices to synchronize startup and running configuration files. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.7","id_raw":"CFG-02.7","tier_raw":"Controls","tier":1,"seq":192,"title":"Approved Configuration Deviations ","description":"Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.8","id_raw":"CFG-02.8","tier_raw":"Controls","tier":1,"seq":193,"title":"Respond To Unauthorized Changes ","description":"Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Service Level Agreements (SLAs)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-02.9","id_raw":"CFG-02.9","tier_raw":"Controls","tier":1,"seq":194,"title":"Baseline Tailoring","description":"Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to:\n\nMethods To Comply With SCF Controls:\n- DISA STIGs\n- CIS Benchmarks"} +{"source":"scf","id":"scf:cfg-03","id_raw":"CFG-03","tier_raw":"Controls","tier":1,"seq":195,"title":"Least Functionality","description":"Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-03.1","id_raw":"CFG-03.1","tier_raw":"Controls","tier":1,"seq":196,"title":"Periodic Review","description":"Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-03.2","id_raw":"CFG-03.2","tier_raw":"Controls","tier":1,"seq":197,"title":"Prevent Unauthorized Software Execution","description":"Mechanisms exist to configure systems to prevent the execution of unauthorized software programs. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-03.3","id_raw":"CFG-03.3","tier_raw":"Controls","tier":1,"seq":198,"title":"Unauthorized or Authorized Software (Blacklisting or Whitelisting)","description":"Mechanisms exist to whitelist or blacklist applications in an order to limit what is authorized to execute on systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-03.4","id_raw":"CFG-03.4","tier_raw":"Controls","tier":1,"seq":199,"title":"Split Tunneling","description":"Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data."} +{"source":"scf","id":"scf:cfg-04","id_raw":"CFG-04","tier_raw":"Controls","tier":1,"seq":200,"title":"Software Usage Restrictions ","description":"Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright 
laws."} +{"source":"scf","id":"scf:cfg-04.1","id_raw":"CFG-04.1","tier_raw":"Controls","tier":1,"seq":201,"title":"Open Source Software","description":"Mechanisms exist to establish parameters for the secure use of open source software. \n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)"} +{"source":"scf","id":"scf:cfg-04.2","id_raw":"CFG-04.2","tier_raw":"Controls","tier":1,"seq":202,"title":"Unsupported Internet Browsers & Email Clients ","description":"Mechanisms exist to allow only approved Internet browsers and email clients to run on systems."} +{"source":"scf","id":"scf:cfg-05","id_raw":"CFG-05","tier_raw":"Controls","tier":1,"seq":203,"title":"User-Installed Software","description":"Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.\n\nMethods To Comply With SCF Controls:\n- Privileged Account Management (PAM)"} +{"source":"scf","id":"scf:cfg-05.1","id_raw":"CFG-05.1","tier_raw":"Controls","tier":1,"seq":204,"title":"Unauthorized Installation Alerts","description":"Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:cfg-05.2","id_raw":"CFG-05.2","tier_raw":"Controls","tier":1,"seq":205,"title":"Restrict Roles Permitted To Install Software","description":"Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service."} +{"source":"scf","id":"scf:cfg-06","id_raw":"CFG-06","tier_raw":"Controls","tier":1,"seq":206,"title":"Configuration Enforcement","description":"Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices."} +{"source":"scf","id":"scf:cfg-07","id_raw":"CFG-07","tier_raw":"Controls","tier":1,"seq":207,"title":"Zero-Touch Provisioning (ZTP)","description":"Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network."} +{"source":"scf","id":"scf:cfg-08","id_raw":"CFG-08","tier_raw":"Controls","tier":1,"seq":208,"title":"Sensitive / Regulated Data Access Enforcement","description":"Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data."} +{"source":"scf","id":"scf:cfg-08.1","id_raw":"CFG-08.1","tier_raw":"Controls","tier":1,"seq":209,"title":"Sensitive / Regulated Data Actions","description":"Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived."} +{"source":"scf","id":"scf:mon-01","id_raw":"MON-01","tier_raw":"Controls","tier":1,"seq":210,"title":"Continuous Monitoring","description":"Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.\n\nMethods To Comply With SCF Controls:\n- Splunk\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker 
(https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.1","id_raw":"MON-01.1","tier_raw":"Controls","tier":1,"seq":211,"title":"Intrusion Detection & Prevention Systems (IDS & IPS)","description":"Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.2","id_raw":"MON-01.2","tier_raw":"Controls","tier":1,"seq":212,"title":"Automated Tools for Real-Time Analysis ","description":"Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.3","id_raw":"MON-01.3","tier_raw":"Controls","tier":1,"seq":213,"title":"Inbound & Outbound Communications Traffic ","description":"Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.4","id_raw":"MON-01.4","tier_raw":"Controls","tier":1,"seq":214,"title":"System Generated Alerts ","description":"Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.5","id_raw":"MON-01.5","tier_raw":"Controls","tier":1,"seq":215,"title":"Wireless Intrusion Detection System (WIDS)","description":"Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.6","id_raw":"MON-01.6","tier_raw":"Controls","tier":1,"seq":216,"title":"Host-Based Devices ","description":"Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.7","id_raw":"MON-01.7","tier_raw":"Controls","tier":1,"seq":217,"title":"File Integrity Monitoring (FIM)","description":"Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.8","id_raw":"MON-01.8","tier_raw":"Controls","tier":1,"seq":218,"title":"Reviews & Updates ","description":"Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-01.9","id_raw":"MON-01.9","tier_raw":"Controls","tier":1,"seq":219,"title":"Proxy Logging ","description":"Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.10","id_raw":"MON-01.10","tier_raw":"Controls","tier":1,"seq":220,"title":"Deactivated Account Activity ","description":"Mechanisms exist to monitor deactivated accounts for attempted usage.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-01.11","id_raw":"MON-01.11","tier_raw":"Controls","tier":1,"seq":221,"title":"Automated Response to Suspicious Events","description":"Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications."} +{"source":"scf","id":"scf:mon-01.12","id_raw":"MON-01.12","tier_raw":"Controls","tier":1,"seq":222,"title":"Automated Alerts","description":"Mechanisms exist to automatically alert incident response personnel to inappropriate or 
anomalous activities that have potential security incident implications."} +{"source":"scf","id":"scf:mon-01.13","id_raw":"MON-01.13","tier_raw":"Controls","tier":1,"seq":223,"title":"Alert Threshold Tuning","description":"Mechanisms exist to \"tune\" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events."} +{"source":"scf","id":"scf:mon-01.14","id_raw":"MON-01.14","tier_raw":"Controls","tier":1,"seq":224,"title":"Individuals Posing Greater Risk","description":"Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk. "} +{"source":"scf","id":"scf:mon-01.15","id_raw":"MON-01.15","tier_raw":"Controls","tier":1,"seq":225,"title":"Privileged User Oversight","description":"Mechanisms exist to implement enhanced activity monitoring for privileged users."} +{"source":"scf","id":"scf:mon-01.16","id_raw":"MON-01.16","tier_raw":"Controls","tier":1,"seq":226,"title":"Analyze and Prioritize Monitoring Requirements","description":"Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes."} +{"source":"scf","id":"scf:mon-01.17","id_raw":"MON-01.17","tier_raw":"Controls","tier":1,"seq":227,"title":"Real-Time Session Monitoring","description":"Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations."} +{"source":"scf","id":"scf:mon-02","id_raw":"MON-02","tier_raw":"Controls","tier":1,"seq":228,"title":"Centralized Collection of Security Event Logs","description":"Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to 
support the centralized collection of security-related event logs.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-02.1","id_raw":"MON-02.1","tier_raw":"Controls","tier":1,"seq":229,"title":"Correlate Monitoring Information","description":"Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-02.2","id_raw":"MON-02.2","tier_raw":"Controls","tier":1,"seq":230,"title":"Central Review & Analysis","description":"Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-02.3","id_raw":"MON-02.3","tier_raw":"Controls","tier":1,"seq":231,"title":"Integration of Scanning & Other Monitoring Information","description":"Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity."} +{"source":"scf","id":"scf:mon-02.4","id_raw":"MON-02.4","tier_raw":"Controls","tier":1,"seq":232,"title":"Correlation with Physical Monitoring","description":"Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity. 
"} +{"source":"scf","id":"scf:mon-02.5","id_raw":"MON-02.5","tier_raw":"Controls","tier":1,"seq":233,"title":"Permitted Actions","description":"Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information. "} +{"source":"scf","id":"scf:mon-02.6","id_raw":"MON-02.6","tier_raw":"Controls","tier":1,"seq":234,"title":"Audit Level Adjustments","description":"Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence. "} +{"source":"scf","id":"scf:mon-02.7","id_raw":"MON-02.7","tier_raw":"Controls","tier":1,"seq":235,"title":"System-Wide / Time-Correlated Audit Trail","description":"Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated."} +{"source":"scf","id":"scf:mon-02.8","id_raw":"MON-02.8","tier_raw":"Controls","tier":1,"seq":236,"title":"Changes by Authorized Individuals","description":"Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-03","id_raw":"MON-03","tier_raw":"Controls","tier":1,"seq":237,"title":"Content of Audit Records ","description":"Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum:\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-03.1","id_raw":"MON-03.1","tier_raw":"Controls","tier":1,"seq":238,"title":"Sensitive Audit Information","description":"Mechanisms exist to protect sensitive data contained in log files. 
"} +{"source":"scf","id":"scf:mon-03.2","id_raw":"MON-03.2","tier_raw":"Controls","tier":1,"seq":239,"title":"Audit Trails","description":"Mechanisms exist to link system access to individual users or service accounts."} +{"source":"scf","id":"scf:mon-03.3","id_raw":"MON-03.3","tier_raw":"Controls","tier":1,"seq":240,"title":"Privileged Functions Logging ","description":"Mechanisms exist to log and review the actions of users and/or services with elevated privileges.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-03.4","id_raw":"MON-03.4","tier_raw":"Controls","tier":1,"seq":241,"title":"Verbosity Logging for Boundary Devices ","description":"Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies."} +{"source":"scf","id":"scf:mon-03.5","id_raw":"MON-03.5","tier_raw":"Controls","tier":1,"seq":242,"title":"Limit Personal Data (PD) In Audit Records","description":"Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the privacy risk assessment.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:mon-03.6","id_raw":"MON-03.6","tier_raw":"Controls","tier":1,"seq":243,"title":"Centralized Management of Planned Audit Record Content","description":"Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components. 
"} +{"source":"scf","id":"scf:mon-03.7","id_raw":"MON-03.7","tier_raw":"Controls","tier":1,"seq":244,"title":"Database Logging","description":"Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities."} +{"source":"scf","id":"scf:mon-04","id_raw":"MON-04","tier_raw":"Controls","tier":1,"seq":245,"title":"Event Log Storage Capacity ","description":"Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded. "} +{"source":"scf","id":"scf:mon-05","id_raw":"MON-05","tier_raw":"Controls","tier":1,"seq":246,"title":"Response To Event Log Processing Failures","description":"Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-05.1","id_raw":"MON-05.1","tier_raw":"Controls","tier":1,"seq":247,"title":"Real-Time Alerts of Event Logging Failure","description":"Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-05.2","id_raw":"MON-05.2","tier_raw":"Controls","tier":1,"seq":248,"title":"Event Log Storage Capacity Alerting ","description":"Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity."} +{"source":"scf","id":"scf:mon-06","id_raw":"MON-06","tier_raw":"Controls","tier":1,"seq":249,"title":"Monitoring Reporting ","description":"Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-06.1","id_raw":"MON-06.1","tier_raw":"Controls","tier":1,"seq":250,"title":"Query Parameter Audits of Personal Data (PD)","description":"Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD)."} +{"source":"scf","id":"scf:mon-06.2","id_raw":"MON-06.2","tier_raw":"Controls","tier":1,"seq":251,"title":"Trend Analysis Reporting","description":"Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data."} +{"source":"scf","id":"scf:mon-07","id_raw":"MON-07","tier_raw":"Controls","tier":1,"seq":252,"title":"Time Stamps ","description":"Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event 
logs. "} +{"source":"scf","id":"scf:mon-07.1","id_raw":"MON-07.1","tier_raw":"Controls","tier":1,"seq":253,"title":"Synchronization With Authoritative Time Source","description":"Mechanisms exist to synchronize internal system clocks with an authoritative time source. \n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)"} +{"source":"scf","id":"scf:mon-08","id_raw":"MON-08","tier_raw":"Controls","tier":1,"seq":254,"title":"Protection of Event Logs ","description":"Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-08.1","id_raw":"MON-08.1","tier_raw":"Controls","tier":1,"seq":255,"title":"Event Log Backup on Separate Physical Systems / Components ","description":"Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-08.2","id_raw":"MON-08.2","tier_raw":"Controls","tier":1,"seq":256,"title":"Access by Subset of Privileged Users ","description":"Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.\n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)\n- Splunk"} +{"source":"scf","id":"scf:mon-08.3","id_raw":"MON-08.3","tier_raw":"Controls","tier":1,"seq":257,"title":"Cryptographic Protection of Event Log Information","description":"Cryptographic mechanisms exist to protect the integrity of event logs and audit tools. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-08.4","id_raw":"MON-08.4","tier_raw":"Controls","tier":1,"seq":258,"title":"Dual Authorization for Event Log Movement","description":"Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs."} +{"source":"scf","id":"scf:mon-09","id_raw":"MON-09","tier_raw":"Controls","tier":1,"seq":259,"title":"Non-Repudiation","description":"Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-09.1","id_raw":"MON-09.1","tier_raw":"Controls","tier":1,"seq":260,"title":"Identity Binding","description":"Mechanisms exist to bind the identity of the information producer to the information generated."} +{"source":"scf","id":"scf:mon-10","id_raw":"MON-10","tier_raw":"Controls","tier":1,"seq":261,"title":"Event Log Retention","description":"Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-11","id_raw":"MON-11","tier_raw":"Controls","tier":1,"seq":262,"title":"Monitoring For Information Disclosure","description":"Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information. 
\n\nMethods To Comply With SCF Controls:\n- Content filtering solution\n- Review of social media outlets"} +{"source":"scf","id":"scf:mon-11.1","id_raw":"MON-11.1","tier_raw":"Controls","tier":1,"seq":263,"title":"Analyze Traffic for Covert Exfiltration","description":"Automated mechanisms exist to analyze network traffic to detect covert data exfiltration."} +{"source":"scf","id":"scf:mon-11.2","id_raw":"MON-11.2","tier_raw":"Controls","tier":1,"seq":264,"title":"Unauthorized Network Services","description":"Automated mechanisms exist to detect unauthorized network services and alert incident response personnel. "} +{"source":"scf","id":"scf:mon-11.3","id_raw":"MON-11.3","tier_raw":"Controls","tier":1,"seq":265,"title":"Monitoring for Indicators of Compromise (IOC)","description":"Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC). \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:mon-12","id_raw":"MON-12","tier_raw":"Controls","tier":1,"seq":266,"title":"Session Audit ","description":"Mechanisms exist to provide session audit capabilities that can: \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-13","id_raw":"MON-13","tier_raw":"Controls","tier":1,"seq":267,"title":"Alternate Event Logging Capability ","description":"Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-14","id_raw":"MON-14","tier_raw":"Controls","tier":1,"seq":268,"title":"Cross-Organizational Monitoring ","description":"Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs 
are shared across organizational boundaries, without giving away sensitive or critical business data."} +{"source":"scf","id":"scf:mon-14.1","id_raw":"MON-14.1","tier_raw":"Controls","tier":1,"seq":269,"title":"Sharing of Event Logs","description":"Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.\n\nMethods To Comply With SCF Controls:\n- Veris (incident sharing) (http://veriscommunity.net)"} +{"source":"scf","id":"scf:mon-15","id_raw":"MON-15","tier_raw":"Controls","tier":1,"seq":270,"title":"Covert Channel Analysis ","description":"Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels."} +{"source":"scf","id":"scf:mon-16","id_raw":"MON-16","tier_raw":"Controls","tier":1,"seq":271,"title":"Anomalous Behavior","description":"Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-16.1","id_raw":"MON-16.1","tier_raw":"Controls","tier":1,"seq":272,"title":"Insider Threats","description":"Mechanisms exist to monitor internal personnel activity for potential security incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-16.2","id_raw":"MON-16.2","tier_raw":"Controls","tier":1,"seq":273,"title":"Third-Party Threats","description":"Mechanisms exist to monitor third-party personnel activity for potential security incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} 
+{"source":"scf","id":"scf:mon-16.3","id_raw":"MON-16.3","tier_raw":"Controls","tier":1,"seq":274,"title":"Unauthorized Activities","description":"Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:mon-16.4","id_raw":"MON-16.4","tier_raw":"Controls","tier":1,"seq":275,"title":"Account Creation and Modification Logging","description":"Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups."} +{"source":"scf","id":"scf:cry-01","id_raw":"CRY-01","tier_raw":"Controls","tier":1,"seq":276,"title":"Use of Cryptographic Controls ","description":"Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.\n\nMethods To Comply With SCF Controls:\n- Key and certificate management solutions\n- Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006)\n- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)\n- Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)"} +{"source":"scf","id":"scf:cry-01.1","id_raw":"CRY-01.1","tier_raw":"Controls","tier":1,"seq":277,"title":"Alternate Physical Protection ","description":"Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards. 
"} +{"source":"scf","id":"scf:cry-01.2","id_raw":"CRY-01.2","tier_raw":"Controls","tier":1,"seq":278,"title":"Export-Controlled Technology","description":"Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements."} +{"source":"scf","id":"scf:cry-01.3","id_raw":"CRY-01.3","tier_raw":"Controls","tier":1,"seq":279,"title":"Pre/Post Transmission Handling","description":"Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception."} +{"source":"scf","id":"scf:cry-01.4","id_raw":"CRY-01.4","tier_raw":"Controls","tier":1,"seq":280,"title":"Conceal / Randomize Communications","description":"Cryptographic mechanisms exist to conceal or randomize communication patterns."} +{"source":"scf","id":"scf:cry-01.5","id_raw":"CRY-01.5","tier_raw":"Controls","tier":1,"seq":281,"title":"Cryptographic Cipher Suites and Protocols Inventory","description":"Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols."} +{"source":"scf","id":"scf:cry-02","id_raw":"CRY-02","tier_raw":"Controls","tier":1,"seq":282,"title":"Cryptographic Module Authentication","description":"Automated mechanisms exist to enable systems to authenticate to a cryptographic module.\n\nMethods To Comply With SCF Controls:\n- Yubico (https://www.yubico.com)"} +{"source":"scf","id":"scf:cry-03","id_raw":"CRY-03","tier_raw":"Controls","tier":1,"seq":283,"title":"Transmission Confidentiality ","description":"Cryptographic mechanisms exist to protect the confidentiality of data being transmitted. 
\n\nMethods To Comply With SCF Controls:\n- SSL / TLS protocols\n- IPSEC Tunnels\n- Native MPLS encrypted tunnel configurations\n- Custom encrypted payloads"} +{"source":"scf","id":"scf:cry-04","id_raw":"CRY-04","tier_raw":"Controls","tier":1,"seq":284,"title":"Transmission Integrity ","description":"Cryptographic mechanisms exist to protect the integrity of data being transmitted. "} +{"source":"scf","id":"scf:cry-05","id_raw":"CRY-05","tier_raw":"Controls","tier":1,"seq":285,"title":"Encrypting Data At Rest ","description":"Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest. \n\nMethods To Comply With SCF Controls:\n- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)"} +{"source":"scf","id":"scf:cry-05.1","id_raw":"CRY-05.1","tier_raw":"Controls","tier":1,"seq":286,"title":"Storage Media","description":"Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive data residing on storage media.\n\nMethods To Comply With SCF Controls:\n- Native Storage Area Network (SAN) encryption functionality\n- BitLocker and EFS"} +{"source":"scf","id":"scf:cry-05.2","id_raw":"CRY-05.2","tier_raw":"Controls","tier":1,"seq":287,"title":"Offline Storage","description":"Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements."} +{"source":"scf","id":"scf:cry-05.3","id_raw":"CRY-05.3","tier_raw":"Controls","tier":1,"seq":288,"title":"Database Encryption","description":"Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases."} +{"source":"scf","id":"scf:cry-06","id_raw":"CRY-06","tier_raw":"Controls","tier":1,"seq":289,"title":"Non-Console Administrative Access","description":"Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access."} 
+{"source":"scf","id":"scf:cry-07","id_raw":"CRY-07","tier_raw":"Controls","tier":1,"seq":290,"title":"Wireless Access Authentication & Encryption ","description":"Mechanisms exist to protect wireless access via secure authentication and encryption."} +{"source":"scf","id":"scf:cry-08","id_raw":"CRY-08","tier_raw":"Controls","tier":1,"seq":291,"title":"Public Key Infrastructure (PKI) ","description":"Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider. \n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD) Certificate Services\n- Digitcert (https://www.digicert.com)\n- Entrust (https://www.entrust.com)\n- Comodo (https://www.comodo.com)\n- Vault (https://www.vaultproject.io/)"} +{"source":"scf","id":"scf:cry-08.1","id_raw":"CRY-08.1","tier_raw":"Controls","tier":1,"seq":292,"title":"Availability","description":"Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys."} +{"source":"scf","id":"scf:cry-09","id_raw":"CRY-09","tier_raw":"Controls","tier":1,"seq":293,"title":"Cryptographic Key Management ","description":"Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.\n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD) Certificate Services\n- Digitcert (https://www.digicert.com)\n- Entrust (https://www.entrust.com)\n- Comodo (https://www.comodo.com)\n- Vault (https://www.vaultproject.io/)"} +{"source":"scf","id":"scf:cry-09.1","id_raw":"CRY-09.1","tier_raw":"Controls","tier":1,"seq":294,"title":"Symmetric Keys","description":"Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes. 
"} +{"source":"scf","id":"scf:cry-09.2","id_raw":"CRY-09.2","tier_raw":"Controls","tier":1,"seq":295,"title":"Asymmetric Keys","description":"Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key. "} +{"source":"scf","id":"scf:cry-09.3","id_raw":"CRY-09.3","tier_raw":"Controls","tier":1,"seq":296,"title":"Cryptographic Key Loss or Change","description":"Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users. \n\nMethods To Comply With SCF Controls:\n- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. "} +{"source":"scf","id":"scf:cry-09.4","id_raw":"CRY-09.4","tier_raw":"Controls","tier":1,"seq":297,"title":"Control & Distribution of Cryptographic Keys","description":"Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes. "} +{"source":"scf","id":"scf:cry-09.5","id_raw":"CRY-09.5","tier_raw":"Controls","tier":1,"seq":298,"title":"Assigned Owners ","description":"Mechanisms exist to ensure cryptographic keys are bound to individual identities. 
"} +{"source":"scf","id":"scf:cry-09.6","id_raw":"CRY-09.6","tier_raw":"Controls","tier":1,"seq":299,"title":"Third-Party Cryptographic Keys","description":"Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared."} +{"source":"scf","id":"scf:cry-09.7","id_raw":"CRY-09.7","tier_raw":"Controls","tier":1,"seq":300,"title":"External System Cryptographic Key Control","description":"Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system."} +{"source":"scf","id":"scf:cry-10","id_raw":"CRY-10","tier_raw":"Controls","tier":1,"seq":301,"title":"Transmission of Security & Privacy Attributes ","description":"Mechanisms exist to ensure systems associate security attributes with information exchanged between systems. \n\nMethods To Comply With SCF Controls:\n- Integrity checking"} +{"source":"scf","id":"scf:cry-11","id_raw":"CRY-11","tier_raw":"Controls","tier":1,"seq":302,"title":"Certificate Authorities","description":"Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions."} +{"source":"scf","id":"scf:dch-01","id_raw":"DCH-01","tier_raw":"Controls","tier":1,"seq":303,"title":"Data Protection ","description":"Mechanisms exist to facilitate the implementation of data protection controls. "} +{"source":"scf","id":"scf:dch-01.1","id_raw":"DCH-01.1","tier_raw":"Controls","tier":1,"seq":304,"title":"Data Stewardship ","description":"Mechanisms exist to ensure data stewardship is assigned, documented and communicated. 
"} +{"source":"scf","id":"scf:dch-01.2","id_raw":"DCH-01.2","tier_raw":"Controls","tier":1,"seq":305,"title":"Sensitive / Regulated Data Protection","description":"Mechanisms exist to protect sensitive/regulated data wherever it is stored."} +{"source":"scf","id":"scf:dch-01.3","id_raw":"DCH-01.3","tier_raw":"Controls","tier":1,"seq":306,"title":"Sensitive / Regulated Media Records","description":"Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident."} +{"source":"scf","id":"scf:dch-02","id_raw":"DCH-02","tier_raw":"Controls","tier":1,"seq":307,"title":"Data & Asset Classification ","description":"Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements. "} +{"source":"scf","id":"scf:dch-02.1","id_raw":"DCH-02.1","tier_raw":"Controls","tier":1,"seq":308,"title":"Highest Classification Level","description":"Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed."} +{"source":"scf","id":"scf:dch-03","id_raw":"DCH-03","tier_raw":"Controls","tier":1,"seq":309,"title":"Media Access ","description":"Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals. 
\n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)"} +{"source":"scf","id":"scf:dch-03.1","id_raw":"DCH-03.1","tier_raw":"Controls","tier":1,"seq":310,"title":"Disclosure of Information","description":"Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know."} +{"source":"scf","id":"scf:dch-03.2","id_raw":"DCH-03.2","tier_raw":"Controls","tier":1,"seq":311,"title":"Masking Displayed Data ","description":"Mechanisms exist to apply data masking to sensitive information that is displayed or printed. "} +{"source":"scf","id":"scf:dch-03.3","id_raw":"DCH-03.3","tier_raw":"Controls","tier":1,"seq":312,"title":"Controlled Release","description":"Automated mechanisms exist to validate security and privacy attributes prior to releasing information to external systems."} +{"source":"scf","id":"scf:dch-04","id_raw":"DCH-04","tier_raw":"Controls","tier":1,"seq":313,"title":"Media Marking ","description":"Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. "} +{"source":"scf","id":"scf:dch-04.1","id_raw":"DCH-04.1","tier_raw":"Controls","tier":1,"seq":314,"title":"Automated Marking","description":"Automated mechanisms exist to mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aide Data Loss Prevention (DLP) technologies. 
"} +{"source":"scf","id":"scf:dch-05","id_raw":"DCH-05","tier_raw":"Controls","tier":1,"seq":315,"title":"Security & Privacy Attributes","description":"Mechanisms exist to bind security attributes to information as it is stored, transmitted and processed."} +{"source":"scf","id":"scf:dch-05.1","id_raw":"DCH-05.1","tier_raw":"Controls","tier":1,"seq":316,"title":"Dynamic Attribute Association","description":"Mechanisms exist to dynamically associate security and privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and privacy policies."} +{"source":"scf","id":"scf:dch-05.2","id_raw":"DCH-05.2","tier_raw":"Controls","tier":1,"seq":317,"title":"Attribute Value Changes By Authorized Individuals","description":"Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes."} +{"source":"scf","id":"scf:dch-05.3","id_raw":"DCH-05.3","tier_raw":"Controls","tier":1,"seq":318,"title":"Maintenance of Attribute Associations By System","description":"Mechanisms exist to maintain the association and integrity of security and privacy attributes to individuals and objects."} +{"source":"scf","id":"scf:dch-05.4","id_raw":"DCH-05.4","tier_raw":"Controls","tier":1,"seq":319,"title":"Association of Attributes By Authorized Individuals","description":"Mechanisms exist to provide the capability to associate security and privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals)."} +{"source":"scf","id":"scf:dch-05.5","id_raw":"DCH-05.5","tier_raw":"Controls","tier":1,"seq":320,"title":"Attribute Displays for Output Devices","description":"Mechanisms exist to display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify special 
dissemination, handling or distribution instructions using human-readable, standard naming conventions."} +{"source":"scf","id":"scf:dch-05.6","id_raw":"DCH-05.6","tier_raw":"Controls","tier":1,"seq":321,"title":"Data Subject Attribute Associations","description":"Mechanisms exist to require personnel to associate and maintain the association of security and privacy attributes with individuals and objects in accordance with security and privacy policies."} +{"source":"scf","id":"scf:dch-05.7","id_raw":"DCH-05.7","tier_raw":"Controls","tier":1,"seq":322,"title":"Consistent Attribute Interpretation","description":"Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components."} +{"source":"scf","id":"scf:dch-05.8","id_raw":"DCH-05.8","tier_raw":"Controls","tier":1,"seq":323,"title":"Identity Association Techniques & Technologies","description":"Mechanisms exist to associate security and privacy attributes to information."} +{"source":"scf","id":"scf:dch-05.9","id_raw":"DCH-05.9","tier_raw":"Controls","tier":1,"seq":324,"title":"Attribute Reassignment","description":"Mechanisms exist to reclassify data as required, due to changing business/technical requirements."} +{"source":"scf","id":"scf:dch-05.10","id_raw":"DCH-05.10","tier_raw":"Controls","tier":1,"seq":325,"title":"Attribute Configuration By Authorized Individuals","description":"Mechanisms exist to provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects."} +{"source":"scf","id":"scf:dch-05.11","id_raw":"DCH-05.11","tier_raw":"Controls","tier":1,"seq":326,"title":"Audit Changes","description":"Mechanisms exist to audit changes to security and privacy attributes and responds to events in accordance with incident response 
procedures.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:dch-06","id_raw":"DCH-06","tier_raw":"Controls","tier":1,"seq":327,"title":"Media Storage","description":"Mechanisms exist to: "} +{"source":"scf","id":"scf:dch-06.1","id_raw":"DCH-06.1","tier_raw":"Controls","tier":1,"seq":328,"title":"Physically Secure All Media","description":"Mechanisms exist to physically secure all media that contains sensitive information.\n\nMethods To Comply With SCF Controls:\n- Lockbox"} +{"source":"scf","id":"scf:dch-06.2","id_raw":"DCH-06.2","tier_raw":"Controls","tier":1,"seq":329,"title":"Sensitive Data Inventories","description":"Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually. "} +{"source":"scf","id":"scf:dch-06.3","id_raw":"DCH-06.3","tier_raw":"Controls","tier":1,"seq":330,"title":"Periodic Scans for Sensitive Data","description":"Mechanisms exist to periodically scan unstructured data sources for sensitive data or data requiring special protection measures by statutory, regulatory or contractual obligations. "} +{"source":"scf","id":"scf:dch-06.4","id_raw":"DCH-06.4","tier_raw":"Controls","tier":1,"seq":331,"title":"Making Sensitive Data Unreadable In Storage","description":"Mechanisms exist to ensure sensitive data is rendered human unreadable anywhere sensitive data is stored. "} +{"source":"scf","id":"scf:dch-06.5","id_raw":"DCH-06.5","tier_raw":"Controls","tier":1,"seq":332,"title":"Storing Authentication Data","description":"Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization. 
"} +{"source":"scf","id":"scf:dch-07","id_raw":"DCH-07","tier_raw":"Controls","tier":1,"seq":333,"title":"Media Transportation ","description":"Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.\n\nMethods To Comply With SCF Controls:\n- Assigned couriers"} +{"source":"scf","id":"scf:dch-07.1","id_raw":"DCH-07.1","tier_raw":"Controls","tier":1,"seq":334,"title":"Custodians","description":"Mechanisms exist to identify custodians throughout the transport of digital or non-digital media. \n\nMethods To Comply With SCF Controls:\n- Chain of custody"} +{"source":"scf","id":"scf:dch-07.2","id_raw":"DCH-07.2","tier_raw":"Controls","tier":1,"seq":335,"title":"Encrypting Data In Storage Media","description":"Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."} +{"source":"scf","id":"scf:dch-08","id_raw":"DCH-08","tier_raw":"Controls","tier":1,"seq":336,"title":"Physical Media Disposal","description":"Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures. \n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain\n- DoD-strength data erasers"} +{"source":"scf","id":"scf:dch-09","id_raw":"DCH-09","tier_raw":"Controls","tier":1,"seq":337,"title":"Digital Media Sanitization","description":"Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse."} +{"source":"scf","id":"scf:dch-09.1","id_raw":"DCH-09.1","tier_raw":"Controls","tier":1,"seq":338,"title":"Media Sanitization Documentation","description":"Mechanisms exist to supervise, track, document and verify media sanitization and disposal actions. 
\n\nMethods To Comply With SCF Controls:\n- Certificate of destruction"} +{"source":"scf","id":"scf:dch-09.2","id_raw":"DCH-09.2","tier_raw":"Controls","tier":1,"seq":339,"title":"Equipment Testing","description":"Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved. "} +{"source":"scf","id":"scf:dch-09.3","id_raw":"DCH-09.3","tier_raw":"Controls","tier":1,"seq":340,"title":"Sanitization of Personal Data (PD)","description":"Mechanisms exist to facilitate the sanitization of Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- De-identifying PI"} +{"source":"scf","id":"scf:dch-09.4","id_raw":"DCH-09.4","tier_raw":"Controls","tier":1,"seq":341,"title":"First Time Use Sanitization","description":"Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use."} +{"source":"scf","id":"scf:dch-09.5","id_raw":"DCH-09.5","tier_raw":"Controls","tier":1,"seq":342,"title":"Dual Authorization for Sensitive Data Destruction","description":"Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data."} +{"source":"scf","id":"scf:dch-10","id_raw":"DCH-10","tier_raw":"Controls","tier":1,"seq":343,"title":"Media Use","description":"Mechanisms exist to restrict the use of types of digital media on systems or system components. "} +{"source":"scf","id":"scf:dch-10.1","id_raw":"DCH-10.1","tier_raw":"Controls","tier":1,"seq":344,"title":"Limitations on Use ","description":"Mechanisms exist to restrict the use and distribution of sensitive / regulated data. 
"} +{"source":"scf","id":"scf:dch-10.2","id_raw":"DCH-10.2","tier_raw":"Controls","tier":1,"seq":345,"title":"Prohibit Use Without Owner","description":"Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner."} +{"source":"scf","id":"scf:dch-11","id_raw":"DCH-11","tier_raw":"Controls","tier":1,"seq":346,"title":"Data Reclassification ","description":"Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information."} +{"source":"scf","id":"scf:dch-12","id_raw":"DCH-12","tier_raw":"Controls","tier":1,"seq":347,"title":"Removable Media Security","description":"Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters."} +{"source":"scf","id":"scf:dch-13","id_raw":"DCH-13","tier_raw":"Controls","tier":1,"seq":348,"title":"Use of External Information Systems ","description":"Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data. "} +{"source":"scf","id":"scf:dch-13.1","id_raw":"DCH-13.1","tier_raw":"Controls","tier":1,"seq":349,"title":"Limits of Authorized Use ","description":"Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: "} +{"source":"scf","id":"scf:dch-13.2","id_raw":"DCH-13.2","tier_raw":"Controls","tier":1,"seq":350,"title":"Portable Storage Devices","description":"Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems. 
"} +{"source":"scf","id":"scf:dch-13.3","id_raw":"DCH-13.3","tier_raw":"Controls","tier":1,"seq":351,"title":"Protecting Sensitive Data on External Systems","description":"Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.\n\nMethods To Comply With SCF Controls:\n- NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)"} +{"source":"scf","id":"scf:dch-13.4","id_raw":"DCH-13.4","tier_raw":"Controls","tier":1,"seq":352,"title":"Non-Organizationally Owned Systems / Components / Devices","description":"Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information."} +{"source":"scf","id":"scf:dch-14","id_raw":"DCH-14","tier_raw":"Controls","tier":1,"seq":353,"title":"Information Sharing ","description":"Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.\n\nMethods To Comply With SCF Controls:\n- ShareFile\n- SmartVault\n- Veris (incident sharing) (http://veriscommunity.net)"} +{"source":"scf","id":"scf:dch-14.1","id_raw":"DCH-14.1","tier_raw":"Controls","tier":1,"seq":354,"title":"Information Search & Retrieval","description":"Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions."} +{"source":"scf","id":"scf:dch-14.2","id_raw":"DCH-14.2","tier_raw":"Controls","tier":1,"seq":355,"title":"Transfer Authorizations","description":"Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data."} 
+{"source":"scf","id":"scf:dch-14.3","id_raw":"DCH-14.3","tier_raw":"Controls","tier":1,"seq":356,"title":"Data Access Mapping","description":"Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the personnel with whom sensitive data is shared."} +{"source":"scf","id":"scf:dch-15","id_raw":"DCH-15","tier_raw":"Controls","tier":1,"seq":357,"title":"Publicly Accessible Content","description":"Mechanisms exist to control publicly-accessible content.\n\nMethods To Comply With SCF Controls:\n- Designate individuals authorized to post information onto systems that are publicly accessible.\n- Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.\n- Review the proposed content of publicly accessible information for nonpublic information prior to posting.\n- Remove nonpublic information from the publicly accessible system."} +{"source":"scf","id":"scf:dch-16","id_raw":"DCH-16","tier_raw":"Controls","tier":1,"seq":358,"title":"Data Mining Protection","description":"Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques. "} +{"source":"scf","id":"scf:dch-17","id_raw":"DCH-17","tier_raw":"Controls","tier":1,"seq":359,"title":"Ad-Hoc Transfers ","description":"Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.\n\nMethods To Comply With SCF Controls:\n- ShareFile\n- Box"} +{"source":"scf","id":"scf:dch-18","id_raw":"DCH-18","tier_raw":"Controls","tier":1,"seq":360,"title":"Media & Data Retention ","description":"Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-18.1","id_raw":"DCH-18.1","tier_raw":"Controls","tier":1,"seq":361,"title":"Limit Personal Data (PD) Elements In Testing, Training & Research","description":"Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-18.2","id_raw":"DCH-18.2","tier_raw":"Controls","tier":1,"seq":362,"title":"Minimize Personal Data (PD)","description":"Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-18.3","id_raw":"DCH-18.3","tier_raw":"Controls","tier":1,"seq":363,"title":"Temporary Files Containing Personal Data (PD)","description":"Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD)."} +{"source":"scf","id":"scf:dch-19","id_raw":"DCH-19","tier_raw":"Controls","tier":1,"seq":364,"title":"Geographic Location of Data","description":"Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties."} +{"source":"scf","id":"scf:dch-20","id_raw":"DCH-20","tier_raw":"Controls","tier":1,"seq":365,"title":"Archived Data Sets ","description":"Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations. 
"} +{"source":"scf","id":"scf:dch-21","id_raw":"DCH-21","tier_raw":"Controls","tier":1,"seq":366,"title":"Information Disposal","description":"Mechanisms exist to securely dispose of, destroy or erase information.\n\nMethods To Comply With SCF Controls:\n- Shred-it\n- IronMountain"} +{"source":"scf","id":"scf:dch-22","id_raw":"DCH-22","tier_raw":"Controls","tier":1,"seq":367,"title":"Data Quality Operations","description":"Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-22.1","id_raw":"DCH-22.1","tier_raw":"Controls","tier":1,"seq":368,"title":"Updating & Correcting Personal Data (PD)","description":"Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-22.2","id_raw":"DCH-22.2","tier_raw":"Controls","tier":1,"seq":369,"title":"Data Tags","description":"Mechanisms exist to utilize data tags to automate tracking of sensitive data across the information lifecycle.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-22.3","id_raw":"DCH-22.3","tier_raw":"Controls","tier":1,"seq":370,"title":"Primary Source Personal Data (PD) Collection","description":"Mechanisms exist to collect Personal Data (PD) directly from the individual. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23","id_raw":"DCH-23","tier_raw":"Controls","tier":1,"seq":371,"title":"De-Identification (Anonymization)","description":"Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.1","id_raw":"DCH-23.1","tier_raw":"Controls","tier":1,"seq":372,"title":"De-Identify Dataset Upon Collection","description":"Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.2","id_raw":"DCH-23.2","tier_raw":"Controls","tier":1,"seq":373,"title":"Archiving","description":"Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.3","id_raw":"DCH-23.3","tier_raw":"Controls","tier":1,"seq":374,"title":"Release","description":"Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.4","id_raw":"DCH-23.4","tier_raw":"Controls","tier":1,"seq":375,"title":"Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers","description":"Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} 
+{"source":"scf","id":"scf:dch-23.5","id_raw":"DCH-23.5","tier_raw":"Controls","tier":1,"seq":376,"title":"Statistical Disclosure Control","description":"Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis."} +{"source":"scf","id":"scf:dch-23.6","id_raw":"DCH-23.6","tier_raw":"Controls","tier":1,"seq":377,"title":"Differential Privacy","description":"Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.7","id_raw":"DCH-23.7","tier_raw":"Controls","tier":1,"seq":378,"title":"Automated De-Identification of Sensitive Data","description":"Mechanisms exist to perform de-identification of sensitive data, using validated algorithms and software to implement the algorithms.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:dch-23.8","id_raw":"DCH-23.8","tier_raw":"Controls","tier":1,"seq":379,"title":"Motivated Intruder","description":"Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified."} +{"source":"scf","id":"scf:dch-23.9","id_raw":"DCH-23.9","tier_raw":"Controls","tier":1,"seq":380,"title":"Code Names","description":"Mechanisms exist to use aliases to name assets, that are mission-critical and/or contain highly-sensitive data, are unique and not readily associated with a product, project or type of data."} +{"source":"scf","id":"scf:dch-24","id_raw":"DCH-24","tier_raw":"Controls","tier":1,"seq":381,"title":"Information Location","description":"Mechanisms exist to identify and document the location of information and the specific 
system components on which the information resides.\n\nMethods To Comply With SCF Controls:\n- Data Flow Diagram (DFD)"} +{"source":"scf","id":"scf:dch-24.1","id_raw":"DCH-24.1","tier_raw":"Controls","tier":1,"seq":382,"title":"Automated Tools to Support Information Location","description":"Automated mechanisms exist to identify by data classification type to ensure adequate security and privacy controls are in place to protect organizational information and individual privacy."} +{"source":"scf","id":"scf:dch-25","id_raw":"DCH-25","tier_raw":"Controls","tier":1,"seq":383,"title":"Transfer of Sensitive and/or Regulated Data","description":"Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.\n\nMethods To Comply With SCF Controls:\n- Model contracts\n- Privacy Shield\n- Binding Corporate Rules (BCR)"} +{"source":"scf","id":"scf:dch-25.1","id_raw":"DCH-25.1","tier_raw":"Controls","tier":1,"seq":384,"title":"Transfer Activity Limits","description":"Mechanisms exist to establish organization-defined \"normal business activities\" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions."} +{"source":"scf","id":"scf:dch-26","id_raw":"DCH-26","tier_raw":"Controls","tier":1,"seq":385,"title":"Data Localization","description":"Mechanisms exist to constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee"} +{"source":"scf","id":"scf:emb-01","id_raw":"EMB-01","tier_raw":"Controls","tier":1,"seq":386,"title":"Embedded Technology Security Program ","description":"Mechanisms exist to facilitate the 
implementation of embedded technology controls. "} +{"source":"scf","id":"scf:emb-02","id_raw":"EMB-02","tier_raw":"Controls","tier":1,"seq":387,"title":"Internet of Things (IOT) ","description":"Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Internet of Things (IoT)."} +{"source":"scf","id":"scf:emb-03","id_raw":"EMB-03","tier_raw":"Controls","tier":1,"seq":388,"title":"Operational Technology (OT) ","description":"Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT)."} +{"source":"scf","id":"scf:emb-04","id_raw":"EMB-04","tier_raw":"Controls","tier":1,"seq":389,"title":"Interface Security","description":"Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s)."} +{"source":"scf","id":"scf:emb-05","id_raw":"EMB-05","tier_raw":"Controls","tier":1,"seq":390,"title":"Embedded Technology Configuration Monitoring","description":"Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected."} +{"source":"scf","id":"scf:emb-06","id_raw":"EMB-06","tier_raw":"Controls","tier":1,"seq":391,"title":"Prevent Alterations","description":"Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software."} +{"source":"scf","id":"scf:emb-07","id_raw":"EMB-07","tier_raw":"Controls","tier":1,"seq":392,"title":"Embedded Technology Maintenance","description":"Mechanisms exist to securely update software and upgrade functionality on embedded devices."} +{"source":"scf","id":"scf:emb-08","id_raw":"EMB-08","tier_raw":"Controls","tier":1,"seq":393,"title":"Resilience To Outages","description":"Mechanisms exist to configure embedded technology to be resilient to data network and power outages."} 
+{"source":"scf","id":"scf:emb-09","id_raw":"EMB-09","tier_raw":"Controls","tier":1,"seq":394,"title":"Power Level Monitoring","description":"Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering."} +{"source":"scf","id":"scf:emb-10","id_raw":"EMB-10","tier_raw":"Controls","tier":1,"seq":395,"title":"Embedded Technology Reviews","description":"Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented."} +{"source":"scf","id":"scf:emb-11","id_raw":"EMB-11","tier_raw":"Controls","tier":1,"seq":396,"title":"Message Queuing Telemetry Transport (MQTT) Security","description":"Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic."} +{"source":"scf","id":"scf:emb-12","id_raw":"EMB-12","tier_raw":"Controls","tier":1,"seq":397,"title":"Restrict Communications","description":"Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications."} +{"source":"scf","id":"scf:emb-13","id_raw":"EMB-13","tier_raw":"Controls","tier":1,"seq":398,"title":"Authorized Communications","description":"Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints."} +{"source":"scf","id":"scf:emb-14","id_raw":"EMB-14","tier_raw":"Controls","tier":1,"seq":399,"title":"Operating Environment Certification","description":"Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment."} +{"source":"scf","id":"scf:emb-15","id_raw":"EMB-15","tier_raw":"Controls","tier":1,"seq":400,"title":"Safety Assessment","description":"Mechanisms exist to evaluate the safety aspects of 
embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure."} +{"source":"scf","id":"scf:emb-16","id_raw":"EMB-16","tier_raw":"Controls","tier":1,"seq":401,"title":"Certificate-Based Authentication","description":"Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services."} +{"source":"scf","id":"scf:emb-17","id_raw":"EMB-17","tier_raw":"Controls","tier":1,"seq":402,"title":"Chip-To-Cloud Security","description":"Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP)."} +{"source":"scf","id":"scf:emb-18","id_raw":"EMB-18","tier_raw":"Controls","tier":1,"seq":403,"title":"Real-Time Operating System (RTOS) Security","description":"Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS)."} +{"source":"scf","id":"scf:emb-19","id_raw":"EMB-19","tier_raw":"Controls","tier":1,"seq":404,"title":"Safe Operations","description":"Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured."} +{"source":"scf","id":"scf:end-01","id_raw":"END-01","tier_raw":"Controls","tier":1,"seq":405,"title":"Endpoint Security ","description":"Mechanisms exist to facilitate the implementation of endpoint security controls.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Group Policy Objects (GPOs)\n- Antimalware technologies\n- Software firewalls\n- Host-based IDS/IPS technologies\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:end-02","id_raw":"END-02","tier_raw":"Controls","tier":1,"seq":406,"title":"Endpoint Protection Measures ","description":"Mechanisms exist to protect the 
confidentiality, integrity, availability and safety of endpoint devices.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:end-03","id_raw":"END-03","tier_raw":"Controls","tier":1,"seq":407,"title":"Prohibit Installation Without Privileged Status ","description":"Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Removal of local admin rights\n- Privileged Account Management (PAM)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:end-03.1","id_raw":"END-03.1","tier_raw":"Controls","tier":1,"seq":408,"title":"Software Installation Alerts","description":"Mechanisms exist to generate an alert when new software is detected. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:end-03.2","id_raw":"END-03.2","tier_raw":"Controls","tier":1,"seq":409,"title":"Governing Access Restriction for Change","description":"Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:end-04","id_raw":"END-04","tier_raw":"Controls","tier":1,"seq":410,"title":"Malicious Code Protection (Anti-Malware) ","description":"Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- Antimalware software\n- NNT Change Tracker (https://www.newnettechnologies.com)"} 
+{"source":"scf","id":"scf:end-04.1","id_raw":"END-04.1","tier_raw":"Controls","tier":1,"seq":411,"title":"Automatic Antimalware Signature Updates","description":"Mechanisms exist to automatically update antimalware technologies, including signature definitions. \n\nMethods To Comply With SCF Controls:\n- Antimalware software"} +{"source":"scf","id":"scf:end-04.2","id_raw":"END-04.2","tier_raw":"Controls","tier":1,"seq":412,"title":"Documented Protection Measures","description":"Mechanisms exist to document antimalware technologies."} +{"source":"scf","id":"scf:end-04.3","id_raw":"END-04.3","tier_raw":"Controls","tier":1,"seq":413,"title":"Centralized Management of Antimalware Technologies","description":"Mechanisms exist to centrally-manage antimalware technologies.\n\nMethods To Comply With SCF Controls:\n- Antimalware software"} +{"source":"scf","id":"scf:end-04.4","id_raw":"END-04.4","tier_raw":"Controls","tier":1,"seq":414,"title":"Heuristic / Nonsignature-Based Detection","description":"Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.\n\nMethods To Comply With SCF Controls:\n- Antimalware software"} +{"source":"scf","id":"scf:end-04.5","id_raw":"END-04.5","tier_raw":"Controls","tier":1,"seq":415,"title":"Malware Protection Mechanism Testing","description":"Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs. \n\nMethods To Comply With SCF Controls:\n- EICAR test file"} +{"source":"scf","id":"scf:end-04.6","id_raw":"END-04.6","tier_raw":"Controls","tier":1,"seq":416,"title":"Evolving Malware Threats","description":"Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software. 
"} +{"source":"scf","id":"scf:end-04.7","id_raw":"END-04.7","tier_raw":"Controls","tier":1,"seq":417,"title":"Always On Protection","description":"Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period. \n\nMethods To Comply With SCF Controls:\n- Antimalware software"} +{"source":"scf","id":"scf:end-05","id_raw":"END-05","tier_raw":"Controls","tier":1,"seq":418,"title":"Software Firewall ","description":"Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:end-06","id_raw":"END-06","tier_raw":"Controls","tier":1,"seq":419,"title":"Endpoint File Integrity Monitoring (FIM) ","description":"Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)"} +{"source":"scf","id":"scf:end-06.1","id_raw":"END-06.1","tier_raw":"Controls","tier":1,"seq":420,"title":"Integrity Checks ","description":"Mechanisms exist to validate configurations through integrity checking of software and firmware.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)"} +{"source":"scf","id":"scf:end-06.2","id_raw":"END-06.2","tier_raw":"Controls","tier":1,"seq":421,"title":"Integration of Detection & Response ","description":"Mechanisms exist to detect and respond to unauthorized 
configuration changes as cybersecurity incidents.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)"} +{"source":"scf","id":"scf:end-06.3","id_raw":"END-06.3","tier_raw":"Controls","tier":1,"seq":422,"title":"Automated Notifications of Integrity Violations","description":"Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:end-06.4","id_raw":"END-06.4","tier_raw":"Controls","tier":1,"seq":423,"title":"Automated Response to Integrity Violations","description":"Automated mechanisms exist to implement remediation actions when integrity violations are discovered. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:end-06.5","id_raw":"END-06.5","tier_raw":"Controls","tier":1,"seq":424,"title":"Boot Process Integrity","description":"Automated mechanisms exist to verify the integrity of the boot process of information systems."} +{"source":"scf","id":"scf:end-06.6","id_raw":"END-06.6","tier_raw":"Controls","tier":1,"seq":425,"title":"Protection of Boot Firmware","description":"Automated mechanisms exist to protect the integrity of boot firmware in information systems."} +{"source":"scf","id":"scf:end-06.7","id_raw":"END-06.7","tier_raw":"Controls","tier":1,"seq":426,"title":"Binary or Machine-Executable Code","description":"Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code."} +{"source":"scf","id":"scf:end-07","id_raw":"END-07","tier_raw":"Controls","tier":1,"seq":427,"title":"Host Intrusion Detection and Prevention Systems (HIDS / HIPS) 
","description":"Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)\n- File Integrity Monitor (FIM)"} +{"source":"scf","id":"scf:end-08","id_raw":"END-08","tier_raw":"Controls","tier":1,"seq":428,"title":"Phishing & Spam Protection ","description":"Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail."} +{"source":"scf","id":"scf:end-08.1","id_raw":"END-08.1","tier_raw":"Controls","tier":1,"seq":429,"title":"Central Management","description":"Mechanisms exist to centrally-manage anti-phishing and spam protection technologies."} +{"source":"scf","id":"scf:end-08.2","id_raw":"END-08.2","tier_raw":"Controls","tier":1,"seq":430,"title":"Automatic Spam and Phishing Protection Updates","description":"Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices."} +{"source":"scf","id":"scf:end-09","id_raw":"END-09","tier_raw":"Controls","tier":1,"seq":431,"title":"Trusted Path","description":"Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process"} +{"source":"scf","id":"scf:end-10","id_raw":"END-10","tier_raw":"Controls","tier":1,"seq":432,"title":"Mobile Code","description":"Mechanisms exist to address mobile code / operating system-independent applications. 
"} +{"source":"scf","id":"scf:end-11","id_raw":"END-11","tier_raw":"Controls","tier":1,"seq":433,"title":"Thin Nodes","description":"Mechanisms exist to configure thin nodes to have minimal functionality and information storage. "} +{"source":"scf","id":"scf:end-12","id_raw":"END-12","tier_raw":"Controls","tier":1,"seq":434,"title":"Port & Input / Output (I/O) Device Access ","description":"Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems."} +{"source":"scf","id":"scf:end-13","id_raw":"END-13","tier_raw":"Controls","tier":1,"seq":435,"title":"Sensor Capability","description":"Mechanisms exist to configure embedded sensors on systems to: "} +{"source":"scf","id":"scf:end-13.1","id_raw":"END-13.1","tier_raw":"Controls","tier":1,"seq":436,"title":"Authorized Use","description":"Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes."} +{"source":"scf","id":"scf:end-13.2","id_raw":"END-13.2","tier_raw":"Controls","tier":1,"seq":437,"title":"Notice of Collection","description":"Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.\n\nMethods To Comply With SCF Controls:\n- Visible or auditory alert\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:end-13.3","id_raw":"END-13.3","tier_raw":"Controls","tier":1,"seq":438,"title":"Collection Minimization","description":"Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals."} +{"source":"scf","id":"scf:end-13.4","id_raw":"END-13.4","tier_raw":"Controls","tier":1,"seq":439,"title":"Sensor Delivery Verification","description":"Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles."} 
+{"source":"scf","id":"scf:end-14","id_raw":"END-14","tier_raw":"Controls","tier":1,"seq":440,"title":"Collaborative Computing Devices ","description":"Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n\nMethods To Comply With SCF Controls:\n- Unplug devices when not needed"} +{"source":"scf","id":"scf:end-14.1","id_raw":"END-14.1","tier_raw":"Controls","tier":1,"seq":441,"title":"Disabling / Removal In Secure Work Areas","description":"Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas."} +{"source":"scf","id":"scf:end-14.2","id_raw":"END-14.2","tier_raw":"Controls","tier":1,"seq":442,"title":"Explicitly Indicate Current Participants","description":"Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences."} +{"source":"scf","id":"scf:end-15","id_raw":"END-15","tier_raw":"Controls","tier":1,"seq":443,"title":"Hypervisor Access ","description":"Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems."} +{"source":"scf","id":"scf:end-16","id_raw":"END-16","tier_raw":"Controls","tier":1,"seq":444,"title":"Restrict Access To Security Functions","description":"Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.\n\nMethods To Comply With SCF Controls:\n- Windows Defender Device Guard"} +{"source":"scf","id":"scf:end-16.1","id_raw":"END-16.1","tier_raw":"Controls","tier":1,"seq":445,"title":"Host-Based Security Function Isolation","description":"Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation. 
\n\nMethods To Comply With SCF Controls:\n- Windows Defender Device Guard"} +{"source":"scf","id":"scf:hrs-01","id_raw":"HRS-01","tier_raw":"Controls","tier":1,"seq":446,"title":"Human Resources Security Management","description":"Mechanisms exist to facilitate the implementation of personnel security controls."} +{"source":"scf","id":"scf:hrs-02","id_raw":"HRS-02","tier_raw":"Controls","tier":1,"seq":447,"title":"Position Categorization ","description":"Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions."} +{"source":"scf","id":"scf:hrs-02.1","id_raw":"HRS-02.1","tier_raw":"Controls","tier":1,"seq":448,"title":"Users With Elevated Privileges","description":"Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question."} +{"source":"scf","id":"scf:hrs-02.2","id_raw":"HRS-02.2","tier_raw":"Controls","tier":1,"seq":449,"title":"Probationary Periods","description":"Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period."} +{"source":"scf","id":"scf:hrs-03","id_raw":"HRS-03","tier_raw":"Controls","tier":1,"seq":450,"title":"Roles & Responsibilities ","description":"Mechanisms exist to define cybersecurity responsibilities for all personnel. 
\n\nMethods To Comply With SCF Controls:\n- NIST NICE framework\n- RACI diagram"} +{"source":"scf","id":"scf:hrs-03.1","id_raw":"HRS-03.1","tier_raw":"Controls","tier":1,"seq":451,"title":"User Awareness ","description":"Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment."} +{"source":"scf","id":"scf:hrs-03.2","id_raw":"HRS-03.2","tier_raw":"Controls","tier":1,"seq":452,"title":"Competency Requirements for Security-Related Positions","description":"Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set. "} +{"source":"scf","id":"scf:hrs-04","id_raw":"HRS-04","tier_raw":"Controls","tier":1,"seq":453,"title":"Personnel Screening ","description":"Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.\n\nMethods To Comply With SCF Controls:\n- Criminal, education and employment background checks"} +{"source":"scf","id":"scf:hrs-04.1","id_raw":"HRS-04.1","tier_raw":"Controls","tier":1,"seq":454,"title":"Roles With Special Protection Measures","description":"Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.\n\nMethods To Comply With SCF Controls:\n- Security clearances for classified information."} +{"source":"scf","id":"scf:hrs-04.2","id_raw":"HRS-04.2","tier_raw":"Controls","tier":1,"seq":455,"title":"Formal Indoctrination","description":"Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system."} +{"source":"scf","id":"scf:hrs-04.3","id_raw":"HRS-04.3","tier_raw":"Controls","tier":1,"seq":456,"title":"Citizenship 
Requirements","description":"Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship."} +{"source":"scf","id":"scf:hrs-04.4","id_raw":"HRS-04.4","tier_raw":"Controls","tier":1,"seq":457,"title":"Citizenship Identification","description":"Mechanisms exist to identify foreign nationals, including by their specific citizenship."} +{"source":"scf","id":"scf:hrs-05","id_raw":"HRS-05","tier_raw":"Controls","tier":1,"seq":458,"title":"Terms of Employment ","description":"Mechanisms exist to require all employees and contractors to apply security and privacy principles in their daily work.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior"} +{"source":"scf","id":"scf:hrs-05.1","id_raw":"HRS-05.1","tier_raw":"Controls","tier":1,"seq":459,"title":"Rules of Behavior","description":"Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior"} +{"source":"scf","id":"scf:hrs-05.2","id_raw":"HRS-05.2","tier_raw":"Controls","tier":1,"seq":460,"title":"Social Media & Social Networking Restrictions","description":"Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information. 
\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior"} +{"source":"scf","id":"scf:hrs-05.3","id_raw":"HRS-05.3","tier_raw":"Controls","tier":1,"seq":461,"title":"Use of Communications Technology","description":"Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously. \n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior"} +{"source":"scf","id":"scf:hrs-05.4","id_raw":"HRS-05.4","tier_raw":"Controls","tier":1,"seq":462,"title":"Use of Critical Technologies ","description":"Mechanisms exist to govern usage policies for critical technologies. "} +{"source":"scf","id":"scf:hrs-05.5","id_raw":"HRS-05.5","tier_raw":"Controls","tier":1,"seq":463,"title":"Use of Mobile Devices","description":"Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.\n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Rules of behavior\n- BYOD policy"} +{"source":"scf","id":"scf:hrs-05.6","id_raw":"HRS-05.6","tier_raw":"Controls","tier":1,"seq":464,"title":"Security-Minded Dress Code","description":"Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) 
to prevent the unauthorized exfiltration of data and technology assets."} +{"source":"scf","id":"scf:hrs-05.7","id_raw":"HRS-05.7","tier_raw":"Controls","tier":1,"seq":465,"title":"Policy Familiarization & Acknowledgement","description":"Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies and provide acknowledgement."} +{"source":"scf","id":"scf:hrs-06","id_raw":"HRS-06","tier_raw":"Controls","tier":1,"seq":466,"title":"Access Agreements ","description":"Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. "} +{"source":"scf","id":"scf:hrs-06.1","id_raw":"HRS-06.1","tier_raw":"Controls","tier":1,"seq":467,"title":"Confidentiality Agreements","description":"Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)"} +{"source":"scf","id":"scf:hrs-06.2","id_raw":"HRS-06.2","tier_raw":"Controls","tier":1,"seq":468,"title":"Post-Employment Obligations","description":"Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information."} +{"source":"scf","id":"scf:hrs-07","id_raw":"HRS-07","tier_raw":"Controls","tier":1,"seq":469,"title":"Personnel Sanctions","description":"Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures. "} +{"source":"scf","id":"scf:hrs-07.1","id_raw":"HRS-07.1","tier_raw":"Controls","tier":1,"seq":470,"title":"Workplace Investigations","description":"Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated. 
"} +{"source":"scf","id":"scf:hrs-08","id_raw":"HRS-08","tier_raw":"Controls","tier":1,"seq":471,"title":"Personnel Transfer","description":"Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner."} +{"source":"scf","id":"scf:hrs-09","id_raw":"HRS-09","tier_raw":"Controls","tier":1,"seq":472,"title":"Personnel Termination ","description":"Mechanisms exist to govern the termination of individual employment."} +{"source":"scf","id":"scf:hrs-09.1","id_raw":"HRS-09.1","tier_raw":"Controls","tier":1,"seq":473,"title":"Asset Collection","description":"Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment."} +{"source":"scf","id":"scf:hrs-09.2","id_raw":"HRS-09.2","tier_raw":"Controls","tier":1,"seq":474,"title":"High-Risk Terminations","description":"Mechanisms exist to expedite the process of removing \"high risk\" individual’s access to systems and applications upon termination, as determined by management."} +{"source":"scf","id":"scf:hrs-09.3","id_raw":"HRS-09.3","tier_raw":"Controls","tier":1,"seq":475,"title":"Post-Employment Requirements ","description":"Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)"} +{"source":"scf","id":"scf:hrs-09.4","id_raw":"HRS-09.4","tier_raw":"Controls","tier":1,"seq":476,"title":"Automated Employment Status Notifications","description":"Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual employment or contract."} +{"source":"scf","id":"scf:hrs-10","id_raw":"HRS-10","tier_raw":"Controls","tier":1,"seq":477,"title":"Third-Party Personnel Security","description":"Mechanisms exist to govern 
third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities.\n\nMethods To Comply With SCF Controls:\n- Independent background check service"} +{"source":"scf","id":"scf:hrs-11","id_raw":"HRS-11","tier_raw":"Controls","tier":1,"seq":478,"title":"Separation of Duties (SoD)","description":"Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion."} +{"source":"scf","id":"scf:hrs-12","id_raw":"HRS-12","tier_raw":"Controls","tier":1,"seq":479,"title":"Incompatible Roles ","description":"Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment."} +{"source":"scf","id":"scf:hrs-12.1","id_raw":"HRS-12.1","tier_raw":"Controls","tier":1,"seq":480,"title":"Two-Person Rule","description":"Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems."} +{"source":"scf","id":"scf:hrs-13","id_raw":"HRS-13","tier_raw":"Controls","tier":1,"seq":481,"title":"Identify Critical Skills & Gaps","description":"Mechanisms exist to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist."} +{"source":"scf","id":"scf:hrs-13.1","id_raw":"HRS-13.1","tier_raw":"Controls","tier":1,"seq":482,"title":"Remediate Identified Skills Deficiencies","description":"Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions."} +{"source":"scf","id":"scf:hrs-13.2","id_raw":"HRS-13.2","tier_raw":"Controls","tier":1,"seq":483,"title":"Identify Vital Cybersecurity & Privacy Staff","description":"Mechanisms exist to identify vital cybersecurity & privacy staff."} 
+{"source":"scf","id":"scf:hrs-13.3","id_raw":"HRS-13.3","tier_raw":"Controls","tier":1,"seq":484,"title":"Establish Redundancy for Vital Cybersecurity & Privacy Staff","description":"Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff."} +{"source":"scf","id":"scf:hrs-13.4","id_raw":"HRS-13.4","tier_raw":"Controls","tier":1,"seq":485,"title":"Perform Succession Planning","description":"Mechanisms exist to perform succession planning for vital cybersecurity & privacy roles."} +{"source":"scf","id":"scf:iac-01","id_raw":"IAC-01","tier_raw":"Controls","tier":1,"seq":486,"title":"Identity & Access Management (IAM) ","description":"Mechanisms exist to facilitate the implementation of identification and access management controls."} +{"source":"scf","id":"scf:iac-01.1","id_raw":"IAC-01.1","tier_raw":"Controls","tier":1,"seq":487,"title":"Retain Access Records","description":"Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed."} +{"source":"scf","id":"scf:iac-02","id_raw":"IAC-02","tier_raw":"Controls","tier":1,"seq":488,"title":"Identification & Authentication for Organizational Users ","description":"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users. "} +{"source":"scf","id":"scf:iac-02.1","id_raw":"IAC-02.1","tier_raw":"Controls","tier":1,"seq":489,"title":"Group Authentication ","description":"Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized. 
"} +{"source":"scf","id":"scf:iac-02.2","id_raw":"IAC-02.2","tier_raw":"Controls","tier":1,"seq":490,"title":"Network Access to Privileged Accounts - Replay Resistant","description":"Automated mechanisms exist to employ replay-resistant network access authentication."} +{"source":"scf","id":"scf:iac-02.3","id_raw":"IAC-02.3","tier_raw":"Controls","tier":1,"seq":491,"title":"Acceptance of PIV Credentials ","description":"Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials. \n\nMethods To Comply With SCF Controls:\n- Personal Identity Verification (PIV) credentials"} +{"source":"scf","id":"scf:iac-02.4","id_raw":"IAC-02.4","tier_raw":"Controls","tier":1,"seq":492,"title":"Out-of-Band Authentication (OOBA) ","description":"Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions. "} +{"source":"scf","id":"scf:iac-03","id_raw":"IAC-03","tier_raw":"Controls","tier":1,"seq":493,"title":"Identification & Authentication for Non-Organizational Users ","description":"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization."} +{"source":"scf","id":"scf:iac-03.1","id_raw":"IAC-03.1","tier_raw":"Controls","tier":1,"seq":494,"title":"Acceptance of PIV Credentials from Other Organizations ","description":"Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties."} +{"source":"scf","id":"scf:iac-03.2","id_raw":"IAC-03.2","tier_raw":"Controls","tier":1,"seq":495,"title":"Acceptance of Third-Party Credentials","description":"Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials. 
"} +{"source":"scf","id":"scf:iac-03.3","id_raw":"IAC-03.3","tier_raw":"Controls","tier":1,"seq":496,"title":"Use of FICAM-Issued Profiles","description":"Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles. "} +{"source":"scf","id":"scf:iac-03.4","id_raw":"IAC-03.4","tier_raw":"Controls","tier":1,"seq":497,"title":"Disassociability","description":"Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties."} +{"source":"scf","id":"scf:iac-03.5","id_raw":"IAC-03.5","tier_raw":"Controls","tier":1,"seq":498,"title":"Acceptance of External Authenticators","description":"Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators."} +{"source":"scf","id":"scf:iac-04","id_raw":"IAC-04","tier_raw":"Controls","tier":1,"seq":499,"title":"Identification & Authentication for Devices","description":"Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Kerberos"} +{"source":"scf","id":"scf:iac-04.1","id_raw":"IAC-04.1","tier_raw":"Controls","tier":1,"seq":500,"title":"Device Attestation","description":"Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process."} +{"source":"scf","id":"scf:iac-05","id_raw":"IAC-05","tier_raw":"Controls","tier":1,"seq":501,"title":"Identification & Authentication for Third Party Systems & Services","description":"Mechanisms exist to identify and authenticate third-party systems 
and services."} +{"source":"scf","id":"scf:iac-05.1","id_raw":"IAC-05.1","tier_raw":"Controls","tier":1,"seq":502,"title":"Sharing Identification & Authentication Information","description":"Mechanisms exist to ensure third-party service providers provide current and accurate information for any third-party user with access to the organization's data or assets."} +{"source":"scf","id":"scf:iac-05.2","id_raw":"IAC-05.2","tier_raw":"Controls","tier":1,"seq":503,"title":"Privileged Access by Non-Organizational Users","description":"Mechanisms exist to prohibit privileged access by non-organizational users."} +{"source":"scf","id":"scf:iac-06","id_raw":"IAC-06","tier_raw":"Controls","tier":1,"seq":504,"title":"Multi-Factor Authentication (MFA)","description":"Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)"} +{"source":"scf","id":"scf:iac-06.1","id_raw":"IAC-06.1","tier_raw":"Controls","tier":1,"seq":505,"title":"Network Access to Privileged Accounts","description":"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts. \n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)"} +{"source":"scf","id":"scf:iac-06.2","id_raw":"IAC-06.2","tier_raw":"Controls","tier":1,"seq":506,"title":"Network Access to Non-Privileged Accounts ","description":"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts. 
\n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)"} +{"source":"scf","id":"scf:iac-06.3","id_raw":"IAC-06.3","tier_raw":"Controls","tier":1,"seq":507,"title":"Local Access to Privileged Accounts ","description":"Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts. \n\nMethods To Comply With SCF Controls:\n- Multi-Factor Authentication (MFA)\n- Microsoft Active Directory (AD) Certificate Services\n- Yubico (https://www.yubico.com)\n- Duo (https://www.duo.com)"} +{"source":"scf","id":"scf:iac-06.4","id_raw":"IAC-06.4","tier_raw":"Controls","tier":1,"seq":508,"title":"Out-of-Band Multi-Factor Authentication ","description":"Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access. "} +{"source":"scf","id":"scf:iac-07","id_raw":"IAC-07","tier_raw":"Controls","tier":1,"seq":509,"title":"User Provisioning & De-Provisioning ","description":"Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights. "} +{"source":"scf","id":"scf:iac-07.1","id_raw":"IAC-07.1","tier_raw":"Controls","tier":1,"seq":510,"title":"Change of Roles & Duties","description":"Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted. 
"} +{"source":"scf","id":"scf:iac-07.2","id_raw":"IAC-07.2","tier_raw":"Controls","tier":1,"seq":511,"title":"Termination of Employment","description":"Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract."} +{"source":"scf","id":"scf:iac-08","id_raw":"IAC-08","tier_raw":"Controls","tier":1,"seq":512,"title":"Role-Based Access Control (RBAC) ","description":"Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access.\n\nMethods To Comply With SCF Controls:\n- Role-Based Access Control (RBAC)\n"} +{"source":"scf","id":"scf:iac-09","id_raw":"IAC-09","tier_raw":"Controls","tier":1,"seq":513,"title":"Identifier Management (User Names)","description":"Mechanisms exist to govern naming standards for usernames and systems."} +{"source":"scf","id":"scf:iac-09.1","id_raw":"IAC-09.1","tier_raw":"Controls","tier":1,"seq":514,"title":"User Identity (ID) Management ","description":"Mechanisms exist to ensure proper user identification management for non-consumer users and administrators. "} +{"source":"scf","id":"scf:iac-09.2","id_raw":"IAC-09.2","tier_raw":"Controls","tier":1,"seq":515,"title":"Identity User Status","description":"Mechanisms exist to identify contractor and other third-party users through unique username characteristics. "} +{"source":"scf","id":"scf:iac-09.3","id_raw":"IAC-09.3","tier_raw":"Controls","tier":1,"seq":516,"title":"Dynamic Management","description":"Mechanisms exist to dynamically manage usernames and system identifiers. 
\n\nMethods To Comply With SCF Controls:\n- Microsoft Active Directory (AD)"} +{"source":"scf","id":"scf:iac-09.4","id_raw":"IAC-09.4","tier_raw":"Controls","tier":1,"seq":517,"title":"Cross-Organization Management","description":"Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers. "} +{"source":"scf","id":"scf:iac-09.5","id_raw":"IAC-09.5","tier_raw":"Controls","tier":1,"seq":518,"title":"Privileged Account Identifiers","description":"Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service."} +{"source":"scf","id":"scf:iac-09.6","id_raw":"IAC-09.6","tier_raw":"Controls","tier":1,"seq":519,"title":"Pairwise Pseudonymous Identifiers (PPID)","description":"Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject."} +{"source":"scf","id":"scf:iac-10","id_raw":"IAC-10","tier_raw":"Controls","tier":1,"seq":520,"title":"Authenticator Management","description":"Mechanisms exist to securely manage authenticators for users and devices."} +{"source":"scf","id":"scf:iac-10.1","id_raw":"IAC-10.1","tier_raw":"Controls","tier":1,"seq":521,"title":"Password-Based Authentication ","description":"Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication."} +{"source":"scf","id":"scf:iac-10.2","id_raw":"IAC-10.2","tier_raw":"Controls","tier":1,"seq":522,"title":"PKI-Based Authentication","description":"Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication."} +{"source":"scf","id":"scf:iac-10.3","id_raw":"IAC-10.3","tier_raw":"Controls","tier":1,"seq":523,"title":"In-Person or Trusted Third-Party 
Registration","description":"Mechanisms exist to conduct in-person or trusted third-party identify verification before user accounts for third-parties are created."} +{"source":"scf","id":"scf:iac-10.4","id_raw":"IAC-10.4","tier_raw":"Controls","tier":1,"seq":524,"title":"Automated Support For Password Strength","description":"Automated mechanisms exist to determine if password authenticators are sufficiently strong enough to satisfy organization-defined password length and complexity requirements. "} +{"source":"scf","id":"scf:iac-10.5","id_raw":"IAC-10.5","tier_raw":"Controls","tier":1,"seq":525,"title":"Protection of Authenticators","description":"Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access. "} +{"source":"scf","id":"scf:iac-10.6","id_raw":"IAC-10.6","tier_raw":"Controls","tier":1,"seq":526,"title":"No Embedded Unencrypted Static Authenticators","description":"Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys. 
"} +{"source":"scf","id":"scf:iac-10.7","id_raw":"IAC-10.7","tier_raw":"Controls","tier":1,"seq":527,"title":"Hardware Token-Based Authentication","description":"Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.\n\nMethods To Comply With SCF Controls:\n- Tokens are sufficiently encrypted or do not reveal credentials or passwords within the token."} +{"source":"scf","id":"scf:iac-10.8","id_raw":"IAC-10.8","tier_raw":"Controls","tier":1,"seq":528,"title":"Vendor-Supplied Defaults","description":"Mechanisms exist to ensure vendor-supplied defaults are changed as part of the installation process.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:iac-10.9","id_raw":"IAC-10.9","tier_raw":"Controls","tier":1,"seq":529,"title":"Multiple Information System Accounts","description":"Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems."} +{"source":"scf","id":"scf:iac-10.10","id_raw":"IAC-10.10","tier_raw":"Controls","tier":1,"seq":530,"title":"Expiration of Cached Authenticators","description":"Automated mechanisms exist to prohibit the use of cached authenticators after organization-defined time period."} +{"source":"scf","id":"scf:iac-10.11","id_raw":"IAC-10.11","tier_raw":"Controls","tier":1,"seq":531,"title":"Password Managers","description":"Mechanisms exist to protect and store passwords via a password manager tool."} +{"source":"scf","id":"scf:iac-10.12","id_raw":"IAC-10.12","tier_raw":"Controls","tier":1,"seq":532,"title":"Biometric Authentication","description":"Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives."} 
+{"source":"scf","id":"scf:iac-11","id_raw":"IAC-11","tier_raw":"Controls","tier":1,"seq":533,"title":"Authenticator Feedback","description":"Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. "} +{"source":"scf","id":"scf:iac-12","id_raw":"IAC-12","tier_raw":"Controls","tier":1,"seq":534,"title":"Cryptographic Module Authentication ","description":"Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.\n\nMethods To Comply With SCF Controls:\n- FIPS 140-2"} +{"source":"scf","id":"scf:iac-12.1","id_raw":"IAC-12.1","tier_raw":"Controls","tier":1,"seq":535,"title":"Hardware Security Modules (HSM)","description":"Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies. "} +{"source":"scf","id":"scf:iac-13","id_raw":"IAC-13","tier_raw":"Controls","tier":1,"seq":536,"title":"Adaptive Identification & Authentication ","description":"Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations."} +{"source":"scf","id":"scf:iac-13.1","id_raw":"IAC-13.1","tier_raw":"Controls","tier":1,"seq":537,"title":"Single Sign-On (SSO)","description":"Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services."} +{"source":"scf","id":"scf:iac-13.2","id_raw":"IAC-13.2","tier_raw":"Controls","tier":1,"seq":538,"title":"Federated Credential Management","description":"Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices."} +{"source":"scf","id":"scf:iac-14","id_raw":"IAC-14","tier_raw":"Controls","tier":1,"seq":539,"title":"Re-Authentication ","description":"Mechanisms exist to force users and devices to re-authenticate 
according to organization-defined circumstances that necessitate re-authentication. "} +{"source":"scf","id":"scf:iac-15","id_raw":"IAC-15","tier_raw":"Controls","tier":1,"seq":540,"title":"Account Management ","description":"Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.\n\nMethods To Comply With SCF Controls:\n- Service accounts prohibit interactive login - users cannot log into systems with those accounts."} +{"source":"scf","id":"scf:iac-15.1","id_raw":"IAC-15.1","tier_raw":"Controls","tier":1,"seq":541,"title":"Automated System Account Management ","description":"Automated mechanisms exist to support the management of system accounts. \n\nMethods To Comply With SCF Controls:\n- Service accounts prohibit interactive login - users cannot log into systems with those accounts."} +{"source":"scf","id":"scf:iac-15.2","id_raw":"IAC-15.2","tier_raw":"Controls","tier":1,"seq":542,"title":"Removal of Temporary / Emergency Accounts","description":"Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account. "} +{"source":"scf","id":"scf:iac-15.3","id_raw":"IAC-15.3","tier_raw":"Controls","tier":1,"seq":543,"title":"Disable Inactive Accounts","description":"Automated mechanisms exist to disable inactive accounts after an organization-defined time period. "} +{"source":"scf","id":"scf:iac-15.4","id_raw":"IAC-15.4","tier_raw":"Controls","tier":1,"seq":544,"title":"Automated Audit Actions","description":"Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles. 
"} +{"source":"scf","id":"scf:iac-15.5","id_raw":"IAC-15.5","tier_raw":"Controls","tier":1,"seq":545,"title":"Restrictions on Shared Groups / Accounts","description":"Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions."} +{"source":"scf","id":"scf:iac-15.6","id_raw":"IAC-15.6","tier_raw":"Controls","tier":1,"seq":546,"title":"Account Disabling for High Risk Individuals","description":"Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization."} +{"source":"scf","id":"scf:iac-15.7","id_raw":"IAC-15.7","tier_raw":"Controls","tier":1,"seq":547,"title":"System Accounts","description":"Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner. "} +{"source":"scf","id":"scf:iac-15.8","id_raw":"IAC-15.8","tier_raw":"Controls","tier":1,"seq":548,"title":"Usage Conditions","description":"Automated mechanisms exist to enforce usage conditions for users and/or roles."} +{"source":"scf","id":"scf:iac-15.9","id_raw":"IAC-15.9","tier_raw":"Controls","tier":1,"seq":549,"title":"Emergency Accounts","description":"Mechanisms exist to establish and control \"emergency access only\" accounts."} +{"source":"scf","id":"scf:iac-16","id_raw":"IAC-16","tier_raw":"Controls","tier":1,"seq":550,"title":"Privileged Account Management (PAM) ","description":"Mechanisms exist to restrict and control privileged access rights for users and services."} +{"source":"scf","id":"scf:iac-16.1","id_raw":"IAC-16.1","tier_raw":"Controls","tier":1,"seq":551,"title":"Privileged Account Inventories ","description":"Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management. 
"} +{"source":"scf","id":"scf:iac-16.2","id_raw":"IAC-16.2","tier_raw":"Controls","tier":1,"seq":552,"title":"Privileged Account Separation ","description":"Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments."} +{"source":"scf","id":"scf:iac-17","id_raw":"IAC-17","tier_raw":"Controls","tier":1,"seq":553,"title":"Periodic Review of Account Privileges","description":"Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary."} +{"source":"scf","id":"scf:iac-18","id_raw":"IAC-18","tier_raw":"Controls","tier":1,"seq":554,"title":"User Responsibilities for Account Management","description":"Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.). \n\nMethods To Comply With SCF Controls:\n- Employment contract\n- Rules of Behavior\n- Formalized password policy"} +{"source":"scf","id":"scf:iac-19","id_raw":"IAC-19","tier_raw":"Controls","tier":1,"seq":555,"title":"Credential Sharing ","description":"Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods."} +{"source":"scf","id":"scf:iac-20","id_raw":"IAC-20","tier_raw":"Controls","tier":1,"seq":556,"title":"Access Enforcement","description":"Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\""} +{"source":"scf","id":"scf:iac-20.1","id_raw":"IAC-20.1","tier_raw":"Controls","tier":1,"seq":557,"title":"Access To Sensitive Data","description":"Mechanisms exist to limit access to sensitive data to only those individuals whose job requires such access. 
"} +{"source":"scf","id":"scf:iac-20.2","id_raw":"IAC-20.2","tier_raw":"Controls","tier":1,"seq":558,"title":"Database Access","description":"Mechanisms exist to restrict access to database containing sensitive data to only necessary services or those individuals whose job requires such access. "} +{"source":"scf","id":"scf:iac-20.3","id_raw":"IAC-20.3","tier_raw":"Controls","tier":1,"seq":559,"title":"Use of Privileged Utility Programs","description":"Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls."} +{"source":"scf","id":"scf:iac-20.4","id_raw":"IAC-20.4","tier_raw":"Controls","tier":1,"seq":560,"title":"Dedicated Administrative Machines","description":"Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.\n\nMethods To Comply With SCF Controls:\n- Jump hosts"} +{"source":"scf","id":"scf:iac-20.5","id_raw":"IAC-20.5","tier_raw":"Controls","tier":1,"seq":561,"title":"Dual Authorization for Privileged Commands","description":"Automated mechanisms exist to enforce dual authorization for privileged commands."} +{"source":"scf","id":"scf:iac-20.6","id_raw":"IAC-20.6","tier_raw":"Controls","tier":1,"seq":562,"title":"Revocation of Access Authorizations","description":"Mechanisms exist to revoke logical and physical access authorizations."} +{"source":"scf","id":"scf:iac-21","id_raw":"IAC-21","tier_raw":"Controls","tier":1,"seq":563,"title":"Least Privilege ","description":"Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions. 
"} +{"source":"scf","id":"scf:iac-21.1","id_raw":"IAC-21.1","tier_raw":"Controls","tier":1,"seq":564,"title":"Authorize Access to Security Functions ","description":"Mechanisms exist to limit access to security functions to explicitly-authorized privileged users."} +{"source":"scf","id":"scf:iac-21.2","id_raw":"IAC-21.2","tier_raw":"Controls","tier":1,"seq":565,"title":"Non-Privileged Access for Non-Security Functions ","description":"Mechanisms exist to prohibit privileged users from using privileged accounts, while performing non-security functions. "} +{"source":"scf","id":"scf:iac-21.3","id_raw":"IAC-21.3","tier_raw":"Controls","tier":1,"seq":566,"title":"Privileged Accounts ","description":"Mechanisms exist to restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval."} +{"source":"scf","id":"scf:iac-21.4","id_raw":"IAC-21.4","tier_raw":"Controls","tier":1,"seq":567,"title":"Auditing Use of Privileged Functions ","description":"Mechanisms exist to audit the execution of privileged functions. "} +{"source":"scf","id":"scf:iac-21.5","id_raw":"IAC-21.5","tier_raw":"Controls","tier":1,"seq":568,"title":"Prohibit Non-Privileged Users from Executing Privileged Functions ","description":"Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures. 
"} +{"source":"scf","id":"scf:iac-21.6","id_raw":"IAC-21.6","tier_raw":"Controls","tier":1,"seq":569,"title":"Network Access to Privileged Commands","description":"Mechanisms exist to authorize remote access to perform privileged commands on critical systems or where sensitive data is stored, transmitted and/or processed only for compelling operational needs."} +{"source":"scf","id":"scf:iac-21.7","id_raw":"IAC-21.7","tier_raw":"Controls","tier":1,"seq":570,"title":"Privilege Levels for Code Execution","description":"Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges. "} +{"source":"scf","id":"scf:iac-22","id_raw":"IAC-22","tier_raw":"Controls","tier":1,"seq":571,"title":"Account Lockout ","description":"Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded."} +{"source":"scf","id":"scf:iac-23","id_raw":"IAC-23","tier_raw":"Controls","tier":1,"seq":572,"title":"Concurrent Session Control","description":"Mechanisms exist to limit the number of concurrent sessions for each system account. "} +{"source":"scf","id":"scf:iac-24","id_raw":"IAC-24","tier_raw":"Controls","tier":1,"seq":573,"title":"Session Lock ","description":"Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods."} +{"source":"scf","id":"scf:iac-24.1","id_raw":"IAC-24.1","tier_raw":"Controls","tier":1,"seq":574,"title":"Pattern-Hiding Displays ","description":"Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock. 
"} +{"source":"scf","id":"scf:iac-25","id_raw":"IAC-25","tier_raw":"Controls","tier":1,"seq":575,"title":"Session Termination ","description":"Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity. "} +{"source":"scf","id":"scf:iac-25.1","id_raw":"IAC-25.1","tier_raw":"Controls","tier":1,"seq":576,"title":"User-Initiated Logouts / Message Displays","description":"Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session. "} +{"source":"scf","id":"scf:iac-26","id_raw":"IAC-26","tier_raw":"Controls","tier":1,"seq":577,"title":"Permitted Actions Without Identification or Authorization","description":"Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication."} +{"source":"scf","id":"scf:iac-27","id_raw":"IAC-27","tier_raw":"Controls","tier":1,"seq":578,"title":"Reference Monitor","description":"Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured."} +{"source":"scf","id":"scf:iac-28","id_raw":"IAC-28","tier_raw":"Controls","tier":1,"seq":579,"title":"Identity Proofing (Identity Verification)","description":"Mechanisms exist to verify the identity of a user before modifying any permissions or authentication factor.\n\nMethods To Comply With SCF Controls:\n- Professional references\n- Education / certification transcripts\n- Driver's license\n- Passport"} +{"source":"scf","id":"scf:iac-28.1","id_raw":"IAC-28.1","tier_raw":"Controls","tier":1,"seq":580,"title":"Management Approval For New or Changed Accounts","description":"Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to 
existing accounts."} +{"source":"scf","id":"scf:iac-28.2","id_raw":"IAC-28.2","tier_raw":"Controls","tier":1,"seq":581,"title":"Identity Evidence","description":"Mechanisms exist to require evidence of individual identification to be presented to the registration authority.\n\nMethods To Comply With SCF Controls:\n- Driver's license\n- Passport"} +{"source":"scf","id":"scf:iac-28.3","id_raw":"IAC-28.3","tier_raw":"Controls","tier":1,"seq":582,"title":"Identity Evidence Validation & Verification","description":"Mechanisms exist to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification.\n\nMethods To Comply With SCF Controls:\n- Employment verification\n- Credit check\n- Criminal history check\n- Education verification"} +{"source":"scf","id":"scf:iac-28.4","id_raw":"IAC-28.4","tier_raw":"Controls","tier":1,"seq":583,"title":"In-Person Validation & Verification","description":"Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration authority.\n\nMethods To Comply With SCF Controls:\n- In-person validation of government-issued photograph identification"} +{"source":"scf","id":"scf:iac-28.5","id_raw":"IAC-28.5","tier_raw":"Controls","tier":1,"seq":584,"title":"Address Confirmation","description":"Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital)."} +{"source":"scf","id":"scf:iac-29","id_raw":"IAC-29","tier_raw":"Controls","tier":1,"seq":585,"title":"Attribute-Based Access Control (ABAC) ","description":"Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information.\n\nMethods To Comply With SCF Controls:\n- NIST Special Publication 800-162 "} 
+{"source":"scf","id":"scf:iro-01","id_raw":"IRO-01","tier_raw":"Controls","tier":1,"seq":586,"title":"Incident Response Operations","description":"Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents."} +{"source":"scf","id":"scf:iro-02","id_raw":"IRO-02","tier_raw":"Controls","tier":1,"seq":587,"title":"Incident Handling ","description":"Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.\n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management"} +{"source":"scf","id":"scf:iro-02.1","id_raw":"IRO-02.1","tier_raw":"Controls","tier":1,"seq":588,"title":"Automated Incident Handling Processes","description":"Automated mechanisms exist to support the incident handling process. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:iro-02.2","id_raw":"IRO-02.2","tier_raw":"Controls","tier":1,"seq":589,"title":"Insider Threat Response Capability","description":"Mechanisms exist to implement and govern an insider threat program. "} +{"source":"scf","id":"scf:iro-02.3","id_raw":"IRO-02.3","tier_raw":"Controls","tier":1,"seq":590,"title":"Dynamic Reconfiguration","description":"Automated mechanisms exist to dynamically reconfigure information system components as part of the incident response capability. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:iro-02.4","id_raw":"IRO-02.4","tier_raw":"Controls","tier":1,"seq":591,"title":"Continuity of Operations","description":"Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions."} +{"source":"scf","id":"scf:iro-02.5","id_raw":"IRO-02.5","tier_raw":"Controls","tier":1,"seq":592,"title":"Correlation with External Organizations","description":"Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses. "} +{"source":"scf","id":"scf:iro-02.6","id_raw":"IRO-02.6","tier_raw":"Controls","tier":1,"seq":593,"title":"Automatic Disabling of System","description":"Mechanisms exist to automatically disable systems, upon detection of a possible incident that meets organizational criteria, that allows for forensic analysis to be performed."} +{"source":"scf","id":"scf:iro-03","id_raw":"IRO-03","tier_raw":"Controls","tier":1,"seq":594,"title":"Indicators of Compromise (IOC)","description":"Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.\n\nMethods To Comply With SCF Controls:\n- Indicators of Compromise (IoC)\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:iro-04","id_raw":"IRO-04","tier_raw":"Controls","tier":1,"seq":595,"title":"Incident Response Plan (IRP) ","description":"Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.\n\nMethods To Comply With SCF Controls:\n- Incident Response Plan (IRP)\n- Hard copy of IRP"} 
+{"source":"scf","id":"scf:iro-04.1","id_raw":"IRO-04.1","tier_raw":"Controls","tier":1,"seq":596,"title":"Data Breach","description":"Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations. "} +{"source":"scf","id":"scf:iro-04.2","id_raw":"IRO-04.2","tier_raw":"Controls","tier":1,"seq":597,"title":"IRP Update","description":"Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary."} +{"source":"scf","id":"scf:iro-04.3","id_raw":"IRO-04.3","tier_raw":"Controls","tier":1,"seq":598,"title":"Continuous Incident Response Improvements","description":"Mechanisms exist to use qualitative and quantitative data from incident response testing to: "} +{"source":"scf","id":"scf:iro-05","id_raw":"IRO-05","tier_raw":"Controls","tier":1,"seq":599,"title":"Incident Response Training ","description":"Mechanisms exist to train personnel in their incident response roles and responsibilities.\n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)"} +{"source":"scf","id":"scf:iro-05.1","id_raw":"IRO-05.1","tier_raw":"Controls","tier":1,"seq":600,"title":"Simulated Incidents","description":"Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations."} +{"source":"scf","id":"scf:iro-05.2","id_raw":"IRO-05.2","tier_raw":"Controls","tier":1,"seq":601,"title":"Automated Incident Response Training Environments","description":"Automated mechanisms exist to provide a more thorough and realistic incident response training environment."} 
+{"source":"scf","id":"scf:iro-06","id_raw":"IRO-06","tier_raw":"Controls","tier":1,"seq":602,"title":"Incident Response Testing","description":"Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)\n- \"Table Top\" incident response exercises (rock drills)\n- \"Red team vs blue team\" exercises\n- EICAR test file antimalware detection and response exercises"} +{"source":"scf","id":"scf:iro-06.1","id_raw":"IRO-06.1","tier_raw":"Controls","tier":1,"seq":603,"title":"Coordination with Related Plans ","description":"Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans. "} +{"source":"scf","id":"scf:iro-07","id_raw":"IRO-07","tier_raw":"Controls","tier":1,"seq":604,"title":"Integrated Security Incident Response Team (ISIRT)","description":"Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.\n\nMethods To Comply With SCF Controls:\n- Full-time employees only"} +{"source":"scf","id":"scf:iro-08","id_raw":"IRO-08","tier_raw":"Controls","tier":1,"seq":605,"title":"Chain of Custody & Forensics","description":"Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.\n\nMethods To Comply With SCF Controls:\n- Chain of custody procedures\n- Encase\n- Forensic Tool Kit (FTK)"} +{"source":"scf","id":"scf:iro-09","id_raw":"IRO-09","tier_raw":"Controls","tier":1,"seq":606,"title":"Situational Awareness For Incidents","description":"Mechanisms exist to document, monitor and report the status of cybersecurity and privacy incidents to internal stakeholders all the way through the 
resolution of the incident.\n\nMethods To Comply With SCF Controls:\n- Incident Response Plan (IRP)\n- Strake (https://9yahds.com/)"} +{"source":"scf","id":"scf:iro-09.1","id_raw":"IRO-09.1","tier_raw":"Controls","tier":1,"seq":607,"title":"Automated Tracking, Data Collection & Analysis","description":"Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential security and privacy incidents.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)"} +{"source":"scf","id":"scf:iro-10","id_raw":"IRO-10","tier_raw":"Controls","tier":1,"seq":608,"title":"Incident Stakeholder Reporting ","description":"Mechanisms exist to timely-report incidents to applicable:"} +{"source":"scf","id":"scf:iro-10.1","id_raw":"IRO-10.1","tier_raw":"Controls","tier":1,"seq":609,"title":"Automated Reporting","description":"Automated mechanisms exist to assist in the reporting of security and privacy incidents.\n\nMethods To Comply With SCF Controls:\n- Strake (https://9yahds.com/)"} +{"source":"scf","id":"scf:iro-10.2","id_raw":"IRO-10.2","tier_raw":"Controls","tier":1,"seq":610,"title":"Cyber Incident Reporting for Sensitive Data","description":"Mechanisms exist to report sensitive data incidents in a timely manner."} +{"source":"scf","id":"scf:iro-10.3","id_raw":"IRO-10.3","tier_raw":"Controls","tier":1,"seq":611,"title":"Vulnerabilities Related To Incidents","description":"Mechanisms exist to report system vulnerabilities associated with reported security and privacy incidents to organization-defined personnel or roles."} +{"source":"scf","id":"scf:iro-10.4","id_raw":"IRO-10.4","tier_raw":"Controls","tier":1,"seq":612,"title":"Supply Chain Coordination","description":"Mechanisms exist to provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident."} 
+{"source":"scf","id":"scf:iro-11","id_raw":"IRO-11","tier_raw":"Controls","tier":1,"seq":613,"title":"Incident Reporting Assistance ","description":"Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential security and privacy incidents. \n\nMethods To Comply With SCF Controls:\n- ITIL Infrastructure Library - Incident and problem management"} +{"source":"scf","id":"scf:iro-11.1","id_raw":"IRO-11.1","tier_raw":"Controls","tier":1,"seq":614,"title":"Automation Support of Availability of Information / Support ","description":"Automated mechanisms exist to increase the availability of incident response-related information and support. "} +{"source":"scf","id":"scf:iro-11.2","id_raw":"IRO-11.2","tier_raw":"Controls","tier":1,"seq":615,"title":"Coordination With External Providers","description":"Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers."} +{"source":"scf","id":"scf:iro-12","id_raw":"IRO-12","tier_raw":"Controls","tier":1,"seq":616,"title":"Information Spillage Response","description":"Mechanisms exist to respond to sensitive information spills."} +{"source":"scf","id":"scf:iro-12.1","id_raw":"IRO-12.1","tier_raw":"Controls","tier":1,"seq":617,"title":"Responsible Personnel","description":"Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills. 
"} +{"source":"scf","id":"scf:iro-12.2","id_raw":"IRO-12.2","tier_raw":"Controls","tier":1,"seq":618,"title":"Training","description":"Mechanisms exist to ensure incident response training material provides coverage for sensitive information spillage response."} +{"source":"scf","id":"scf:iro-12.3","id_raw":"IRO-12.3","tier_raw":"Controls","tier":1,"seq":619,"title":"Post-Spill Operations","description":"Mechanisms exist to ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. "} +{"source":"scf","id":"scf:iro-12.4","id_raw":"IRO-12.4","tier_raw":"Controls","tier":1,"seq":620,"title":"Exposure to Unauthorized Personnel","description":"Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations. "} +{"source":"scf","id":"scf:iro-13","id_raw":"IRO-13","tier_raw":"Controls","tier":1,"seq":621,"title":"Root Cause Analysis (RCA) & Lessons Learned","description":"Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents. "} +{"source":"scf","id":"scf:iro-14","id_raw":"IRO-14","tier_raw":"Controls","tier":1,"seq":622,"title":"Regulatory & Law Enforcement Contacts ","description":"Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies. 
"} +{"source":"scf","id":"scf:iro-15","id_raw":"IRO-15","tier_raw":"Controls","tier":1,"seq":623,"title":"Detonation Chambers (Sandboxes)","description":"Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.\n\nMethods To Comply With SCF Controls:\n- Separate network with \"sacrificial\" systems where potential malware can be evaluated without impacting the production network."} +{"source":"scf","id":"scf:iro-16","id_raw":"IRO-16","tier_raw":"Controls","tier":1,"seq":624,"title":"Public Relations & Reputation Repair","description":"Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation."} +{"source":"scf","id":"scf:iao-01","id_raw":"IAO-01","tier_raw":"Controls","tier":1,"seq":625,"title":"Information Assurance (IA) Operations","description":"Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls. 
\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management"} +{"source":"scf","id":"scf:iao-01.1","id_raw":"IAO-01.1","tier_raw":"Controls","tier":1,"seq":626,"title":"Assessment Boundaries","description":"Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review."} +{"source":"scf","id":"scf:iao-02","id_raw":"IAO-02","tier_raw":"Controls","tier":1,"seq":627,"title":"Assessments ","description":"Mechanisms exist to formally assess the cybersecurity and privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) "} +{"source":"scf","id":"scf:iao-02.1","id_raw":"IAO-02.1","tier_raw":"Controls","tier":1,"seq":628,"title":"Assessor Independence","description":"Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity and privacy control assessments. 
\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management"} +{"source":"scf","id":"scf:iao-02.2","id_raw":"IAO-02.2","tier_raw":"Controls","tier":1,"seq":629,"title":"Specialized Assessments","description":"Mechanisms exist to conduct specialized assessments for: \n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:iao-02.3","id_raw":"IAO-02.3","tier_raw":"Controls","tier":1,"seq":630,"title":"Third-Party Assessments","description":"Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations. \n\nMethods To Comply With SCF Controls:\n- Audit steering committee\n- Information Assurance (IA) program\n- VisibleOps security management"} +{"source":"scf","id":"scf:iao-02.4","id_raw":"IAO-02.4","tier_raw":"Controls","tier":1,"seq":631,"title":"Security Assessment Report (SAR)","description":"Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions."} +{"source":"scf","id":"scf:iao-03","id_raw":"IAO-03","tier_raw":"Controls","tier":1,"seq":632,"title":"System Security & Privacy Plan (SSPP)","description":"Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management"} 
+{"source":"scf","id":"scf:iao-03.1","id_raw":"IAO-03.1","tier_raw":"Controls","tier":1,"seq":633,"title":"Plan / Coordinate with Other Organizational Entities","description":"Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations. \n\nMethods To Comply With SCF Controls:\n- Audit steering committee\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) "} +{"source":"scf","id":"scf:iao-03.2","id_raw":"IAO-03.2","tier_raw":"Controls","tier":1,"seq":634,"title":"Adequate Security for Sensitive / Regulated Data In Support of Contracts","description":"Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract. \n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management"} +{"source":"scf","id":"scf:iao-04","id_raw":"IAO-04","tier_raw":"Controls","tier":1,"seq":635,"title":"Threat Analysis & Flaw Remediation During Development","description":"Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Security Test & Evaluation (ST&E)"} +{"source":"scf","id":"scf:iao-05","id_raw":"IAO-05","tier_raw":"Controls","tier":1,"seq":636,"title":"Plan of Action & Milestones (POA&M)","description":"Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.\n\nMethods To Comply With 
SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Plan of Action & Milestones (POA&M)"} +{"source":"scf","id":"scf:iao-05.1","id_raw":"IAO-05.1","tier_raw":"Controls","tier":1,"seq":637,"title":"Plan of Action & Milestones (POA&M) Automation","description":"Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.\n\nMethods To Comply With SCF Controls:\n- Governance, Risk & Compliance (GRC)"} +{"source":"scf","id":"scf:iao-06","id_raw":"IAO-06","tier_raw":"Controls","tier":1,"seq":638,"title":"Technical Verification","description":"Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management\n- Information Assurance Program (IAP) "} +{"source":"scf","id":"scf:iao-07","id_raw":"IAO-07","tier_raw":"Controls","tier":1,"seq":639,"title":"Security Authorization ","description":"Mechanisms exist to ensure systems, projects and services are officially authorized prior to \"go live\" in a production environment.\n\nMethods To Comply With SCF Controls:\n- Information Assurance (IA) program\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-01","id_raw":"MNT-01","tier_raw":"Controls","tier":1,"seq":640,"title":"Maintenance Operations ","description":"Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise."} +{"source":"scf","id":"scf:mnt-02","id_raw":"MNT-02","tier_raw":"Controls","tier":1,"seq":641,"title":"Controlled Maintenance ","description":"Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service.\n\nMethods To Comply With SCF 
Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-02.1","id_raw":"MNT-02.1","tier_raw":"Controls","tier":1,"seq":642,"title":"Automated Maintenance Activities","description":"Automated mechanisms exist to schedule, conduct and document maintenance and repairs."} +{"source":"scf","id":"scf:mnt-03","id_raw":"MNT-03","tier_raw":"Controls","tier":1,"seq":643,"title":"Timely Maintenance","description":"Mechanisms exist to obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO)."} +{"source":"scf","id":"scf:mnt-03.1","id_raw":"MNT-03.1","tier_raw":"Controls","tier":1,"seq":644,"title":"Preventative Maintenance","description":"Mechanisms exist to perform preventive maintenance on critical systems, applications and services."} +{"source":"scf","id":"scf:mnt-03.2","id_raw":"MNT-03.2","tier_raw":"Controls","tier":1,"seq":645,"title":"Predictive Maintenance","description":"Mechanisms exist to perform predictive maintenance on critical systems, applications and services."} +{"source":"scf","id":"scf:mnt-03.3","id_raw":"MNT-03.3","tier_raw":"Controls","tier":1,"seq":646,"title":"Automated Support For Predictive Maintenance","description":"Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system."} +{"source":"scf","id":"scf:mnt-04","id_raw":"MNT-04","tier_raw":"Controls","tier":1,"seq":647,"title":"Maintenance Tools","description":"Mechanisms exist to control and monitor the use of system maintenance tools. \n\nMethods To Comply With SCF Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-04.1","id_raw":"MNT-04.1","tier_raw":"Controls","tier":1,"seq":648,"title":"Inspect Tools ","description":"Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. 
"} +{"source":"scf","id":"scf:mnt-04.2","id_raw":"MNT-04.2","tier_raw":"Controls","tier":1,"seq":649,"title":"Inspect Media ","description":"Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used. "} +{"source":"scf","id":"scf:mnt-04.3","id_raw":"MNT-04.3","tier_raw":"Controls","tier":1,"seq":650,"title":"Prevent Unauthorized Removal ","description":"Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that containing organizational information."} +{"source":"scf","id":"scf:mnt-04.4","id_raw":"MNT-04.4","tier_raw":"Controls","tier":1,"seq":651,"title":"Restrict Tool Usage","description":"Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles."} +{"source":"scf","id":"scf:mnt-05","id_raw":"MNT-05","tier_raw":"Controls","tier":1,"seq":652,"title":"Remote Maintenance","description":"Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities."} +{"source":"scf","id":"scf:mnt-05.1","id_raw":"MNT-05.1","tier_raw":"Controls","tier":1,"seq":653,"title":"Auditing Remote Maintenance","description":"Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions. "} +{"source":"scf","id":"scf:mnt-05.2","id_raw":"MNT-05.2","tier_raw":"Controls","tier":1,"seq":654,"title":"Remote Maintenance Notifications","description":"Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)."} +{"source":"scf","id":"scf:mnt-05.3","id_raw":"MNT-05.3","tier_raw":"Controls","tier":1,"seq":655,"title":"Remote Maintenance Cryptographic Protection","description":"Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications. 
"} +{"source":"scf","id":"scf:mnt-05.4","id_raw":"MNT-05.4","tier_raw":"Controls","tier":1,"seq":656,"title":"Remote Maintenance Disconnect Verification","description":"Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated."} +{"source":"scf","id":"scf:mnt-05.5","id_raw":"MNT-05.5","tier_raw":"Controls","tier":1,"seq":657,"title":"Remote Maintenance Pre-Approval","description":"Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-05.6","id_raw":"MNT-05.6","tier_raw":"Controls","tier":1,"seq":658,"title":"Remote Maintenance Comparable Security & Sanitization","description":"Mechanisms exist to require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced."} +{"source":"scf","id":"scf:mnt-05.7","id_raw":"MNT-05.7","tier_raw":"Controls","tier":1,"seq":659,"title":"Separation of Maintenance Sessions","description":"Mechanisms exist to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions."} +{"source":"scf","id":"scf:mnt-06","id_raw":"MNT-06","tier_raw":"Controls","tier":1,"seq":660,"title":"Authorized Maintenance Personnel","description":"Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-06.1","id_raw":"MNT-06.1","tier_raw":"Controls","tier":1,"seq":661,"title":"Maintenance Personnel Without Appropriate Access ","description":"Mechanisms exist to ensure the risks associated with maintenance personnel who do not have 
appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:mnt-06.2","id_raw":"MNT-06.2","tier_raw":"Controls","tier":1,"seq":662,"title":"Non-System Related Maintenance","description":"Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations."} +{"source":"scf","id":"scf:mnt-07","id_raw":"MNT-07","tier_raw":"Controls","tier":1,"seq":663,"title":"Maintain Configuration Control During Maintenance","description":"Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair."} +{"source":"scf","id":"scf:mnt-08","id_raw":"MNT-08","tier_raw":"Controls","tier":1,"seq":664,"title":"Field Maintenance","description":"Mechanisms exist to securely conduct field maintenance on geographically deployed assets."} +{"source":"scf","id":"scf:mnt-09","id_raw":"MNT-09","tier_raw":"Controls","tier":1,"seq":665,"title":"Off-Site Maintenance","description":"Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site."} +{"source":"scf","id":"scf:mnt-10","id_raw":"MNT-10","tier_raw":"Controls","tier":1,"seq":666,"title":"Maintenance Validation","description":"Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational."} +{"source":"scf","id":"scf:mnt-11","id_raw":"MNT-11","tier_raw":"Controls","tier":1,"seq":667,"title":"Maintenance Monitoring","description":"Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates."} 
+{"source":"scf","id":"scf:mdm-01","id_raw":"MDM-01","tier_raw":"Controls","tier":1,"seq":668,"title":"Centralized Management Of Mobile Devices ","description":"Mechanisms exist to develop, govern & update procedures to facilitate the implementation of mobile device management controls."} +{"source":"scf","id":"scf:mdm-02","id_raw":"MDM-02","tier_raw":"Controls","tier":1,"seq":669,"title":"Access Control For Mobile Devices","description":"Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems. "} +{"source":"scf","id":"scf:mdm-03","id_raw":"MDM-03","tier_raw":"Controls","tier":1,"seq":670,"title":"Full Device & Container-Based Encryption ","description":"Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption."} +{"source":"scf","id":"scf:mdm-04","id_raw":"MDM-04","tier_raw":"Controls","tier":1,"seq":671,"title":"Mobile Device Tampering","description":"Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization’s network."} +{"source":"scf","id":"scf:mdm-05","id_raw":"MDM-05","tier_raw":"Controls","tier":1,"seq":672,"title":"Remote Purging","description":"Mechanisms exist to remotely purge selected information from mobile devices. "} +{"source":"scf","id":"scf:mdm-06","id_raw":"MDM-06","tier_raw":"Controls","tier":1,"seq":673,"title":"Personally-Owned Mobile Devices ","description":"Mechanisms exist to restrict the connection of personally-owned, mobile devices to organizational systems and networks. 
"} +{"source":"scf","id":"scf:mdm-07","id_raw":"MDM-07","tier_raw":"Controls","tier":1,"seq":674,"title":"Organization-Owned Mobile Devices ","description":"Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store."} +{"source":"scf","id":"scf:mdm-08","id_raw":"MDM-08","tier_raw":"Controls","tier":1,"seq":675,"title":"Mobile Device Data Retention Limitations","description":"Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe."} +{"source":"scf","id":"scf:mdm-09","id_raw":"MDM-09","tier_raw":"Controls","tier":1,"seq":676,"title":"Mobile Device Geofencing","description":"Mechanisms exist to restrict the functionality of mobile devices based on geographic location."} +{"source":"scf","id":"scf:mdm-10","id_raw":"MDM-10","tier_raw":"Controls","tier":1,"seq":677,"title":"Separate Mobile Device Profiles","description":"Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data. 
"} +{"source":"scf","id":"scf:mdm-11","id_raw":"MDM-11","tier_raw":"Controls","tier":1,"seq":678,"title":"Restricting Access To Authorized Devices","description":"Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services."} +{"source":"scf","id":"scf:net-01","id_raw":"NET-01","tier_raw":"Controls","tier":1,"seq":679,"title":"Network Security Controls (NSC)","description":"Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:net-01.1","id_raw":"NET-01.1","tier_raw":"Controls","tier":1,"seq":680,"title":"Zero Trust Architecture (ZTA)","description":"Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized."} +{"source":"scf","id":"scf:net-02","id_raw":"NET-02","tier_raw":"Controls","tier":1,"seq":681,"title":"Layered Network Defenses ","description":"Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. "} +{"source":"scf","id":"scf:net-02.1","id_raw":"NET-02.1","tier_raw":"Controls","tier":1,"seq":682,"title":"Denial of Service (DoS) Protection","description":"Automated mechanisms exist to protect against or limit the effects of denial of service attacks. "} +{"source":"scf","id":"scf:net-02.2","id_raw":"NET-02.2","tier_raw":"Controls","tier":1,"seq":683,"title":"Guest Networks","description":"Mechanisms exist to implement and manage a secure guest network. 
"} +{"source":"scf","id":"scf:net-02.3","id_raw":"NET-02.3","tier_raw":"Controls","tier":1,"seq":684,"title":"Cross Domain Solution (CDS)","description":"Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains."} +{"source":"scf","id":"scf:net-03","id_raw":"NET-03","tier_raw":"Controls","tier":1,"seq":685,"title":"Boundary Protection ","description":"Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network."} +{"source":"scf","id":"scf:net-03.1","id_raw":"NET-03.1","tier_raw":"Controls","tier":1,"seq":686,"title":"Limit Network Connections","description":"Mechanisms exist to limit the number of concurrent external network connections to its systems. "} +{"source":"scf","id":"scf:net-03.2","id_raw":"NET-03.2","tier_raw":"Controls","tier":1,"seq":687,"title":"External Telecommunications Services ","description":"Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.\n\nMethods To Comply With SCF Controls:\n- Outbound content filtering"} +{"source":"scf","id":"scf:net-03.3","id_raw":"NET-03.3","tier_raw":"Controls","tier":1,"seq":688,"title":"Prevent Discovery of Internal Information","description":"Mechanisms exist to prevent the public disclosure of internal network information. 
"} +{"source":"scf","id":"scf:net-03.4","id_raw":"NET-03.4","tier_raw":"Controls","tier":1,"seq":689,"title":"Personal Data (PD)","description":"Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)"} +{"source":"scf","id":"scf:net-03.5","id_raw":"NET-03.5","tier_raw":"Controls","tier":1,"seq":690,"title":"Prevent Unauthorized Exfiltration","description":"Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive data across managed interfaces. "} +{"source":"scf","id":"scf:net-03.6","id_raw":"NET-03.6","tier_raw":"Controls","tier":1,"seq":691,"title":"Dynamic Isolation & Segregation (Sandboxing)","description":"Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application. "} +{"source":"scf","id":"scf:net-03.7","id_raw":"NET-03.7","tier_raw":"Controls","tier":1,"seq":692,"title":"Isolation of Information System Components","description":"Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions. "} +{"source":"scf","id":"scf:net-03.8","id_raw":"NET-03.8","tier_raw":"Controls","tier":1,"seq":693,"title":"Separate Subnet for Connecting to Different Security Domains","description":"Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains."} +{"source":"scf","id":"scf:net-04","id_raw":"NET-04","tier_raw":"Controls","tier":1,"seq":694,"title":"Data Flow Enforcement – Access Control Lists (ACLs)","description":"Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:net-04.1","id_raw":"NET-04.1","tier_raw":"Controls","tier":1,"seq":695,"title":"Deny Traffic by Default & Allow Traffic by Exception","description":"Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). "} +{"source":"scf","id":"scf:net-04.2","id_raw":"NET-04.2","tier_raw":"Controls","tier":1,"seq":696,"title":"Object Security Attributes ","description":"Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions. \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:net-04.3","id_raw":"NET-04.3","tier_raw":"Controls","tier":1,"seq":697,"title":"Content Check for Encrypted Data","description":"Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms. "} +{"source":"scf","id":"scf:net-04.4","id_raw":"NET-04.4","tier_raw":"Controls","tier":1,"seq":698,"title":"Embedded Data Types","description":"Mechanisms exist to enforce limitations on embedding data within other data types. \n\nMethods To Comply With SCF Controls:\n- Prevent exfiltration through steganography"} +{"source":"scf","id":"scf:net-04.5","id_raw":"NET-04.5","tier_raw":"Controls","tier":1,"seq":699,"title":"Metadata ","description":"Mechanisms exist to enforce information flow controls based on metadata. 
"} +{"source":"scf","id":"scf:net-04.6","id_raw":"NET-04.6","tier_raw":"Controls","tier":1,"seq":700,"title":"Human Reviews","description":"Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis. "} +{"source":"scf","id":"scf:net-04.7","id_raw":"NET-04.7","tier_raw":"Controls","tier":1,"seq":701,"title":"Security Policy Filters","description":"Automated mechanisms exist to enforce information flow control using security policy filters as a basis for flow control decisions."} +{"source":"scf","id":"scf:net-04.8","id_raw":"NET-04.8","tier_raw":"Controls","tier":1,"seq":702,"title":"Data Type Identifiers","description":"Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains."} +{"source":"scf","id":"scf:net-04.9","id_raw":"NET-04.9","tier_raw":"Controls","tier":1,"seq":703,"title":"Decomposition Into Policy-Related Subcomponents","description":"Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains."} +{"source":"scf","id":"scf:net-04.10","id_raw":"NET-04.10","tier_raw":"Controls","tier":1,"seq":704,"title":"Detection of Unsanctioned Information","description":"Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains."} +{"source":"scf","id":"scf:net-04.11","id_raw":"NET-04.11","tier_raw":"Controls","tier":1,"seq":705,"title":"Approved Solutions","description":"Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibits the transfer of such information, when transferring information between different security domains."} 
+{"source":"scf","id":"scf:net-04.12","id_raw":"NET-04.12","tier_raw":"Controls","tier":1,"seq":706,"title":"Cross Domain Authentication","description":"Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer."} +{"source":"scf","id":"scf:net-04.13","id_raw":"NET-04.13","tier_raw":"Controls","tier":1,"seq":707,"title":"Metadata Validation","description":"Automated mechanisms exist to apply security and/or privacy filters on metadata."} +{"source":"scf","id":"scf:net-05","id_raw":"NET-05","tier_raw":"Controls","tier":1,"seq":708,"title":"System Interconnections","description":"Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, security and privacy requirements and the nature of the information communicated.\n\nMethods To Comply With SCF Controls:\n- VisibleOps security management"} +{"source":"scf","id":"scf:net-05.1","id_raw":"NET-05.1","tier_raw":"Controls","tier":1,"seq":709,"title":"External System Connections","description":"Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device. 
"} +{"source":"scf","id":"scf:net-05.2","id_raw":"NET-05.2","tier_raw":"Controls","tier":1,"seq":710,"title":"Internal System Connections","description":"Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated."} +{"source":"scf","id":"scf:net-06","id_raw":"NET-06","tier_raw":"Controls","tier":1,"seq":711,"title":"Network Segmentation","description":"Mechanisms exist to ensure network architecture utilizes network segmentation to isolate systems, applications and services that protections from other network resources.\n\nMethods To Comply With SCF Controls:\n- Subnetting\n- VLANs"} +{"source":"scf","id":"scf:net-06.1","id_raw":"NET-06.1","tier_raw":"Controls","tier":1,"seq":712,"title":"Security Management Subnets","description":"Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system. "} +{"source":"scf","id":"scf:net-06.2","id_raw":"NET-06.2","tier_raw":"Controls","tier":1,"seq":713,"title":"Virtual Local Area Network (VLAN) Separation","description":"Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems. 
\n\nMethods To Comply With SCF Controls:\n- Virtual Local Area Network (VLAN)"} +{"source":"scf","id":"scf:net-06.3","id_raw":"NET-06.3","tier_raw":"Controls","tier":1,"seq":714,"title":"Sensitive / Regulated Data Enclave (Secure Zone)","description":"Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones). "} +{"source":"scf","id":"scf:net-06.4","id_raw":"NET-06.4","tier_raw":"Controls","tier":1,"seq":715,"title":"Segregation From Enterprise Services","description":"Mechanisms exist to isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments."} +{"source":"scf","id":"scf:net-06.5","id_raw":"NET-06.5","tier_raw":"Controls","tier":1,"seq":716,"title":"Direct Internet Access Restrictions","description":"Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones)."} +{"source":"scf","id":"scf:net-07","id_raw":"NET-07","tier_raw":"Controls","tier":1,"seq":717,"title":"Remote Session Termination","description":"Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity. "} +{"source":"scf","id":"scf:net-08","id_raw":"NET-08","tier_raw":"Controls","tier":1,"seq":718,"title":"Network Intrusion Detection / Prevention Systems (NIDS / NIPS)","description":"Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network. 
"} +{"source":"scf","id":"scf:net-08.1","id_raw":"NET-08.1","tier_raw":"Controls","tier":1,"seq":719,"title":"DMZ Networks","description":"Mechanisms exist to require De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.\n\nMethods To Comply With SCF Controls:\n- Architectural review board\n- System Security Plan (SSP)"} +{"source":"scf","id":"scf:net-08.2","id_raw":"NET-08.2","tier_raw":"Controls","tier":1,"seq":720,"title":"Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)","description":"Mechanisms exist to require wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies."} +{"source":"scf","id":"scf:net-09","id_raw":"NET-09","tier_raw":"Controls","tier":1,"seq":721,"title":"Session Integrity ","description":"Mechanisms exist to protect the authenticity and integrity of communications sessions. \n\nMethods To Comply With SCF Controls:\n- PKI for non-repudiation"} +{"source":"scf","id":"scf:net-09.1","id_raw":"NET-09.1","tier_raw":"Controls","tier":1,"seq":722,"title":"Invalidate Session Identifiers at Logout","description":"Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination. 
"} +{"source":"scf","id":"scf:net-09.2","id_raw":"NET-09.2","tier_raw":"Controls","tier":1,"seq":723,"title":"Unique System-Generated Session Identifiers","description":"Automated mechanisms exist to generate and recognize unique session identifiers for each session."} +{"source":"scf","id":"scf:net-10","id_raw":"NET-10","tier_raw":"Controls","tier":1,"seq":724,"title":"Domain Name Service (DNS) Resolution ","description":"Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution."} +{"source":"scf","id":"scf:net-10.1","id_raw":"NET-10.1","tier_raw":"Controls","tier":1,"seq":725,"title":"Architecture & Provisioning for Name / Address Resolution Service","description":"Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service for are fault-tolerant and implement internal/external role separation. "} +{"source":"scf","id":"scf:net-10.2","id_raw":"NET-10.2","tier_raw":"Controls","tier":1,"seq":726,"title":"Secure Name / Address Resolution Service (Recursive or Caching Resolver)","description":"Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems. 
"} +{"source":"scf","id":"scf:net-10.3","id_raw":"NET-10.3","tier_raw":"Controls","tier":1,"seq":727,"title":"Sender Policy Framework (SPF)","description":"Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain."} +{"source":"scf","id":"scf:net-10.4","id_raw":"NET-10.4","tier_raw":"Controls","tier":1,"seq":728,"title":"Domain Registrar Security","description":"Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details."} +{"source":"scf","id":"scf:net-11","id_raw":"NET-11","tier_raw":"Controls","tier":1,"seq":729,"title":"Out-of-Band Channels ","description":"Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals. \n\nMethods To Comply With SCF Controls:\n- Signature delivery (courier service)"} +{"source":"scf","id":"scf:net-12","id_raw":"NET-12","tier_raw":"Controls","tier":1,"seq":730,"title":"Safeguarding Data Over Open Networks ","description":"Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks. 
"} +{"source":"scf","id":"scf:net-12.1","id_raw":"NET-12.1","tier_raw":"Controls","tier":1,"seq":731,"title":"Wireless Link Protection","description":"Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered."} +{"source":"scf","id":"scf:net-12.2","id_raw":"NET-12.2","tier_raw":"Controls","tier":1,"seq":732,"title":"End-User Messaging Technologies","description":"Mechanisms exist to prohibit the transmission of unprotected sensitive data by end-user messaging technologies. \n\nMethods To Comply With SCF Controls:\n- Acceptable Use Policy (AUP)\n- Data Loss Prevention (DLP)"} +{"source":"scf","id":"scf:net-13","id_raw":"NET-13","tier_raw":"Controls","tier":1,"seq":733,"title":"Electronic Messaging","description":"Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications."} +{"source":"scf","id":"scf:net-14","id_raw":"NET-14","tier_raw":"Controls","tier":1,"seq":734,"title":"Remote Access ","description":"Mechanisms exist to define, control and review organization-approved, secure remote access methods."} +{"source":"scf","id":"scf:net-14.1","id_raw":"NET-14.1","tier_raw":"Controls","tier":1,"seq":735,"title":"Automated Monitoring & Control ","description":"Automated mechanisms exist to monitor and control remote access sessions. "} +{"source":"scf","id":"scf:net-14.2","id_raw":"NET-14.2","tier_raw":"Controls","tier":1,"seq":736,"title":"Protection of Confidentiality / Integrity Using Encryption","description":"Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN). 
"} +{"source":"scf","id":"scf:net-14.3","id_raw":"NET-14.3","tier_raw":"Controls","tier":1,"seq":737,"title":"Managed Access Control Points","description":"Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator)."} +{"source":"scf","id":"scf:net-14.4","id_raw":"NET-14.4","tier_raw":"Controls","tier":1,"seq":738,"title":"Remote Privileged Commands & Sensitive Data Access","description":"Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs. "} +{"source":"scf","id":"scf:net-14.5","id_raw":"NET-14.5","tier_raw":"Controls","tier":1,"seq":739,"title":"Work From Anywhere (WFA) - Telecommuting Security","description":"Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers. "} +{"source":"scf","id":"scf:net-14.6","id_raw":"NET-14.6","tier_raw":"Controls","tier":1,"seq":740,"title":"Third-Party Remote Access Governance","description":"Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access."} +{"source":"scf","id":"scf:net-14.7","id_raw":"NET-14.7","tier_raw":"Controls","tier":1,"seq":741,"title":"Endpoint Security Validation ","description":"Mechanisms exist to validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:net-14.8","id_raw":"NET-14.8","tier_raw":"Controls","tier":1,"seq":742,"title":"Expeditious Disconnect / Disable Capability ","description":"Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session."} +{"source":"scf","id":"scf:net-15","id_raw":"NET-15","tier_raw":"Controls","tier":1,"seq":743,"title":"Wireless Networking ","description":"Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access."} +{"source":"scf","id":"scf:net-15.1","id_raw":"NET-15.1","tier_raw":"Controls","tier":1,"seq":744,"title":"Authentication & Encryption","description":"Mechanisms exist to exist to protect wireless access through authentication and strong encryption. "} +{"source":"scf","id":"scf:net-15.2","id_raw":"NET-15.2","tier_raw":"Controls","tier":1,"seq":745,"title":"Disable Wireless Networking","description":"Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users. "} +{"source":"scf","id":"scf:net-15.3","id_raw":"NET-15.3","tier_raw":"Controls","tier":1,"seq":746,"title":"Restrict Configuration By Users","description":"Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities. "} +{"source":"scf","id":"scf:net-15.4","id_raw":"NET-15.4","tier_raw":"Controls","tier":1,"seq":747,"title":"Wireless Boundaries","description":"Mechanisms exist to confine wireless communications to organization-controlled boundaries. 
"} +{"source":"scf","id":"scf:net-15.5","id_raw":"NET-15.5","tier_raw":"Controls","tier":1,"seq":748,"title":"Rogue Wireless Detection","description":"Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies). "} +{"source":"scf","id":"scf:net-16","id_raw":"NET-16","tier_raw":"Controls","tier":1,"seq":749,"title":"Intranets","description":"Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: "} +{"source":"scf","id":"scf:net-17","id_raw":"NET-17","tier_raw":"Controls","tier":1,"seq":750,"title":"Data Loss Prevention (DLP) ","description":"Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.\n\nMethods To Comply With SCF Controls:\n- Data Loss Prevention (DLP)"} +{"source":"scf","id":"scf:net-18","id_raw":"NET-18","tier_raw":"Controls","tier":1,"seq":751,"title":"DNS & Content Filtering ","description":"Mechanisms exist to force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites."} +{"source":"scf","id":"scf:net-18.1","id_raw":"NET-18.1","tier_raw":"Controls","tier":1,"seq":752,"title":"Route Traffic to Proxy Servers","description":"Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces. 
"} +{"source":"scf","id":"scf:net-18.2","id_raw":"NET-18.2","tier_raw":"Controls","tier":1,"seq":753,"title":"Visibility of Encrypted Communications","description":"Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms."} +{"source":"scf","id":"scf:net-18.3","id_raw":"NET-18.3","tier_raw":"Controls","tier":1,"seq":754,"title":"Route Privileged Network Access","description":"Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing."} +{"source":"scf","id":"scf:pes-01","id_raw":"PES-01","tier_raw":"Controls","tier":1,"seq":755,"title":"Physical & Environmental Protections","description":"Mechanisms exist to facilitate the operation of physical and environmental protection controls. "} +{"source":"scf","id":"scf:pes-01.1","id_raw":"PES-01.1","tier_raw":"Controls","tier":1,"seq":756,"title":"Site Security Plan (SitePlan)","description":"Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats."} +{"source":"scf","id":"scf:pes-02","id_raw":"PES-02","tier_raw":"Controls","tier":1,"seq":757,"title":"Physical Access Authorizations ","description":"Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)."} +{"source":"scf","id":"scf:pes-02.1","id_raw":"PES-02.1","tier_raw":"Controls","tier":1,"seq":758,"title":"Role-Based Physical Access","description":"Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual."} 
+{"source":"scf","id":"scf:pes-02.2","id_raw":"PES-02.2","tier_raw":"Controls","tier":1,"seq":759,"title":"Dual Authorization for Physical Access","description":"Mechanisms exist to enforce a \"two-person rule\" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.)."} +{"source":"scf","id":"scf:pes-03","id_raw":"PES-03","tier_raw":"Controls","tier":1,"seq":760,"title":"Physical Access Control ","description":"Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).\n\nMethods To Comply With SCF Controls:\n- Security guards\n- Verify individual access authorizations before granting access to the facility.\n- Control entry to the facility containing the system using physical access devices and/or guards.\n- Control access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk.\n- Secure keys, combinations and other physical access devices.\n- Change combinations and keys and when keys are lost, combinations are compromised or individuals are transferred or terminated."} +{"source":"scf","id":"scf:pes-03.1","id_raw":"PES-03.1","tier_raw":"Controls","tier":1,"seq":761,"title":"Controlled Ingress & Egress Points","description":"Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points."} +{"source":"scf","id":"scf:pes-03.2","id_raw":"PES-03.2","tier_raw":"Controls","tier":1,"seq":762,"title":"Lockable Physical Casings","description":"Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings). 
\n\nMethods To Comply With SCF Controls:\n- CCTV\n- Lockable server/network racks\n- Logged access badges to access server rooms"} +{"source":"scf","id":"scf:pes-03.3","id_raw":"PES-03.3","tier_raw":"Controls","tier":1,"seq":763,"title":"Physical Access Logs ","description":"Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points.\n\nMethods To Comply With SCF Controls:\n- Visitor logbook\n- iLobby (https://goilobby.com/)\n- The Receptionist (https://thereceptionist.com/)\n- LobbyGuard (http://lobbyguard.com/)"} +{"source":"scf","id":"scf:pes-03.4","id_raw":"PES-03.4","tier_raw":"Controls","tier":1,"seq":764,"title":"Access To Information Systems","description":"Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive data, in addition to the physical access controls for the facility."} +{"source":"scf","id":"scf:pes-04","id_raw":"PES-04","tier_raw":"Controls","tier":1,"seq":765,"title":"Physical Security of Offices, Rooms & Facilities","description":"Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities. \n\nMethods To Comply With SCF Controls:\n- \"clean desk\" policy\n- Management spot checks"} +{"source":"scf","id":"scf:pes-04.1","id_raw":"PES-04.1","tier_raw":"Controls","tier":1,"seq":766,"title":"Working in Secure Areas","description":"Physical security mechanisms exist to allow only authorized personnel access to secure areas. 
\n\nMethods To Comply With SCF Controls:\n- Visitor escorts"} +{"source":"scf","id":"scf:pes-04.2","id_raw":"PES-04.2","tier_raw":"Controls","tier":1,"seq":767,"title":"Searches","description":"Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets."} +{"source":"scf","id":"scf:pes-04.3","id_raw":"PES-04.3","tier_raw":"Controls","tier":1,"seq":768,"title":"Temporary Storage","description":"Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards."} +{"source":"scf","id":"scf:pes-05","id_raw":"PES-05","tier_raw":"Controls","tier":1,"seq":769,"title":"Monitoring Physical Access","description":"Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents."} +{"source":"scf","id":"scf:pes-05.1","id_raw":"PES-05.1","tier_raw":"Controls","tier":1,"seq":770,"title":"Intrusion Alarms / Surveillance Equipment ","description":"Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment. 
\n\nMethods To Comply With SCF Controls:\n- CCTV"} +{"source":"scf","id":"scf:pes-05.2","id_raw":"PES-05.2","tier_raw":"Controls","tier":1,"seq":771,"title":"Monitoring Physical Access To Information Systems","description":"Facility security mechanisms exist to monitor physical access to critical information systems or sensitive data, in addition to the physical access monitoring of the facility."} +{"source":"scf","id":"scf:pes-06","id_raw":"PES-06","tier_raw":"Controls","tier":1,"seq":772,"title":"Visitor Control","description":"Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible). \n\nMethods To Comply With SCF Controls:\n- Visitor logbook\n- iLobby (https://goilobby.com/)\n- The Receptionist (https://thereceptionist.com/)\n- LobbyGuard (http://lobbyguard.com/)"} +{"source":"scf","id":"scf:pes-06.1","id_raw":"PES-06.1","tier_raw":"Controls","tier":1,"seq":773,"title":"Distinguish Visitors from On-Site Personnel","description":"Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive data is accessible. 
\n\nMethods To Comply With SCF Controls:\n- Visible badges for visitors that are different from organizational personnel\n"} +{"source":"scf","id":"scf:pes-06.2","id_raw":"PES-06.2","tier_raw":"Controls","tier":1,"seq":774,"title":"Identification Requirement","description":"Physical access control mechanisms exist to requires at least one (1) form of government-issued photo identification to authenticate individuals before they can gain access to the facility."} +{"source":"scf","id":"scf:pes-06.3","id_raw":"PES-06.3","tier_raw":"Controls","tier":1,"seq":775,"title":"Restrict Unescorted Access","description":"Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access. "} +{"source":"scf","id":"scf:pes-06.4","id_raw":"PES-06.4","tier_raw":"Controls","tier":1,"seq":776,"title":"Automated Records Management & Review","description":"Automated mechanisms exist to facilitate the maintenance and review of visitor access records."} +{"source":"scf","id":"scf:pes-06.5","id_raw":"PES-06.5","tier_raw":"Controls","tier":1,"seq":777,"title":"Minimize Visitor Personal Data (PD)","description":"Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records."} +{"source":"scf","id":"scf:pes-06.6","id_raw":"PES-06.6","tier_raw":"Controls","tier":1,"seq":778,"title":"Visitor Access Revocation","description":"Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration."} +{"source":"scf","id":"scf:pes-07","id_raw":"PES-07","tier_raw":"Controls","tier":1,"seq":779,"title":"Supporting Utilities ","description":"Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction. 
"} +{"source":"scf","id":"scf:pes-07.1","id_raw":"PES-07.1","tier_raw":"Controls","tier":1,"seq":780,"title":"Automatic Voltage Controls","description":"Facility security mechanisms exist to utilize automatic voltage controls for critical system components. "} +{"source":"scf","id":"scf:pes-07.2","id_raw":"PES-07.2","tier_raw":"Controls","tier":1,"seq":781,"title":"Emergency Shutoff","description":"Facility security mechanisms exist to shut off power in emergency situations by:"} +{"source":"scf","id":"scf:pes-07.3","id_raw":"PES-07.3","tier_raw":"Controls","tier":1,"seq":782,"title":"Emergency Power","description":"Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source."} +{"source":"scf","id":"scf:pes-07.4","id_raw":"PES-07.4","tier_raw":"Controls","tier":1,"seq":783,"title":"Emergency Lighting","description":"Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. "} +{"source":"scf","id":"scf:pes-07.5","id_raw":"PES-07.5","tier_raw":"Controls","tier":1,"seq":784,"title":"Water Damage Protection","description":"Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel. \n\nMethods To Comply With SCF Controls:\n- Water leak sensors\n- Humidity sensors"} +{"source":"scf","id":"scf:pes-07.6","id_raw":"PES-07.6","tier_raw":"Controls","tier":1,"seq":785,"title":"Automation Support for Water Damage Protection","description":"Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel. 
"} +{"source":"scf","id":"scf:pes-07.7","id_raw":"PES-07.7","tier_raw":"Controls","tier":1,"seq":786,"title":"Redundant Cabling","description":"Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged."} +{"source":"scf","id":"scf:pes-08","id_raw":"PES-08","tier_raw":"Controls","tier":1,"seq":787,"title":"Fire Protection","description":"Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source. "} +{"source":"scf","id":"scf:pes-08.1","id_raw":"PES-08.1","tier_raw":"Controls","tier":1,"seq":788,"title":"Fire Detection Devices","description":"Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire. "} +{"source":"scf","id":"scf:pes-08.2","id_raw":"PES-08.2","tier_raw":"Controls","tier":1,"seq":789,"title":"Fire Suppression Devices","description":"Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders. 
"} +{"source":"scf","id":"scf:pes-08.3","id_raw":"PES-08.3","tier_raw":"Controls","tier":1,"seq":790,"title":"Automatic Fire Suppression","description":"Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis."} +{"source":"scf","id":"scf:pes-09","id_raw":"PES-09","tier_raw":"Controls","tier":1,"seq":791,"title":"Temperature & Humidity Controls","description":"Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility."} +{"source":"scf","id":"scf:pes-09.1","id_raw":"PES-09.1","tier_raw":"Controls","tier":1,"seq":792,"title":"Monitoring with Alarms / Notifications","description":"Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that be potentially harmful to personnel or equipment. "} +{"source":"scf","id":"scf:pes-10","id_raw":"PES-10","tier_raw":"Controls","tier":1,"seq":793,"title":"Delivery & Removal ","description":"Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access. "} +{"source":"scf","id":"scf:pes-11","id_raw":"PES-11","tier_raw":"Controls","tier":1,"seq":794,"title":"Alternate Work Site","description":"Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites."} +{"source":"scf","id":"scf:pes-12","id_raw":"PES-12","tier_raw":"Controls","tier":1,"seq":795,"title":"Equipment Siting & Protection ","description":"Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. 
"} +{"source":"scf","id":"scf:pes-12.1","id_raw":"PES-12.1","tier_raw":"Controls","tier":1,"seq":796,"title":"Transmission Medium Security","description":"Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage. "} +{"source":"scf","id":"scf:pes-12.2","id_raw":"PES-12.2","tier_raw":"Controls","tier":1,"seq":797,"title":"Access Control for Output Devices","description":"Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output. \n\nMethods To Comply With SCF Controls:\n- Printer management (print only when at the printer with proximity card or code)"} +{"source":"scf","id":"scf:pes-13","id_raw":"PES-13","tier_raw":"Controls","tier":1,"seq":798,"title":"Information Leakage Due To Electromagnetic Signals Emanations","description":"Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations. 
"} +{"source":"scf","id":"scf:pes-14","id_raw":"PES-14","tier_raw":"Controls","tier":1,"seq":799,"title":"Asset Monitoring and Tracking","description":"Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.\n\nMethods To Comply With SCF Controls:\n- RFID tagging"} +{"source":"scf","id":"scf:pes-15","id_raw":"PES-15","tier_raw":"Controls","tier":1,"seq":800,"title":"Electromagnetic Pulse (EMP) Protection","description":"Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.\n\nMethods To Comply With SCF Controls:\n- EMP shielding (Faraday cages)"} +{"source":"scf","id":"scf:pes-16","id_raw":"PES-16","tier_raw":"Controls","tier":1,"seq":801,"title":"Component Marking","description":"Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component."} +{"source":"scf","id":"scf:pes-17","id_raw":"PES-17","tier_raw":"Controls","tier":1,"seq":802,"title":"Proximity Sensor ","description":"Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario."} +{"source":"scf","id":"scf:pes-18","id_raw":"PES-18","tier_raw":"Controls","tier":1,"seq":803,"title":"On-Site Client Segregation","description":"Mechanisms exist to ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client work spaces."} +{"source":"scf","id":"scf:pri-01","id_raw":"PRI-01","tier_raw":"Controls","tier":1,"seq":804,"title":"Privacy Program","description":"Mechanisms exist to facilitate the implementation and operation of privacy 
controls. "} +{"source":"scf","id":"scf:pri-01.1","id_raw":"PRI-01.1","tier_raw":"Controls","tier":1,"seq":805,"title":"Chief Privacy Officer (CPO)","description":"Mechanisms exist to appoints a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."} +{"source":"scf","id":"scf:pri-01.2","id_raw":"PRI-01.2","tier_raw":"Controls","tier":1,"seq":806,"title":"Privacy Act Statements","description":"Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes:"} +{"source":"scf","id":"scf:pri-01.3","id_raw":"PRI-01.3","tier_raw":"Controls","tier":1,"seq":807,"title":"Dissemination of Privacy Program Information ","description":"Mechanisms exist to: "} +{"source":"scf","id":"scf:pri-01.4","id_raw":"PRI-01.4","tier_raw":"Controls","tier":1,"seq":808,"title":"Data Protection Officer (DPO)","description":"Mechanisms exist to appoint a Data Protection Officer (DPO):"} +{"source":"scf","id":"scf:pri-01.5","id_raw":"PRI-01.5","tier_raw":"Controls","tier":1,"seq":809,"title":"Binding Corporate Rules (BCR)","description":"Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data."} +{"source":"scf","id":"scf:pri-01.6","id_raw":"PRI-01.6","tier_raw":"Controls","tier":1,"seq":810,"title":"Security of Personal Data","description":"Mechanisms exist to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD."} 
+{"source":"scf","id":"scf:pri-01.7","id_raw":"PRI-01.7","tier_raw":"Controls","tier":1,"seq":811,"title":"Limiting Personal Data Disclosures","description":"Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained."} +{"source":"scf","id":"scf:pri-02","id_raw":"PRI-02","tier_raw":"Controls","tier":1,"seq":812,"title":"Privacy Notice","description":"Mechanisms exist to:"} +{"source":"scf","id":"scf:pri-02.1","id_raw":"PRI-02.1","tier_raw":"Controls","tier":1,"seq":813,"title":"Purpose Specification","description":"Mechanisms exist to identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its privacy notices."} +{"source":"scf","id":"scf:pri-02.2","id_raw":"PRI-02.2","tier_raw":"Controls","tier":1,"seq":814,"title":"Automated Data Management Processes","description":"Automated mechanisms exist to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s).\n\nMethods To Comply With SCF Controls:\nThe organization should identify and address obligations, including legal obligations, to the PD principals resulting from decisions made by the organization which are related to the PD principal based solely on automated processing of PD."} +{"source":"scf","id":"scf:pri-02.3","id_raw":"PRI-02.3","tier_raw":"Controls","tier":1,"seq":815,"title":"Computer Matching Agreements (CMA) ","description":"Mechanisms exist to publish Computer Matching Agreements (CMA) on the public website of the organization."} +{"source":"scf","id":"scf:pri-02.4","id_raw":"PRI-02.4","tier_raw":"Controls","tier":1,"seq":816,"title":"System of Records Notice (SORN)","description":"Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance."} 
+{"source":"scf","id":"scf:pri-02.5","id_raw":"PRI-02.5","tier_raw":"Controls","tier":1,"seq":817,"title":"System of Records Notice (SORN) Review Process","description":"Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."} +{"source":"scf","id":"scf:pri-02.6","id_raw":"PRI-02.6","tier_raw":"Controls","tier":1,"seq":818,"title":"Privacy Act Exemptions","description":"Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate."} +{"source":"scf","id":"scf:pri-02.7","id_raw":"PRI-02.7","tier_raw":"Controls","tier":1,"seq":819,"title":"Real-Time or Layered Notice","description":"Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's privacy notice."} +{"source":"scf","id":"scf:pri-03","id_raw":"PRI-03","tier_raw":"Controls","tier":1,"seq":820,"title":"Choice & Consent","description":"Mechanisms exist to authorize the processing of their Personal Data (PD) prior to its collection that:\n\nMethods To Comply With SCF Controls:\n- \"opt in\" vs \"opt out\" user selections"} +{"source":"scf","id":"scf:pri-03.1","id_raw":"PRI-03.1","tier_raw":"Controls","tier":1,"seq":821,"title":"Tailored Consent","description":"Mechanisms exist to allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD)."} +{"source":"scf","id":"scf:pri-03.2","id_raw":"PRI-03.2","tier_raw":"Controls","tier":1,"seq":822,"title":"Just-In-Time Notice & Updated Consent","description":"Mechanisms exist to present authorizations to process Personal Data (PD) in conjunction with the data action, when:"} 
+{"source":"scf","id":"scf:pri-03.3","id_raw":"PRI-03.3","tier_raw":"Controls","tier":1,"seq":823,"title":"Prohibition Of Selling or Sharing Personal Data (PD)","description":"Mechanisms exist to prevent the sale or sharing of Personal Data (PD) when instructed by the data subject."} +{"source":"scf","id":"scf:pri-03.4","id_raw":"PRI-03.4","tier_raw":"Controls","tier":1,"seq":824,"title":"Revoke Consent","description":"Mechanisms exist to allow data subjects to revoke consent to the processing of their Personal Data (PD)."} +{"source":"scf","id":"scf:pri-03.5","id_raw":"PRI-03.5","tier_raw":"Controls","tier":1,"seq":825,"title":"Product or Service Delivery Restrictions","description":"Mechanisms exist to prohibit the refusal or products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent.\n\nMethods To Comply With SCF Controls:\n- Privacy Program"} +{"source":"scf","id":"scf:pri-03.6","id_raw":"PRI-03.6","tier_raw":"Controls","tier":1,"seq":826,"title":"Authorized Agent","description":"Mechanisms exist to allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions."} +{"source":"scf","id":"scf:pri-03.7","id_raw":"PRI-03.7","tier_raw":"Controls","tier":1,"seq":827,"title":"Active Participation By Data Subjects","description":"Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.)."} +{"source":"scf","id":"scf:pri-03.8","id_raw":"PRI-03.8","tier_raw":"Controls","tier":1,"seq":828,"title":"Global Privacy Control (GPC)","description":"Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal)."} 
+{"source":"scf","id":"scf:pri-04","id_raw":"PRI-04","tier_raw":"Controls","tier":1,"seq":829,"title":"Restrict Collection To Identified Purpose","description":"Mechanisms exist to collect Personal Data (PD) only for the purposes identified in the privacy notice and includes protections against collecting PD from minors without appropriate parental, or legal guardian, consent."} +{"source":"scf","id":"scf:pri-04.1","id_raw":"PRI-04.1","tier_raw":"Controls","tier":1,"seq":830,"title":"Authority To Collect, Use, Maintain & Share Personal Data (PD)","description":"Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need."} +{"source":"scf","id":"scf:pri-04.2","id_raw":"PRI-04.2","tier_raw":"Controls","tier":1,"seq":831,"title":"Primary Sources","description":"Mechanisms exist to ensure information is directly collected from the data subject, whenever possible."} +{"source":"scf","id":"scf:pri-04.3","id_raw":"PRI-04.3","tier_raw":"Controls","tier":1,"seq":832,"title":"Identifiable Image Collection","description":"Mechanisms exist to restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.\n\nMethods To Comply With SCF Controls:\n- Privacy Program"} +{"source":"scf","id":"scf:pri-04.4","id_raw":"PRI-04.4","tier_raw":"Controls","tier":1,"seq":833,"title":"Acquired Personal Data (PD)","description":"Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject."} +{"source":"scf","id":"scf:pri-04.5","id_raw":"PRI-04.5","tier_raw":"Controls","tier":1,"seq":834,"title":"Validate Collected Personal 
Data","description":"Mechanisms exist to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process."} +{"source":"scf","id":"scf:pri-04.6","id_raw":"PRI-04.6","tier_raw":"Controls","tier":1,"seq":835,"title":"Re-Validate Collected Personal Data","description":"Mechanisms exist to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate."} +{"source":"scf","id":"scf:pri-05","id_raw":"PRI-05","tier_raw":"Controls","tier":1,"seq":836,"title":"Personal Data Retention & Disposal","description":"Mechanisms exist to: "} +{"source":"scf","id":"scf:pri-05.1","id_raw":"PRI-05.1","tier_raw":"Controls","tier":1,"seq":837,"title":"Internal Use of Personal Data For Testing, Training and Research","description":"Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that:"} +{"source":"scf","id":"scf:pri-05.2","id_raw":"PRI-05.2","tier_raw":"Controls","tier":1,"seq":838,"title":"Personal Data Accuracy & Integrity","description":"Mechanisms exist to confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle."} +{"source":"scf","id":"scf:pri-05.3","id_raw":"PRI-05.3","tier_raw":"Controls","tier":1,"seq":839,"title":"Data Masking","description":"Mechanisms exist to mask sensitive information through data anonymization, pseudonymization, redaction or de-identification."} +{"source":"scf","id":"scf:pri-05.4","id_raw":"PRI-05.4","tier_raw":"Controls","tier":1,"seq":840,"title":"Usage Restrictions of Sensitive Personal Data","description":"Mechanisms exist to restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in privacy notices. 
"} +{"source":"scf","id":"scf:pri-05.5","id_raw":"PRI-05.5","tier_raw":"Controls","tier":1,"seq":841,"title":"Inventory of Personal Data (PD)","description":"Mechanisms exist to establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD). "} +{"source":"scf","id":"scf:pri-05.6","id_raw":"PRI-05.6","tier_raw":"Controls","tier":1,"seq":842,"title":"Personal Data (PD) Inventory Automation Support","description":"Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form."} +{"source":"scf","id":"scf:pri-05.7","id_raw":"PRI-05.7","tier_raw":"Controls","tier":1,"seq":843,"title":"Personal Data (PD) Categories","description":"Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD)."} +{"source":"scf","id":"scf:pri-06","id_raw":"PRI-06","tier_raw":"Controls","tier":1,"seq":844,"title":"Data Subject Access","description":"Mechanisms exist to provide individuals the ability to access their Personal Data (PD) maintained in organizational systems of records."} +{"source":"scf","id":"scf:pri-06.1","id_raw":"PRI-06.1","tier_raw":"Controls","tier":1,"seq":845,"title":"Correcting Inaccurate Personal Data","description":"Mechanisms exist to establish and implement a process for:\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:pri-06.2","id_raw":"PRI-06.2","tier_raw":"Controls","tier":1,"seq":846,"title":"Notice of Correction or Processing Change","description":"Mechanisms exist to notify affected individuals if their Personal Data (PD) has been corrected or amended.\n\nMethods To Comply With SCF Controls:\nThe organization should, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to 
process PD, thereby giving the customer the opportunity to object to such changes."} +{"source":"scf","id":"scf:pri-06.3","id_raw":"PRI-06.3","tier_raw":"Controls","tier":1,"seq":847,"title":"Appeal Adverse Decision","description":"Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended."} +{"source":"scf","id":"scf:pri-06.4","id_raw":"PRI-06.4","tier_raw":"Controls","tier":1,"seq":848,"title":"User Feedback Management","description":"Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices."} +{"source":"scf","id":"scf:pri-06.5","id_raw":"PRI-06.5","tier_raw":"Controls","tier":1,"seq":849,"title":"Right to Erasure","description":"Mechanisms exist to erase personal data of an individual, without delay."} +{"source":"scf","id":"scf:pri-06.6","id_raw":"PRI-06.6","tier_raw":"Controls","tier":1,"seq":850,"title":"Data Portability","description":"Mechanisms exist to export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance."} +{"source":"scf","id":"scf:pri-06.7","id_raw":"PRI-06.7","tier_raw":"Controls","tier":1,"seq":851,"title":"Personal Data Exportability","description":"Mechanisms exist to digitally export Personal Data (PD) in a secure manner upon request by the data subject."} +{"source":"scf","id":"scf:pri-07","id_raw":"PRI-07","tier_raw":"Controls","tier":1,"seq":852,"title":"Information Sharing With Third Parties","description":"Mechanisms exist to discloses Personal Data (PD) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the data subject. 
\n\nMethods To Comply With SCF Controls:\n- Veris (incident sharing) (http://veriscommunity.net)"} +{"source":"scf","id":"scf:pri-07.1","id_raw":"PRI-07.1","tier_raw":"Controls","tier":1,"seq":853,"title":"Privacy Requirements for Contractors & Service Providers ","description":"Mechanisms exist to includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers. "} +{"source":"scf","id":"scf:pri-07.2","id_raw":"PRI-07.2","tier_raw":"Controls","tier":1,"seq":854,"title":"Joint Processing of Personal Data","description":"Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem. "} +{"source":"scf","id":"scf:pri-07.3","id_raw":"PRI-07.3","tier_raw":"Controls","tier":1,"seq":855,"title":"Obligation To Inform Third-Parties","description":"Mechanisms exist to inform applicable third-parties to any modification, deletion or other change that affects shared Personal Data (PD).\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:pri-07.4","id_raw":"PRI-07.4","tier_raw":"Controls","tier":1,"seq":856,"title":"Reject Unauthorized Disclosure Requests","description":"Mechanisms exist to reject unauthorized disclosure requests.\n\nMethods To Comply With SCF Controls:\n- Authorized Agent"} +{"source":"scf","id":"scf:pri-08","id_raw":"PRI-08","tier_raw":"Controls","tier":1,"seq":857,"title":"Testing, Training & Monitoring","description":"Mechanisms exist to conduct security and privacy testing, training and monitoring activities"} +{"source":"scf","id":"scf:pri-09","id_raw":"PRI-09","tier_raw":"Controls","tier":1,"seq":858,"title":"Personal Data Lineage","description":"Mechanisms exist to utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed 
under the organization's responsibility.\n\nMethods To Comply With SCF Controls:\nThe organization should determine and securely maintain the necessary records in support of its obligations for the processing of PD."} +{"source":"scf","id":"scf:pri-10","id_raw":"PRI-10","tier_raw":"Controls","tier":1,"seq":859,"title":"Data Quality Management","description":"Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle."} +{"source":"scf","id":"scf:pri-10.1","id_raw":"PRI-10.1","tier_raw":"Controls","tier":1,"seq":860,"title":"Automation","description":"Automated mechanisms exist to support the evaluation of data quality across the information lifecycle."} +{"source":"scf","id":"scf:pri-10.2","id_raw":"PRI-10.2","tier_raw":"Controls","tier":1,"seq":861,"title":"Data Analytics Bias","description":"Mechanisms exist to evaluate its analytical processes for potential bias."} +{"source":"scf","id":"scf:pri-11","id_raw":"PRI-11","tier_raw":"Controls","tier":1,"seq":862,"title":"Data Tagging","description":"Mechanisms exist to issue data modeling guidelines to support tagging of sensitive data."} +{"source":"scf","id":"scf:pri-12","id_raw":"PRI-12","tier_raw":"Controls","tier":1,"seq":863,"title":"Updating Personal Data (PD)","description":"Mechanisms exist to develop processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur."} +{"source":"scf","id":"scf:pri-13","id_raw":"PRI-13","tier_raw":"Controls","tier":1,"seq":864,"title":"Data Management Board","description":"Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assigned organization-defined roles to the DMB.\n\nMethods To Comply With SCF Controls:\n- Data Management Board (DMB)"} 
+{"source":"scf","id":"scf:pri-14","id_raw":"PRI-14","tier_raw":"Controls","tier":1,"seq":865,"title":"Privacy Records & Reporting","description":"Mechanisms exist to maintain privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates."} +{"source":"scf","id":"scf:pri-14.1","id_raw":"PRI-14.1","tier_raw":"Controls","tier":1,"seq":866,"title":"Accounting of Disclosures","description":"Mechanisms exist to develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request."} +{"source":"scf","id":"scf:pri-14.2","id_raw":"PRI-14.2","tier_raw":"Controls","tier":1,"seq":867,"title":"Notification of Disclosure Request To Data Subject","description":"Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD)."} +{"source":"scf","id":"scf:pri-15","id_raw":"PRI-15","tier_raw":"Controls","tier":1,"seq":868,"title":"Register Database","description":"Mechanisms exist to register databases containing Personal Data (PD) with the appropriate Data Authority, when necessary."} +{"source":"scf","id":"scf:pri-16","id_raw":"PRI-16","tier_raw":"Controls","tier":1,"seq":869,"title":"Potential Human Rights Abuses","description":"Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.\n\nMethods To Comply With SCF Controls:\n- Board of Directors (Bod) Ethics Committee"} +{"source":"scf","id":"scf:pri-17","id_raw":"PRI-17","tier_raw":"Controls","tier":1,"seq":870,"title":"Data Subject 
Communications","description":"Mechanisms exist to craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person."} +{"source":"scf","id":"scf:pri-17.1","id_raw":"PRI-17.1","tier_raw":"Controls","tier":1,"seq":871,"title":"Conspicuous Link To Privacy Notice","description":"Mechanisms exist to include a conspicuous link to the organization's privacy notice on all consumer-facing websites and mobile applications."} +{"source":"scf","id":"scf:pri-17.2","id_raw":"PRI-17.2","tier_raw":"Controls","tier":1,"seq":872,"title":"Notice of Financial Incentive","description":"Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate."} +{"source":"scf","id":"scf:prm-01","id_raw":"PRM-01","tier_raw":"Controls","tier":1,"seq":873,"title":"Security Portfolio Management","description":"Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives."} +{"source":"scf","id":"scf:prm-01.1","id_raw":"PRM-01.1","tier_raw":"Controls","tier":1,"seq":874,"title":"Strategic Plan & Objectives","description":"Mechanisms exist to establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan."} +{"source":"scf","id":"scf:prm-01.2","id_raw":"PRM-01.2","tier_raw":"Controls","tier":1,"seq":875,"title":"Targeted Capability Maturity Levels","description":"Mechanisms exist to define and identify targeted capability maturity levels."} +{"source":"scf","id":"scf:prm-02","id_raw":"PRM-02","tier_raw":"Controls","tier":1,"seq":876,"title":"Security & Privacy Resource Management","description":"Mechanisms exist to address 
all capital planning and investment requests, including the resources needed to implement the security & privacy programs and documents all exceptions to this requirement. "} +{"source":"scf","id":"scf:prm-03","id_raw":"PRM-03","tier_raw":"Controls","tier":1,"seq":877,"title":"Allocation of Resources ","description":"Mechanisms exist to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives."} +{"source":"scf","id":"scf:prm-04","id_raw":"PRM-04","tier_raw":"Controls","tier":1,"seq":878,"title":"Security & Privacy In Project Management ","description":"Mechanisms exist to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements."} +{"source":"scf","id":"scf:prm-05","id_raw":"PRM-05","tier_raw":"Controls","tier":1,"seq":879,"title":"Security & Privacy Requirements Definition","description":"Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). \n\nMethods To Comply With SCF Controls:\n- Secure Development Life Cycle (SDLC)"} +{"source":"scf","id":"scf:prm-06","id_raw":"PRM-06","tier_raw":"Controls","tier":1,"seq":880,"title":"Business Process Definition ","description":"Mechanisms exist to define business processes with consideration for cybersecurity and privacy that determines: "} +{"source":"scf","id":"scf:prm-07","id_raw":"PRM-07","tier_raw":"Controls","tier":1,"seq":881,"title":"Secure Development Life Cycle (SDLC) Management","description":"Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:prm-08","id_raw":"PRM-08","tier_raw":"Controls","tier":1,"seq":882,"title":"Manage Organizational Knowledge","description":"Mechanisms exist to manage the organizational knowledge of the cybersecurity and privacy staff."} +{"source":"scf","id":"scf:rsk-01","id_raw":"RSK-01","tier_raw":"Controls","tier":1,"seq":883,"title":"Risk Management Program ","description":"Mechanisms exist to facilitate the implementation of risk management controls.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-01.1","id_raw":"RSK-01.1","tier_raw":"Controls","tier":1,"seq":884,"title":"Risk Framing","description":"Mechanisms exist to identify:\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-02","id_raw":"RSK-02","tier_raw":"Controls","tier":1,"seq":885,"title":"Risk-Based Security Categorization ","description":"Mechanisms exist to categorizes systems and data in accordance with applicable local, state and Federal laws that:\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-02.1","id_raw":"RSK-02.1","tier_raw":"Controls","tier":1,"seq":886,"title":"Impact-Level Prioritization","description":"Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions."} +{"source":"scf","id":"scf:rsk-03","id_raw":"RSK-03","tier_raw":"Controls","tier":1,"seq":887,"title":"Risk Identification","description":"Mechanisms exist to identify and document risks, both internal and external. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-04","id_raw":"RSK-04","tier_raw":"Controls","tier":1,"seq":888,"title":"Risk Assessment ","description":"Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Risk assessment\n- Business Impact Analysis (BIA)\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:rsk-04.1","id_raw":"RSK-04.1","tier_raw":"Controls","tier":1,"seq":889,"title":"Risk Register","description":"Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Risk register\n- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)"} +{"source":"scf","id":"scf:rsk-05","id_raw":"RSK-05","tier_raw":"Controls","tier":1,"seq":890,"title":"Risk Ranking ","description":"Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. \n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-06","id_raw":"RSK-06","tier_raw":"Controls","tier":1,"seq":891,"title":"Risk Remediation ","description":"Mechanisms exist to remediate risks to an acceptable level. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:rsk-06.1","id_raw":"RSK-06.1","tier_raw":"Controls","tier":1,"seq":892,"title":"Risk Response","description":"Mechanisms exist to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-06.2","id_raw":"RSK-06.2","tier_raw":"Controls","tier":1,"seq":893,"title":"Compensating Countermeasures","description":"Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats."} +{"source":"scf","id":"scf:rsk-07","id_raw":"RSK-07","tier_raw":"Controls","tier":1,"seq":894,"title":"Risk Assessment Update","description":"Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. 
\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-08","id_raw":"RSK-08","tier_raw":"Controls","tier":1,"seq":895,"title":"Business Impact Analysis (BIA) ","description":"Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Data Protection Impact Assessment (DPIA)\n- Business Impact Analysis (BIA)"} +{"source":"scf","id":"scf:rsk-09","id_raw":"RSK-09","tier_raw":"Controls","tier":1,"seq":896,"title":"Supply Chain Risk Management (SCRM) Plan","description":"Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)"} +{"source":"scf","id":"scf:rsk-09.1","id_raw":"RSK-09.1","tier_raw":"Controls","tier":1,"seq":897,"title":"Supply Chain Risk Assessment","description":"Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:rsk-10","id_raw":"RSK-10","tier_raw":"Controls","tier":1,"seq":898,"title":"Data Protection Impact Assessment (DPIA) ","description":"Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.\n\nMethods To Comply With SCF Controls:\n- Risk Management Program (RMP)\n- Data Protection Impact Assessment (DPIA)\n- Privacy Impact Assessment (PIA)"} 
+{"source":"scf","id":"scf:rsk-11","id_raw":"RSK-11","tier_raw":"Controls","tier":1,"seq":899,"title":"Risk Monitoring","description":"Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security & privacy controls, compliance and change management."} +{"source":"scf","id":"scf:sea-01","id_raw":"SEA-01","tier_raw":"Controls","tier":1,"seq":900,"title":"Secure Engineering Principles ","description":"Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services."} +{"source":"scf","id":"scf:sea-01.1","id_raw":"SEA-01.1","tier_raw":"Controls","tier":1,"seq":901,"title":"Centralized Management of Cybersecurity & Privacy Controls","description":"Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes."} +{"source":"scf","id":"scf:sea-02","id_raw":"SEA-02","tier_raw":"Controls","tier":1,"seq":902,"title":"Alignment With Enterprise Architecture ","description":"Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations. \n\nMethods To Comply With SCF Controls:\n- Administrative controls through corporate policies, standards & procedures.\n- NIST 800-160\n- Enterprise architecture committee"} +{"source":"scf","id":"scf:sea-02.1","id_raw":"SEA-02.1","tier_raw":"Controls","tier":1,"seq":903,"title":"Standardized Terminology","description":"Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments. 
"} +{"source":"scf","id":"scf:sea-02.2","id_raw":"SEA-02.2","tier_raw":"Controls","tier":1,"seq":904,"title":"Outsourcing Non-Essential Functions or Services","description":"Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to third-party service providers and align with the organization's enterprise architecture and security standards."} +{"source":"scf","id":"scf:sea-02.3","id_raw":"SEA-02.3","tier_raw":"Controls","tier":1,"seq":905,"title":"Technical Debt Reviews","description":"Mechanisms exist to conduct ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies."} +{"source":"scf","id":"scf:sea-03","id_raw":"SEA-03","tier_raw":"Controls","tier":1,"seq":906,"title":"Defense-In-Depth (DiD) Architecture","description":"Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. "} +{"source":"scf","id":"scf:sea-03.1","id_raw":"SEA-03.1","tier_raw":"Controls","tier":1,"seq":907,"title":"System Partitioning ","description":"Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments. "} +{"source":"scf","id":"scf:sea-03.2","id_raw":"SEA-03.2","tier_raw":"Controls","tier":1,"seq":908,"title":"Application Partitioning","description":"Mechanisms exist to separate user functionality from system management functionality. \n\nMethods To Comply With SCF Controls:\n- Separate interface for non-privileged users."} +{"source":"scf","id":"scf:sea-04","id_raw":"SEA-04","tier_raw":"Controls","tier":1,"seq":909,"title":"Process Isolation ","description":"Mechanisms exist to implement a separate execution domain for each executing process. 
"} +{"source":"scf","id":"scf:sea-04.1","id_raw":"SEA-04.1","tier_raw":"Controls","tier":1,"seq":910,"title":"Security Function Isolation","description":"Mechanisms exist to isolate security functions from non-security functions. "} +{"source":"scf","id":"scf:sea-04.2","id_raw":"SEA-04.2","tier_raw":"Controls","tier":1,"seq":911,"title":"Hardware Separation","description":"Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation. "} +{"source":"scf","id":"scf:sea-04.3","id_raw":"SEA-04.3","tier_raw":"Controls","tier":1,"seq":912,"title":"Thread Separation","description":"Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing. "} +{"source":"scf","id":"scf:sea-05","id_raw":"SEA-05","tier_raw":"Controls","tier":1,"seq":913,"title":"Information In Shared Resources ","description":"Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources. "} +{"source":"scf","id":"scf:sea-06","id_raw":"SEA-06","tier_raw":"Controls","tier":1,"seq":914,"title":"Prevent Program Execution","description":"Automated mechanisms exist to prevent the execution of unauthorized software programs. "} +{"source":"scf","id":"scf:sea-07","id_raw":"SEA-07","tier_raw":"Controls","tier":1,"seq":915,"title":"Predictable Failure Analysis ","description":"Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.\n\nMethods To Comply With SCF Controls:\n- Mean Time to Failure (MTTF)"} +{"source":"scf","id":"scf:sea-07.1","id_raw":"SEA-07.1","tier_raw":"Controls","tier":1,"seq":916,"title":"Technology Lifecycle Management","description":"Mechanisms exist to manage the usable lifecycles of systems. 
\n\nMethods To Comply With SCF Controls:\n- Computer Lifecycle Program (CLP)\n- Technology Asset Management (TAM)"} +{"source":"scf","id":"scf:sea-07.2","id_raw":"SEA-07.2","tier_raw":"Controls","tier":1,"seq":917,"title":"Fail Secure","description":"Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure. "} +{"source":"scf","id":"scf:sea-07.3","id_raw":"SEA-07.3","tier_raw":"Controls","tier":1,"seq":918,"title":"Fail Safe","description":"Mechanisms exist to implement fail-safe procedures when failure conditions occur. "} +{"source":"scf","id":"scf:sea-08","id_raw":"SEA-08","tier_raw":"Controls","tier":1,"seq":919,"title":"Non-Persistence ","description":"Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency. "} +{"source":"scf","id":"scf:sea-08.1","id_raw":"SEA-08.1","tier_raw":"Controls","tier":1,"seq":920,"title":"Refresh from Trusted Sources","description":"Mechanisms exist to ensures that software and data needed for information system component and service refreshes are obtained from trusted sources.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:sea-09","id_raw":"SEA-09","tier_raw":"Controls","tier":1,"seq":921,"title":"Information Output Filtering ","description":"Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content. 
"} +{"source":"scf","id":"scf:sea-09.1","id_raw":"SEA-09.1","tier_raw":"Controls","tier":1,"seq":922,"title":"Limit Personal Data (PD) Dissemination","description":"Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:sea-10","id_raw":"SEA-10","tier_raw":"Controls","tier":1,"seq":923,"title":"Memory Protection ","description":"Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution. \n\nMethods To Comply With SCF Controls:\n- Puppet (https://puppet.com/)\n- Chef (https://www.chef.io/) (https://www.chef.io/)"} +{"source":"scf","id":"scf:sea-11","id_raw":"SEA-11","tier_raw":"Controls","tier":1,"seq":924,"title":"Honeypots ","description":"Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks. "} +{"source":"scf","id":"scf:sea-12","id_raw":"SEA-12","tier_raw":"Controls","tier":1,"seq":925,"title":"Honeyclients ","description":"Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code. "} +{"source":"scf","id":"scf:sea-13","id_raw":"SEA-13","tier_raw":"Controls","tier":1,"seq":926,"title":"Heterogeneity ","description":"Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM). 
"} +{"source":"scf","id":"scf:sea-13.1","id_raw":"SEA-13.1","tier_raw":"Controls","tier":1,"seq":927,"title":"Virtualization Techniques ","description":"Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications."} +{"source":"scf","id":"scf:sea-14","id_raw":"SEA-14","tier_raw":"Controls","tier":1,"seq":928,"title":"Concealment & Misdirection ","description":"Mechanisms exist to utilize concealment and misdirection techniques for systems to confuse and mislead adversaries. "} +{"source":"scf","id":"scf:sea-14.1","id_raw":"SEA-14.1","tier_raw":"Controls","tier":1,"seq":929,"title":"Randomness","description":"Automated mechanisms exist to introduce randomness into organizational operations and assets."} +{"source":"scf","id":"scf:sea-14.2","id_raw":"SEA-14.2","tier_raw":"Controls","tier":1,"seq":930,"title":"Change Processing & Storage Locations","description":"Automated mechanisms exist to change the location of processing and/or storage at random time intervals."} +{"source":"scf","id":"scf:sea-15","id_raw":"SEA-15","tier_raw":"Controls","tier":1,"seq":931,"title":"Distributed Processing & Storage ","description":"Mechanisms exist to distribute processing and storage across multiple physical locations. 
"} +{"source":"scf","id":"scf:sea-16","id_raw":"SEA-16","tier_raw":"Controls","tier":1,"seq":932,"title":"Non-Modifiable Executable Programs ","description":"Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media."} +{"source":"scf","id":"scf:sea-17","id_raw":"SEA-17","tier_raw":"Controls","tier":1,"seq":933,"title":"Secure Log-On Procedures ","description":"Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process"} +{"source":"scf","id":"scf:sea-18","id_raw":"SEA-18","tier_raw":"Controls","tier":1,"seq":934,"title":"System Use Notification (Logon Banner)","description":"Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides privacy and security notices.\n\nMethods To Comply With SCF Controls:\n- Logon banner\n- System use notifications\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:sea-18.1","id_raw":"SEA-18.1","tier_raw":"Controls","tier":1,"seq":935,"title":"Standardized Microsoft Windows Banner","description":"Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides privacy and security notices.\n\nMethods To Comply With SCF Controls:\n- Active Directory (AD) Ctrl+Alt+Del login process\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:sea-18.2","id_raw":"SEA-18.2","tier_raw":"Controls","tier":1,"seq":936,"title":"Truncated Banner","description":"Mechanisms exist to utilize a truncated 
system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory.\n\nMethods To Comply With SCF Controls:\n- Logon banner\n- System use notifications\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:sea-19","id_raw":"SEA-19","tier_raw":"Controls","tier":1,"seq":937,"title":"Previous Logon Notification","description":"Mechanisms exist to configure systems that process, store or transmit sensitive data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.\n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)"} +{"source":"scf","id":"scf:sea-20","id_raw":"SEA-20","tier_raw":"Controls","tier":1,"seq":938,"title":"Clock Synchronization","description":"Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks. 
\n\nMethods To Comply With SCF Controls:\n- Network Time Protocol (NTP)"} +{"source":"scf","id":"scf:ops-01","id_raw":"OPS-01","tier_raw":"Controls","tier":1,"seq":939,"title":"Operations Security ","description":"Mechanisms exist to facilitate the implementation of operational security controls.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)\n- ITIL v4 \n- COBIT 5"} +{"source":"scf","id":"scf:ops-01.1","id_raw":"OPS-01.1","tier_raw":"Controls","tier":1,"seq":940,"title":"Standardized Operating Procedures (SOP)","description":"Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.\n\nMethods To Comply With SCF Controls:\n- Standardized Operating Procedures (SOP)"} +{"source":"scf","id":"scf:ops-02","id_raw":"OPS-02","tier_raw":"Controls","tier":1,"seq":941,"title":"Security Concept Of Operations (CONOPS) ","description":"Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders. 
"} +{"source":"scf","id":"scf:ops-03","id_raw":"OPS-03","tier_raw":"Controls","tier":1,"seq":942,"title":"Service Delivery","description":"Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.\n\nMethods To Comply With SCF Controls:\n- ITIL v4 \n- COBIT 5"} +{"source":"scf","id":"scf:ops-04","id_raw":"OPS-04","tier_raw":"Controls","tier":1,"seq":943,"title":"Security Operations Center (SOC)","description":"Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability."} +{"source":"scf","id":"scf:ops-05","id_raw":"OPS-05","tier_raw":"Controls","tier":1,"seq":944,"title":"Secure Practices Guidelines","description":"Mechanisms exist to provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service."} +{"source":"scf","id":"scf:sat-01","id_raw":"SAT-01","tier_raw":"Controls","tier":1,"seq":945,"title":"Security & Privacy-Minded Workforce ","description":"Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. "} +{"source":"scf","id":"scf:sat-02","id_raw":"SAT-02","tier_raw":"Controls","tier":1,"seq":946,"title":"Security & Privacy Awareness ","description":"Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function. 
"} +{"source":"scf","id":"scf:sat-02.1","id_raw":"SAT-02.1","tier_raw":"Controls","tier":1,"seq":947,"title":"Simulated Cyber Attack Scenario Training","description":"Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios."} +{"source":"scf","id":"scf:sat-02.2","id_raw":"SAT-02.2","tier_raw":"Controls","tier":1,"seq":948,"title":"Social Engineering & Mining","description":"Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining."} +{"source":"scf","id":"scf:sat-03","id_raw":"SAT-03","tier_raw":"Controls","tier":1,"seq":949,"title":"Role-Based Security & Privacy Training ","description":"Mechanisms exist to provide role-based security-related training: "} +{"source":"scf","id":"scf:sat-03.1","id_raw":"SAT-03.1","tier_raw":"Controls","tier":1,"seq":950,"title":"Practical Exercises ","description":"Mechanisms exist to include practical exercises in security and privacy training that reinforce training objectives."} +{"source":"scf","id":"scf:sat-03.2","id_raw":"SAT-03.2","tier_raw":"Controls","tier":1,"seq":951,"title":"Suspicious Communications & Anomalous System Behavior","description":"Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior."} +{"source":"scf","id":"scf:sat-03.3","id_raw":"SAT-03.3","tier_raw":"Controls","tier":1,"seq":952,"title":"Sensitive Information Storage, Handling & Processing","description":"Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements."} +{"source":"scf","id":"scf:sat-03.4","id_raw":"SAT-03.4","tier_raw":"Controls","tier":1,"seq":953,"title":"Vendor Security & Privacy Training","description":"Mechanisms exist to incorporate vendor-specific security 
training in support of new technology initiatives. "} +{"source":"scf","id":"scf:sat-03.5","id_raw":"SAT-03.5","tier_raw":"Controls","tier":1,"seq":954,"title":"Privileged Users","description":"Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities "} +{"source":"scf","id":"scf:sat-03.6","id_raw":"SAT-03.6","tier_raw":"Controls","tier":1,"seq":955,"title":"Cyber Threat Environment","description":"Mechanisms exist to provide role-based security and privacy awareness training that is specific to the cyber threats that the user might encounter the user's specific day-to-day business operations."} +{"source":"scf","id":"scf:sat-03.7","id_raw":"SAT-03.7","tier_raw":"Controls","tier":1,"seq":956,"title":"Continuing Professional Education (CPE) - Cybersecurity & Privacy Personnel","description":"Mechanisms exist to ensure cybersecurity and privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities."} +{"source":"scf","id":"scf:sat-03.8","id_raw":"SAT-03.8","tier_raw":"Controls","tier":1,"seq":957,"title":"Continuing Professional Education (CPE) - DevOps Personnel","description":"Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats."} +{"source":"scf","id":"scf:sat-04","id_raw":"SAT-04","tier_raw":"Controls","tier":1,"seq":958,"title":"Security & Privacy Training Records ","description":"Mechanisms exist to document, retain and monitor individual training activities, including basic security awareness training, ongoing awareness training and specific-system training.\n\nMethods To Comply With SCF Controls:\n- KnowB4 (https://www.knowbe4.com/)"} 
+{"source":"scf","id":"scf:tda-01","id_raw":"TDA-01","tier_raw":"Controls","tier":1,"seq":959,"title":"Technology Development & Acquisition","description":"Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs."} +{"source":"scf","id":"scf:tda-01.1","id_raw":"TDA-01.1","tier_raw":"Controls","tier":1,"seq":960,"title":"Product Management","description":"Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies."} +{"source":"scf","id":"scf:tda-01.2","id_raw":"TDA-01.2","tier_raw":"Controls","tier":1,"seq":961,"title":"Integrity Mechanisms for Software / Firmware Updates ","description":"Mechanisms exist to utilize integrity validation mechanisms for security updates.\n\nMethods To Comply With SCF Controls:\n- Checksum comparison\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:tda-01.3","id_raw":"TDA-01.3","tier_raw":"Controls","tier":1,"seq":962,"title":"Malware Testing Prior to Release ","description":"Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:tda-02","id_raw":"TDA-02","tier_raw":"Controls","tier":1,"seq":963,"title":"Minimum Viable Product (MVP) Security Requirements ","description":"Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP)."} 
+{"source":"scf","id":"scf:tda-02.1","id_raw":"TDA-02.1","tier_raw":"Controls","tier":1,"seq":964,"title":"Ports, Protocols & Services In Use","description":"Mechanisms exist to require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use. \n\nMethods To Comply With SCF Controls:\n- Ports, Protocols & Services (PPS)"} +{"source":"scf","id":"scf:tda-02.2","id_raw":"TDA-02.2","tier_raw":"Controls","tier":1,"seq":965,"title":"Information Assurance Enabled Products","description":"Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved.\n\nMethods To Comply With SCF Controls:\n- FIPS 201"} +{"source":"scf","id":"scf:tda-02.3","id_raw":"TDA-02.3","tier_raw":"Controls","tier":1,"seq":966,"title":"Development Methods, Techniques & Processes","description":"Mechanisms exist to require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software."} +{"source":"scf","id":"scf:tda-02.4","id_raw":"TDA-02.4","tier_raw":"Controls","tier":1,"seq":967,"title":"Pre-Established Security Configurations","description":"Mechanisms exist to ensure software vendors / manufacturers:"} +{"source":"scf","id":"scf:tda-02.5","id_raw":"TDA-02.5","tier_raw":"Controls","tier":1,"seq":968,"title":"Identification & Justification of Ports, Protocols & Services","description":"Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other 
services necessary to operate their technology solutions. "} +{"source":"scf","id":"scf:tda-02.6","id_raw":"TDA-02.6","tier_raw":"Controls","tier":1,"seq":969,"title":"Insecure Ports, Protocols & Services","description":"Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions. "} +{"source":"scf","id":"scf:tda-02.7","id_raw":"TDA-02.7","tier_raw":"Controls","tier":1,"seq":970,"title":"Security & Privacy Representatives For Product Changes","description":"Mechanisms exist to include appropriate cybersecurity and privacy representatives in the product feature and/or functionality change control review process."} +{"source":"scf","id":"scf:tda-03","id_raw":"TDA-03","tier_raw":"Controls","tier":1,"seq":971,"title":"Commercial Off-The-Shelf (COTS) Security Solutions ","description":"Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products. "} +{"source":"scf","id":"scf:tda-03.1","id_raw":"TDA-03.1","tier_raw":"Controls","tier":1,"seq":972,"title":"Supplier Diversity","description":"Mechanisms exist to obtain security and privacy technologies from different suppliers to minimize supply chain risk.\n\nMethods To Comply With SCF Controls:\n- Supplier diversity"} +{"source":"scf","id":"scf:tda-04","id_raw":"TDA-04","tier_raw":"Controls","tier":1,"seq":973,"title":"Documentation Requirements","description":"Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe:"} +{"source":"scf","id":"scf:tda-04.1","id_raw":"TDA-04.1","tier_raw":"Controls","tier":1,"seq":974,"title":"Functional Properties ","description":"Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls. 
\n\nMethods To Comply With SCF Controls:\n- SSAE-16 SOC2 report"} +{"source":"scf","id":"scf:tda-04.2","id_raw":"TDA-04.2","tier_raw":"Controls","tier":1,"seq":975,"title":"Software Bill of Materials (SBOM)","description":"Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses."} +{"source":"scf","id":"scf:tda-05","id_raw":"TDA-05","tier_raw":"Controls","tier":1,"seq":976,"title":"Developer Architecture & Design ","description":"Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that: "} +{"source":"scf","id":"scf:tda-05.1","id_raw":"TDA-05.1","tier_raw":"Controls","tier":1,"seq":977,"title":"Physical Diagnostic & Test Interfaces","description":"Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse."} +{"source":"scf","id":"scf:tda-05.2","id_raw":"TDA-05.2","tier_raw":"Controls","tier":1,"seq":978,"title":"Diagnostic & Test Interface Monitoring","description":"Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces."} +{"source":"scf","id":"scf:tda-06","id_raw":"TDA-06","tier_raw":"Controls","tier":1,"seq":979,"title":"Secure Coding ","description":"Mechanisms exist to develop applications based on secure coding principles. 
\n\nMethods To Comply With SCF Controls:\n- OWASP's Application Security Verification Standard (ASVS) \n- Mobile Application Security Verification Standard (MASVS)"} +{"source":"scf","id":"scf:tda-06.1","id_raw":"TDA-06.1","tier_raw":"Controls","tier":1,"seq":980,"title":"Criticality Analysis","description":"Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).\n\nMethods To Comply With SCF Controls:\n- Secure Development Life Cycle (SDLC)"} +{"source":"scf","id":"scf:tda-06.2","id_raw":"TDA-06.2","tier_raw":"Controls","tier":1,"seq":981,"title":"Threat Modeling","description":"Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for."} +{"source":"scf","id":"scf:tda-06.3","id_raw":"TDA-06.3","tier_raw":"Controls","tier":1,"seq":982,"title":"Software Assurance Maturity Model (SAMM)","description":"Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services."} +{"source":"scf","id":"scf:tda-06.4","id_raw":"TDA-06.4","tier_raw":"Controls","tier":1,"seq":983,"title":"Supporting Toolchain","description":"Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle."} +{"source":"scf","id":"scf:tda-06.5","id_raw":"TDA-06.5","tier_raw":"Controls","tier":1,"seq":984,"title":"Software Design Review","description":"Mechanisms exist to have an independent review of the software design to confirm that all security and privacy requirements are met and that any identified risks are satisfactorily addressed."} +{"source":"scf","id":"scf:tda-07","id_raw":"TDA-07","tier_raw":"Controls","tier":1,"seq":985,"title":"Secure Development Environments 
","description":"Mechanisms exist to maintain a segmented development network to ensure a secure development environment. "} +{"source":"scf","id":"scf:tda-08","id_raw":"TDA-08","tier_raw":"Controls","tier":1,"seq":986,"title":"Separation of Development, Testing and Operational Environments ","description":"Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems."} +{"source":"scf","id":"scf:tda-08.1","id_raw":"TDA-08.1","tier_raw":"Controls","tier":1,"seq":987,"title":"Secure Migration Practices","description":"Mechanisms exist to ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment."} +{"source":"scf","id":"scf:tda-09","id_raw":"TDA-09","tier_raw":"Controls","tier":1,"seq":988,"title":"Security & Privacy Testing Throughout Development ","description":"Mechanisms exist to require system developers/integrators consult with cybersecurity and privacy personnel to: \n\nMethods To Comply With SCF Controls:\n- Security Test & Evaluation (ST&E)"} +{"source":"scf","id":"scf:tda-09.1","id_raw":"TDA-09.1","tier_raw":"Controls","tier":1,"seq":989,"title":"Continuous Monitoring Plan","description":"Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of security & privacy control effectiveness. "} +{"source":"scf","id":"scf:tda-09.2","id_raw":"TDA-09.2","tier_raw":"Controls","tier":1,"seq":990,"title":"Static Code Analysis","description":"Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis. 
"} +{"source":"scf","id":"scf:tda-09.3","id_raw":"TDA-09.3","tier_raw":"Controls","tier":1,"seq":991,"title":"Dynamic Code Analysis ","description":"Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis. "} +{"source":"scf","id":"scf:tda-09.4","id_raw":"TDA-09.4","tier_raw":"Controls","tier":1,"seq":992,"title":"Malformed Input Testing","description":"Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:tda-09.5","id_raw":"TDA-09.5","tier_raw":"Controls","tier":1,"seq":993,"title":"Application Penetration Testing","description":"Mechanisms exist to perform application-level penetration testing of custom-made applications and services.\n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:tda-09.6","id_raw":"TDA-09.6","tier_raw":"Controls","tier":1,"seq":994,"title":"Secure Settings By Default","description":"Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise."} +{"source":"scf","id":"scf:tda-09.7","id_raw":"TDA-09.7","tier_raw":"Controls","tier":1,"seq":995,"title":"Manual Code Review","description":"Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design."} 
+{"source":"scf","id":"scf:tda-10","id_raw":"TDA-10","tier_raw":"Controls","tier":1,"seq":996,"title":"Use of Live Data ","description":"Mechanisms exist to approve, document and control the use of live data in development and test environments."} +{"source":"scf","id":"scf:tda-10.1","id_raw":"TDA-10.1","tier_raw":"Controls","tier":1,"seq":997,"title":"Test Data Integrity","description":"Mechanisms exist to ensure the integrity of test data through existing security & privacy controls.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:tda-11","id_raw":"TDA-11","tier_raw":"Controls","tier":1,"seq":998,"title":"Product Tampering and Counterfeiting (PTC)","description":"Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components."} +{"source":"scf","id":"scf:tda-11.1","id_raw":"TDA-11.1","tier_raw":"Controls","tier":1,"seq":999,"title":"Anti-Counterfeit Training","description":"Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware. 
"} +{"source":"scf","id":"scf:tda-11.2","id_raw":"TDA-11.2","tier_raw":"Controls","tier":1,"seq":1000,"title":"Component Disposal","description":"[deprecated - incorporated into AST-09]"} +{"source":"scf","id":"scf:tda-12","id_raw":"TDA-12","tier_raw":"Controls","tier":1,"seq":1001,"title":"Customized Development of Critical Components ","description":"Mechanisms exist to custom-develop critical system components, when COTS solutions are unavailable.\n\nMethods To Comply With SCF Controls:\n- OWASP"} +{"source":"scf","id":"scf:tda-13","id_raw":"TDA-13","tier_raw":"Controls","tier":1,"seq":1002,"title":"Developer Screening ","description":"Mechanisms exist to ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations."} +{"source":"scf","id":"scf:tda-14","id_raw":"TDA-14","tier_raw":"Controls","tier":1,"seq":1003,"title":"Developer Configuration Management ","description":"Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation."} +{"source":"scf","id":"scf:tda-14.1","id_raw":"TDA-14.1","tier_raw":"Controls","tier":1,"seq":1004,"title":"Software / Firmware Integrity Verification","description":"Mechanisms exist to require developer of systems, system components or services to enable integrity verification of software and firmware components. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:tda-14.2","id_raw":"TDA-14.2","tier_raw":"Controls","tier":1,"seq":1005,"title":"Hardware Integrity Verification","description":"Mechanisms exist to require developer of systems, system components or services to enable integrity verification of hardware components."} +{"source":"scf","id":"scf:tda-15","id_raw":"TDA-15","tier_raw":"Controls","tier":1,"seq":1006,"title":"Developer Threat Analysis & Flaw Remediation","description":"Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party. \n\nMethods To Comply With SCF Controls:\n- Security Test and Evaluation (ST&E) plan"} +{"source":"scf","id":"scf:tda-16","id_raw":"TDA-16","tier_raw":"Controls","tier":1,"seq":1007,"title":"Developer-Provided Training ","description":"Mechanisms exist to require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service."} +{"source":"scf","id":"scf:tda-17","id_raw":"TDA-17","tier_raw":"Controls","tier":1,"seq":1008,"title":"Unsupported Systems ","description":"Mechanisms exist to prevent unsupported systems by:"} +{"source":"scf","id":"scf:tda-17.1","id_raw":"TDA-17.1","tier_raw":"Controls","tier":1,"seq":1009,"title":"Alternate Sources for Continued Support","description":"Mechanisms exist to provide in-house support or contract external providers for support with unsupported system components. "} +{"source":"scf","id":"scf:tda-18","id_raw":"TDA-18","tier_raw":"Controls","tier":1,"seq":1010,"title":"Input Data Validation ","description":"Mechanisms exist to check the validity of information inputs. 
"} +{"source":"scf","id":"scf:tda-19","id_raw":"TDA-19","tier_raw":"Controls","tier":1,"seq":1011,"title":"Error Handling ","description":"Mechanisms exist to handle error conditions by: "} +{"source":"scf","id":"scf:tda-20","id_raw":"TDA-20","tier_raw":"Controls","tier":1,"seq":1012,"title":"Access to Program Source Code ","description":"Mechanisms exist to limit privileges to change software resident within software libraries. \n\nMethods To Comply With SCF Controls:\n- Source code escrow"} +{"source":"scf","id":"scf:tda-20.1","id_raw":"TDA-20.1","tier_raw":"Controls","tier":1,"seq":1013,"title":"Software Release Integrity Verification","description":"Mechanisms exist to publish integrity verification information for software releases."} +{"source":"scf","id":"scf:tda-20.2","id_raw":"TDA-20.2","tier_raw":"Controls","tier":1,"seq":1014,"title":"Archiving Software Releases","description":"Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information."} +{"source":"scf","id":"scf:tda-20.3","id_raw":"TDA-20.3","tier_raw":"Controls","tier":1,"seq":1015,"title":"Software Escrow","description":"Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support. 
"} +{"source":"scf","id":"scf:tpm-01","id_raw":"TPM-01","tier_raw":"Controls","tier":1,"seq":1016,"title":"Third-Party Management ","description":"Mechanisms exist to facilitate the implementation of third-party management controls.\n\nMethods To Comply With SCF Controls:\n- Procurement program\n- Contract reviews"} +{"source":"scf","id":"scf:tpm-01.1","id_raw":"TPM-01.1","tier_raw":"Controls","tier":1,"seq":1017,"title":"Third-Party Inventories ","description":"Mechanisms exist to maintain a current, accurate and complete list of Third-Party Service Providers (TSP) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data."} +{"source":"scf","id":"scf:tpm-02","id_raw":"TPM-02","tier_raw":"Controls","tier":1,"seq":1018,"title":"Third-Party Criticality Assessments","description":"Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:tpm-03","id_raw":"TPM-03","tier_raw":"Controls","tier":1,"seq":1019,"title":"Supply Chain Protection","description":"Mechanisms exist to evaluate security risks associated with the services and product supply chain. 
\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:tpm-03.1","id_raw":"TPM-03.1","tier_raw":"Controls","tier":1,"seq":1020,"title":"Acquisition Strategies, Tools & Methods","description":"Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.\n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:tpm-03.2","id_raw":"TPM-03.2","tier_raw":"Controls","tier":1,"seq":1021,"title":"Limit Potential Harm","description":"Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain. \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)\n- Liability clause in contracts"} +{"source":"scf","id":"scf:tpm-03.3","id_raw":"TPM-03.3","tier_raw":"Controls","tier":1,"seq":1022,"title":"Processes To Address Weaknesses or Deficiencies","description":"Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain \n\nMethods To Comply With SCF Controls:\n- Data Protection Impact Assessment (DPIA)"} +{"source":"scf","id":"scf:tpm-04","id_raw":"TPM-04","tier_raw":"Controls","tier":1,"seq":1023,"title":"Third-Party Services ","description":"Mechanisms exist to mitigate the risks associated with third-party access to the organization’s systems and data.\n\nMethods To Comply With SCF Controls:\n- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.\n- Maintain and implement policies and procedures to manage service providers (e.g., Software-as-a-Service (SaaS), web hosting companies, collocation providers, or email providers), through observation, review of policies and procedures and review of supporting documentation. 
\n- Maintain a program to monitor service providers’ control compliance status at least annually.\n- Require providers of external system services to comply with organizational security requirements and employ appropriate security controls in accordance with applicable statutory, regulatory and contractual obligations.\n- Define and document oversight and user roles and responsibilities with regard to external system services.\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:tpm-04.1","id_raw":"TPM-04.1","tier_raw":"Controls","tier":1,"seq":1024,"title":"Third-Party Risk Assessments & Approvals","description":"Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services.\n\nMethods To Comply With SCF Controls:\n- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.\n- Maintain a list of service providers.\n- Maintain and implement controls to manage security providers (e.g., backup tape storage facilities or security service providers), through observation, review of policies and procedures and review of supporting documentation.\n- Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of data the service providers possess.\n- Maintain a program to monitor service providers’ control compliance status, at least annually.\n- Require that providers of external services comply with organizational digital security requirements and utilize appropriate security controls in accordance with all applicable laws and regulatory requirements."} +{"source":"scf","id":"scf:tpm-04.2","id_raw":"TPM-04.2","tier_raw":"Controls","tier":1,"seq":1025,"title":"External Connectivity Requirements - Identification of Ports, Protocols & Services","description":"Mechanisms exist to require Third-Party Service Providers (TSP) to identify and document the business need for ports, protocols and 
other services it requires to operate its processes and technologies."} +{"source":"scf","id":"scf:tpm-04.3","id_raw":"TPM-04.3","tier_raw":"Controls","tier":1,"seq":1026,"title":"Conflict of Interests","description":"Mechanisms exist to ensure that the interests of third-party service providers are consistent with and reflect organizational interests.\n\nMethods To Comply With SCF Controls:\n- Third-party contract requirements for cybersecurity controls"} +{"source":"scf","id":"scf:tpm-04.4","id_raw":"TPM-04.4","tier_raw":"Controls","tier":1,"seq":1027,"title":"Third-Party Processing, Storage and Service Locations","description":"Mechanisms exist to restrict the location of information processing/storage based on business requirements. "} +{"source":"scf","id":"scf:tpm-05","id_raw":"TPM-05","tier_raw":"Controls","tier":1,"seq":1028,"title":"Third-Party Contract Requirements","description":"Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data.\n\nMethods To Comply With SCF Controls:\n- Non-Disclosure Agreements (NDAs)"} +{"source":"scf","id":"scf:tpm-05.1","id_raw":"TPM-05.1","tier_raw":"Controls","tier":1,"seq":1029,"title":"Security Compromise Notification Agreements","description":"Mechanisms exist to compel Third-Party Service Providers (TSP) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes."} +{"source":"scf","id":"scf:tpm-05.2","id_raw":"TPM-05.2","tier_raw":"Controls","tier":1,"seq":1030,"title":"Contract Flow-Down Requirements","description":"Mechanisms exist to ensure cybersecurity and privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers."} 
+{"source":"scf","id":"scf:tpm-05.3","id_raw":"TPM-05.3","tier_raw":"Controls","tier":1,"seq":1031,"title":"Third-Party Authentication Practices","description":"Mechanisms exist to ensure Third-Party Service Providers (TSP) use unique authentication factors for each of its customers."} +{"source":"scf","id":"scf:tpm-05.4","id_raw":"TPM-05.4","tier_raw":"Controls","tier":1,"seq":1032,"title":"Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix","description":"Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity and privacy controls between internal stakeholders and Third-Party Service Providers (TSP). \n\nMethods To Comply With SCF Controls:\n- Customer Responsibility Matrix (CRM)\n- Shared Responsibility Matrix (SRM)\n- Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix"} +{"source":"scf","id":"scf:tpm-05.5","id_raw":"TPM-05.5","tier_raw":"Controls","tier":1,"seq":1033,"title":"Third-Party Scope Review","description":"Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity and privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders. "} +{"source":"scf","id":"scf:tpm-05.6","id_raw":"TPM-05.6","tier_raw":"Controls","tier":1,"seq":1034,"title":"First-Party Declaration (1PD)","description":"Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable Third-Party Service Providers (TSP) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and privacy controls, including any flow-down requirements to subcontractors. 
"} +{"source":"scf","id":"scf:tpm-06","id_raw":"TPM-06","tier_raw":"Controls","tier":1,"seq":1035,"title":"Third-Party Personnel Security ","description":"Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers."} +{"source":"scf","id":"scf:tpm-07","id_raw":"TPM-07","tier_raw":"Controls","tier":1,"seq":1036,"title":"Monitoring for Third-Party Information Disclosure ","description":"Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information. "} +{"source":"scf","id":"scf:tpm-08","id_raw":"TPM-08","tier_raw":"Controls","tier":1,"seq":1037,"title":"Review of Third-Party Services","description":"Mechanisms exist to monitor, regularly review and audit Third-Party Service Providers (TSP) for compliance with established contractual requirements for cybersecurity and privacy controls. "} +{"source":"scf","id":"scf:tpm-09","id_raw":"TPM-09","tier_raw":"Controls","tier":1,"seq":1038,"title":"Third-Party Deficiency Remediation ","description":"Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. 
"} +{"source":"scf","id":"scf:tpm-10","id_raw":"TPM-10","tier_raw":"Controls","tier":1,"seq":1039,"title":"Managing Changes To Third-Party Services","description":"Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.\n\nMethods To Comply With SCF Controls:\n- Contact requirement to report changes to service offerings that may impact the contract.\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:tpm-11","id_raw":"TPM-11","tier_raw":"Controls","tier":1,"seq":1040,"title":"Third-Party Incident Response & Recovery Capabilities","description":"Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers. "} +{"source":"scf","id":"scf:thr-01","id_raw":"THR-01","tier_raw":"Controls","tier":1,"seq":1041,"title":"Threat Intelligence Program","description":"Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities."} +{"source":"scf","id":"scf:thr-02","id_raw":"THR-02","tier_raw":"Controls","tier":1,"seq":1042,"title":"Indicators of Exposure (IOE)","description":"Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization. 
\n\nMethods To Comply With SCF Controls:\n- Indicators of Exposure (IoE)"} +{"source":"scf","id":"scf:thr-03","id_raw":"THR-03","tier_raw":"Controls","tier":1,"seq":1043,"title":"Threat Intelligence Feeds","description":"Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.\n\nMethods To Comply With SCF Controls:\n- US-CERT mailing lists & feeds\n- InfraGard\n- Internal newsletters"} +{"source":"scf","id":"scf:thr-04","id_raw":"THR-04","tier_raw":"Controls","tier":1,"seq":1044,"title":"Insider Threat Program ","description":"Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team. \n\nMethods To Comply With SCF Controls:\n- Insider threat program"} +{"source":"scf","id":"scf:thr-05","id_raw":"THR-05","tier_raw":"Controls","tier":1,"seq":1045,"title":"Insider Threat Awareness","description":"Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat."} +{"source":"scf","id":"scf:thr-06","id_raw":"THR-06","tier_raw":"Controls","tier":1,"seq":1046,"title":"Vulnerability Disclosure Program (VDP)","description":"Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of products and services that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes.\n\nMethods To Comply With SCF Controls:\n- \"bug bounty\" program"} +{"source":"scf","id":"scf:thr-07","id_raw":"THR-07","tier_raw":"Controls","tier":1,"seq":1047,"title":"Threat Hunting","description":"Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls."} 
+{"source":"scf","id":"scf:thr-08","id_raw":"THR-08","tier_raw":"Controls","tier":1,"seq":1048,"title":"Tainting","description":"Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved."} +{"source":"scf","id":"scf:vpm-01","id_raw":"VPM-01","tier_raw":"Controls","tier":1,"seq":1049,"title":"Vulnerability & Patch Management Program (VPMP)","description":"Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.\n\nMethods To Comply With SCF Controls:\n- Vulnerability & Patch Management Program (ComplianceForge)"} +{"source":"scf","id":"scf:vpm-01.1","id_raw":"VPM-01.1","tier_raw":"Controls","tier":1,"seq":1050,"title":"Attack Surface Scope","description":"Mechanisms exist to define and manage the scope for its attack surface management activities."} +{"source":"scf","id":"scf:vpm-02","id_raw":"VPM-02","tier_raw":"Controls","tier":1,"seq":1051,"title":"Vulnerability Remediation Process ","description":"Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:vpm-03","id_raw":"VPM-03","tier_raw":"Controls","tier":1,"seq":1052,"title":"Vulnerability Ranking ","description":"Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information. 
\n\nMethods To Comply With SCF Controls:\n- US-CERT "} +{"source":"scf","id":"scf:vpm-04","id_raw":"VPM-04","tier_raw":"Controls","tier":1,"seq":1053,"title":"Continuous Vulnerability Remediation Activities","description":"Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks. \n\nMethods To Comply With SCF Controls:\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:vpm-04.1","id_raw":"VPM-04.1","tier_raw":"Controls","tier":1,"seq":1054,"title":"Stable Versions","description":"Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems."} +{"source":"scf","id":"scf:vpm-04.2","id_raw":"VPM-04.2","tier_raw":"Controls","tier":1,"seq":1055,"title":"Flaw Remediation with Personal Data (PD)","description":"Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)."} +{"source":"scf","id":"scf:vpm-05","id_raw":"VPM-05","tier_raw":"Controls","tier":1,"seq":1056,"title":"Software & Firmware Patching","description":"Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.\n\nMethods To Comply With SCF Controls:\n- Patch management tools"} +{"source":"scf","id":"scf:vpm-05.1","id_raw":"VPM-05.1","tier_raw":"Controls","tier":1,"seq":1057,"title":"Centralized Management of Flaw Remediation Processes","description":"Mechanisms exist to centrally-manage the flaw remediation process. \n\nMethods To Comply With SCF Controls:\n- Patch management tools"} +{"source":"scf","id":"scf:vpm-05.2","id_raw":"VPM-05.2","tier_raw":"Controls","tier":1,"seq":1058,"title":"Automated Remediation Status","description":"Automated mechanisms exist to determine the state of system components with regard to flaw remediation. 
\n\nMethods To Comply With SCF Controls:\n- Vulnerability scanning tools\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:vpm-05.3","id_raw":"VPM-05.3","tier_raw":"Controls","tier":1,"seq":1059,"title":"Time To Remediate / Benchmarks For Corrective Action","description":"Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:vpm-05.4","id_raw":"VPM-05.4","tier_raw":"Controls","tier":1,"seq":1060,"title":"Automated Software & Firmware Updates","description":"Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates."} +{"source":"scf","id":"scf:vpm-05.5","id_raw":"VPM-05.5","tier_raw":"Controls","tier":1,"seq":1061,"title":"Removal of Previous Versions","description":"Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed. 
"} +{"source":"scf","id":"scf:vpm-06","id_raw":"VPM-06","tier_raw":"Controls","tier":1,"seq":1062,"title":"Vulnerability Scanning ","description":"Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications.\n\nMethods To Comply With SCF Controls:\n- External vulnerability scans (unauthenticated)\n- Internal vulnerability scans (authenticated)\n- Nessus (https://www.tenable.com/products/nessus/nessus-professional)\n- Qualys (https://www.qualys.com/)\n- Rapid7 (https://www.rapid7.com/)\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:vpm-06.1","id_raw":"VPM-06.1","tier_raw":"Controls","tier":1,"seq":1063,"title":"Update Tool Capability","description":"Mechanisms exist to update vulnerability scanning tools."} +{"source":"scf","id":"scf:vpm-06.2","id_raw":"VPM-06.2","tier_raw":"Controls","tier":1,"seq":1064,"title":"Breadth / Depth of Coverage ","description":"Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for. \n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)\n- NNT Change Tracker (https://www.newnettechnologies.com)"} +{"source":"scf","id":"scf:vpm-06.3","id_raw":"VPM-06.3","tier_raw":"Controls","tier":1,"seq":1065,"title":"Privileged Access","description":"Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities. \n\nMethods To Comply With SCF Controls:\n- Authenticated scans"} +{"source":"scf","id":"scf:vpm-06.4","id_raw":"VPM-06.4","tier_raw":"Controls","tier":1,"seq":1066,"title":"Trend Analysis","description":"Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities. 
\n\nMethods To Comply With SCF Controls:\n- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)"} +{"source":"scf","id":"scf:vpm-06.5","id_raw":"VPM-06.5","tier_raw":"Controls","tier":1,"seq":1067,"title":"Review Historical Audit Logs","description":"Mechanisms exist to review historical audit logs to determine if identified vulnerabilities have been previously exploited. "} +{"source":"scf","id":"scf:vpm-06.6","id_raw":"VPM-06.6","tier_raw":"Controls","tier":1,"seq":1068,"title":"External Vulnerability Assessment Scans","description":"Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)."} +{"source":"scf","id":"scf:vpm-06.7","id_raw":"VPM-06.7","tier_raw":"Controls","tier":1,"seq":1069,"title":"Internal Vulnerability Assessment Scans","description":"Mechanisms exist to perform quarterly internal vulnerability scans, that includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)."} +{"source":"scf","id":"scf:vpm-06.8","id_raw":"VPM-06.8","tier_raw":"Controls","tier":1,"seq":1070,"title":"Acceptable Discoverable Information","description":"Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediated non-compliant systems."} +{"source":"scf","id":"scf:vpm-06.9","id_raw":"VPM-06.9","tier_raw":"Controls","tier":1,"seq":1071,"title":"Correlate Scanning Information","description":"Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors."} 
+{"source":"scf","id":"scf:vpm-07","id_raw":"VPM-07","tier_raw":"Controls","tier":1,"seq":1072,"title":"Penetration Testing ","description":"Mechanisms exist to conduct penetration testing on systems and web applications."} +{"source":"scf","id":"scf:vpm-07.1","id_raw":"VPM-07.1","tier_raw":"Controls","tier":1,"seq":1073,"title":"Independent Penetration Agent or Team","description":"Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing."} +{"source":"scf","id":"scf:vpm-08","id_raw":"VPM-08","tier_raw":"Controls","tier":1,"seq":1074,"title":"Technical Surveillance Countermeasures Security ","description":"Mechanisms exist to utilize a technical surveillance countermeasures survey.\n\nMethods To Comply With SCF Controls:\n- Facility sweeping for \"bugs\" or other unauthorized surveillance technologies."} +{"source":"scf","id":"scf:vpm-09","id_raw":"VPM-09","tier_raw":"Controls","tier":1,"seq":1075,"title":"Reviewing Vulnerability Scanner Usage","description":"Mechanisms exist to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans. \n\nMethods To Comply With SCF Controls:\n- Security Incident Event Manager (SIEM)"} +{"source":"scf","id":"scf:vpm-10","id_raw":"VPM-10","tier_raw":"Controls","tier":1,"seq":1076,"title":"Red Team Exercises","description":"Mechanisms exist to utilize \"red team\" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement. 
\n\nMethods To Comply With SCF Controls:\n- \"red team\" exercises"} +{"source":"scf","id":"scf:web-01","id_raw":"WEB-01","tier_raw":"Controls","tier":1,"seq":1077,"title":"Web Security","description":"Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures."} +{"source":"scf","id":"scf:web-01.1","id_raw":"WEB-01.1","tier_raw":"Controls","tier":1,"seq":1078,"title":"Unauthorized Code","description":"Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client’s browser."} +{"source":"scf","id":"scf:web-02","id_raw":"WEB-02","tier_raw":"Controls","tier":1,"seq":1079,"title":"Use of Demilitarized Zones (DMZ)","description":"Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports."} +{"source":"scf","id":"scf:web-03","id_raw":"WEB-03","tier_raw":"Controls","tier":1,"seq":1080,"title":"Web Application Firewall (WAF)","description":"Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats. 
\n\nMethods To Comply With SCF Controls:\n- Web Application Firewall (WAF)"} +{"source":"scf","id":"scf:web-04","id_raw":"WEB-04","tier_raw":"Controls","tier":1,"seq":1081,"title":"Client-Facing Web Services","description":"Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.\n\nMethods To Comply With SCF Controls:\n- OWASP"} +{"source":"scf","id":"scf:web-05","id_raw":"WEB-05","tier_raw":"Controls","tier":1,"seq":1082,"title":"Cookie Management","description":"Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management."} +{"source":"scf","id":"scf:web-06","id_raw":"WEB-06","tier_raw":"Controls","tier":1,"seq":1083,"title":"Strong Customer Authentication (SCA)","description":"Mechanisms exist to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity."} +{"source":"scf","id":"scf:web-07","id_raw":"WEB-07","tier_raw":"Controls","tier":1,"seq":1084,"title":"Web Security Standard","description":"Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process."} +{"source":"scf","id":"scf:web-08","id_raw":"WEB-08","tier_raw":"Controls","tier":1,"seq":1085,"title":"Web Application Framework","description":"Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs."} +{"source":"scf","id":"scf:web-09","id_raw":"WEB-09","tier_raw":"Controls","tier":1,"seq":1086,"title":"Validation & Sanitization","description":"Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized."} 
+{"source":"scf","id":"scf:web-10","id_raw":"WEB-10","tier_raw":"Controls","tier":1,"seq":1087,"title":"Secure Web Traffic","description":"Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS)."} +{"source":"scf","id":"scf:web-11","id_raw":"WEB-11","tier_raw":"Controls","tier":1,"seq":1088,"title":"Output Encoding","description":"Mechanisms exist to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks."} +{"source":"scf","id":"scf:web-12","id_raw":"WEB-12","tier_raw":"Controls","tier":1,"seq":1089,"title":"Web Browser Security","description":"Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users."} +{"source":"scf","id":"scf:web-13","id_raw":"WEB-13","tier_raw":"Controls","tier":1,"seq":1090,"title":"Website Change Detection","description":"Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data. "} diff --git a/data/frameworks.csv b/data/frameworks.csv index 9dad2d5..cad5991 100644 --- a/data/frameworks.csv +++ b/data/frameworks.csv 
@@ -4,4 +4,8 @@ cis_csc_v7.1,CIS CSC,Center for Internet Security (CIS) Controls,http://www.cise nist_800_53_v4,NIST 800-53,NIST Security and Privacy Controls for Federal Information Systems and Organizations,https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final,4 nist_800_171_v1,NIST 800-171,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final,1 owasp_10_v3,OWASP Top 10 Controls,Open Web Application Security Project (OWASP) Top Ten Proactive Controls 2018,https://owasp.org/www-project-proactive-controls,3 -asvs_v4.0.1,ASVS,OWASP Application Security Verification Standard,https://owasp.org/www-project-application-security-verification-standard,4.0.1 \ No newline at end of file +asvs_v4.0.1,ASVS,OWASP Application Security Verification Standard,https://owasp.org/www-project-application-security-verification-standard,4.0.1 +fsscc_profile_v1.0,FSSCC Profile,Financial Services Sector Coordinating Council (FSSCC) Profile,https://fsscc.org/The-Profile-FAQs,1.0 +ffiec_cat_v2017.05,FFIEC CAT,Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool,https://www.ffiec.gov/cyberassessmenttool.htm,2017.05 +aicpa_tsc_v2017,AICPA TSC (SOC),AICPA Trust Services Criteria (May 2017),https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf,2017 +scf,Secure Controls Framework,Secure Controls Framework,https://www.securecontrolsframework.com/,2022.3 \ No newline at end of file diff --git a/data/frameworks.json b/data/frameworks.json index f7bb38c..e8363ae 100644 --- a/data/frameworks.json +++ b/data/frameworks.json 
@@ -40,5 +40,33 @@ "title": "OWASP Application Security Verification Standard", "url": "https://owasp.org/www-project-application-security-verification-standard", "version": "4.0.1" + }, + { + "id": "fsscc_profile_v1.0", + "abbreviation": "FSSCC Profile", + "title": "Financial Services Sector Coordinating Council (FSSCC) Profile", + "url": "https://fsscc.org/The-Profile-FAQs", + "version": "1.0" + }, + { + "id": "ffiec_cat_v2017.05", + "abbreviation": "FFIEC CAT", + "title": "Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool", + "url": "https://www.ffiec.gov/cyberassessmenttool.htm", + "version": "2017.05" + }, + { + "id": "aicpa_tsc_v2017", + "abbreviation": "AICPA TSC (SOC)", + "title": "AICPA Trust Services Criteria (May 2017)", + "url": "https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf", + "version": "2017" + }, + { + "id": "scf", + "abbreviation": "Secure Controls Framework", + "title": "Secure Controls Framework", + "url": "https://www.securecontrolsframework.com/", + "version": "2022.3" } ] diff --git a/data/frameworks.jsonl b/data/frameworks.jsonl index 55ab13c..3e08cb4 100644 --- a/data/frameworks.jsonl +++ b/data/frameworks.jsonl 
@@ -4,3 +4,7 @@ {"id":"nist_800_171_v1","abbreviation":"NIST 800-171","title":"Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations","url":"https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final","version":"1"} {"id":"owasp_10_v3","abbreviation":"OWASP Top 10 Controls","title":"Open Web Application Security Project (OWASP) Top Ten Proactive Controls 2018","url":"https://owasp.org/www-project-proactive-controls","version":"3"} {"id":"asvs_v4.0.1","abbreviation":"ASVS","title":"OWASP Application Security Verification Standard","url":"https://owasp.org/www-project-application-security-verification-standard","version":"4.0.1"} +{"id":"fsscc_profile_v1.0","abbreviation":"FSSCC Profile","title":"Financial Services Sector Coordinating Council (FSSCC) Profile","url":"https://fsscc.org/The-Profile-FAQs","version":"1.0"} +{"id":"ffiec_cat_v2017.05","abbreviation":"FFIEC CAT","title":"Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool","url":"https://www.ffiec.gov/cyberassessmenttool.htm","version":"2017.05"} +{"id":"aicpa_tsc_v2017","abbreviation":"AICPA TSC (SOC)","title":"AICPA Trust Services Criteria (May 2017)","url":"https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf","version":"2017"} +{"id":"scf","abbreviation":"Secure Controls Framework","title":"Secure Controls Framework","url":"https://www.securecontrolsframework.com/","version":"2022.3"} diff --git a/data/relationships.csv b/data/relationships.csv index c324813..a517947 100644 --- a/data/relationships.csv +++ b/data/relationships.csv 
@@ -1174,6 +1174,94 @@ nist_800_171_v1,nist_800_171_v1:3.1.6,nist_800_171_v1:3.1,,skos:broadMatch nist_800_171_v1,nist_800_171_v1:3.1.7,nist_800_171_v1:3.1,,skos:broadMatch nist_800_171_v1,nist_800_171_v1:3.1.8,nist_800_171_v1:3.1,,skos:broadMatch nist_800_171_v1,nist_800_171_v1:3.1.9,nist_800_171_v1:3.1,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.1,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.2,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.3,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.4,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.5,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.10.6,nist_800_171_v1:3.10,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.11.1,nist_800_171_v1:3.11,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.11.2,nist_800_171_v1:3.11,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.11.3,nist_800_171_v1:3.11,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.12.1,nist_800_171_v1:3.12,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.12.2,nist_800_171_v1:3.12,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.12.3,nist_800_171_v1:3.12,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.12.4,nist_800_171_v1:3.12,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.1,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.10,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.11,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.12,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.13,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.14,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.15,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.16,nist_800_171_v1:3.13,,skos:broadMatch 
+nist_800_171_v1,nist_800_171_v1:3.13.2,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.3,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.4,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.5,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.6,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.7,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.8,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.13.9,nist_800_171_v1:3.13,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.1,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.2,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.3,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.4,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.5,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.6,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.14.7,nist_800_171_v1:3.14,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.2.1,nist_800_171_v1:3.2,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.2.2,nist_800_171_v1:3.2,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.2.3,nist_800_171_v1:3.2,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.1,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.2,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.3,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.4,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.5,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.6,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.7,nist_800_171_v1:3.3,,skos:broadMatch 
+nist_800_171_v1,nist_800_171_v1:3.3.8,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.3.9,nist_800_171_v1:3.3,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.1,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.2,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.3,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.4,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.5,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.6,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.7,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.8,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.4.9,nist_800_171_v1:3.4,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.1,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.10,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.11,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.2,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.3,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.4,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.5,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.6,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.7,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.8,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.5.9,nist_800_171_v1:3.5,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.6.1,nist_800_171_v1:3.6,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.6.2,nist_800_171_v1:3.6,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.6.3,nist_800_171_v1:3.6,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.7.1,nist_800_171_v1:3.7,,skos:broadMatch 
+nist_800_171_v1,nist_800_171_v1:3.7.2,nist_800_171_v1:3.7,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.7.3,nist_800_171_v1:3.7,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.7.4,nist_800_171_v1:3.7,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.7.5,nist_800_171_v1:3.7,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.7.6,nist_800_171_v1:3.7,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.1,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.2,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.3,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.4,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.5,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.6,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.7,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.8,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.8.9,nist_800_171_v1:3.8,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.9.1,nist_800_171_v1:3.9,,skos:broadMatch +nist_800_171_v1,nist_800_171_v1:3.9.2,nist_800_171_v1:3.9,,skos:broadMatch cis_csc_v7.1,cis_csc_v7.1:1,nist_800_171_v1:3.1.1,,skos:relatedMatch cis_csc_v7.1,cis_csc_v7.1:11.5,nist_800_171_v1:3.1.12,,skos:relatedMatch cis_csc_v7.1,cis_csc_v7.1:11.5,nist_800_171_v1:3.1.13,,skos:relatedMatch 
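Review bot: the new `nist_800_171_v1` hierarchy rows in the `@@ -1174,6 +1174,94 @@` hunk are ordered as strings, not by control number: `3.10.x` through `3.14.x` are inserted before `3.2.x`, and `3.13.10` to `3.13.16` sit between `3.13.1` and `3.13.2` (likewise `3.5.10`, `3.5.11`). The rows themselves are complete for Rev. 1 (6/3/4/16/7 for 3.10 to 3.14 and 3/9/9/11/3/6/9/2 for 3.2 to 3.9, 88 rows as the hunk header says), but the ordering should be stated as a convention and ideally produced by whatever generates the file, because the FSSCC block later in this patch uses natural order (`pr.ip-9` before `pr.ip-10`) and the file will otherwise be hard to diff on the next update. Also worth a one-line check before merge that each `nist_800_171_v1:3.x.y` source id here has a matching row in controls.csv; a parent/child row whose child id does not exist is accepted by the CSV and silently dropped by any consumer that joins on id.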
@@ -1221,3 +1309,2595 @@ nist_800_53_v4,nist_800_53_v4:ac-2(3),cis_csc_v7.1:16.9,,skos:closeMatch nist_800_53_v4,nist_800_53_v4:ac-18(5),cis_csc_v7.1:15.9,,skos:relatedMatch nist_800_53_v4,nist_800_53_v4:ac-20,cis_csc_v7.1:13.8,,skos:relatedMatch nist_800_53_v4,nist_800_53_v4:ac-20(2),nist_800_171_v1:3.1.21,,skos:closeMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te,fsscc_profile_v1.0:gv,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am,fsscc_profile_v1.0:id,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra,fsscc_profile_v1.0:id,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt,fsscc_profile_v1.0:pr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae,fsscc_profile_v1.0:de,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm,fsscc_profile_v1.0:de,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp,fsscc_profile_v1.0:de,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp,fsscc_profile_v1.0:rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co,fsscc_profile_v1.0:rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an,fsscc_profile_v1.0:rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi,fsscc_profile_v1.0:rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im,fsscc_profile_v1.0:rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp,fsscc_profile_v1.0:rc,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im,fsscc_profile_v1.0:rc,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co,fsscc_profile_v1.0:rc,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id,fsscc_profile_v1.0:dm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed,fsscc_profile_v1.0:dm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs,fsscc_profile_v1.0:dm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be,fsscc_profile_v1.0:dm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1,fsscc_profile_v1.0:gv.sf,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-2,fsscc_profile_v1.0:gv.sf,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3,fsscc_profile_v1.0:gv.sf,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-4,fsscc_profile_v1.0:gv.sf,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1,fsscc_profile_v1.0:gv.rm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2,fsscc_profile_v1.0:gv.rm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3,fsscc_profile_v1.0:gv.rm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1,fsscc_profile_v1.0:gv.pl,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2,fsscc_profile_v1.0:gv.pl,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3,fsscc_profile_v1.0:gv.pl,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-1,fsscc_profile_v1.0:gv.rr,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2,fsscc_profile_v1.0:gv.rr,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1,fsscc_profile_v1.0:gv.sp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2,fsscc_profile_v1.0:gv.sp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1,fsscc_profile_v1.0:gv.ir,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2,fsscc_profile_v1.0:gv.ir,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-3,fsscc_profile_v1.0:gv.ir,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1,fsscc_profile_v1.0:gv.au,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2,fsscc_profile_v1.0:gv.au,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3,fsscc_profile_v1.0:gv.au,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1,fsscc_profile_v1.0:gv.te,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-2,fsscc_profile_v1.0:gv.te,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-1,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-2,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-4,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-6,fsscc_profile_v1.0:id.am,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-1,fsscc_profile_v1.0:id.ra,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-2,fsscc_profile_v1.0:id.ra,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3,fsscc_profile_v1.0:id.ra,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-4,fsscc_profile_v1.0:id.ra,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5,fsscc_profile_v1.0:id.ra,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6,fsscc_profile_v1.0:id.ra,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-2,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-6,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7,fsscc_profile_v1.0:pr.ac,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1,fsscc_profile_v1.0:pr.at,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2,fsscc_profile_v1.0:pr.at,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3,fsscc_profile_v1.0:pr.at,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4,fsscc_profile_v1.0:pr.at,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-5,fsscc_profile_v1.0:pr.at,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-3,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-4,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-5,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-6,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-7,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-8,fsscc_profile_v1.0:pr.ds,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1,fsscc_profile_v1.0:pr.ip,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-3,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-5,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-6,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-7,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-8,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12,fsscc_profile_v1.0:pr.ip,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-1,fsscc_profile_v1.0:pr.ma,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-2,fsscc_profile_v1.0:pr.ma,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1,fsscc_profile_v1.0:pr.pt,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-2,fsscc_profile_v1.0:pr.pt,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-3,fsscc_profile_v1.0:pr.pt,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-4,fsscc_profile_v1.0:pr.pt,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-5,fsscc_profile_v1.0:pr.pt,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-1,fsscc_profile_v1.0:de.ae,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-2,fsscc_profile_v1.0:de.ae,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3,fsscc_profile_v1.0:de.ae,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-4,fsscc_profile_v1.0:de.ae,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-5,fsscc_profile_v1.0:de.ae,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-2,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-5,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8,fsscc_profile_v1.0:de.cm,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-1,fsscc_profile_v1.0:de.dp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-2,fsscc_profile_v1.0:de.dp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-3,fsscc_profile_v1.0:de.dp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4,fsscc_profile_v1.0:de.dp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-5,fsscc_profile_v1.0:de.dp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp-1,fsscc_profile_v1.0:rs.rp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1,fsscc_profile_v1.0:rs.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2,fsscc_profile_v1.0:rs.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3,fsscc_profile_v1.0:rs.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-4,fsscc_profile_v1.0:rs.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5,fsscc_profile_v1.0:rs.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-1,fsscc_profile_v1.0:rs.an,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2,fsscc_profile_v1.0:rs.an,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-3,fsscc_profile_v1.0:rs.an,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-4,fsscc_profile_v1.0:rs.an,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5,fsscc_profile_v1.0:rs.an,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1,fsscc_profile_v1.0:rs.mi,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-2,fsscc_profile_v1.0:rs.mi,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3,fsscc_profile_v1.0:rs.mi,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1,fsscc_profile_v1.0:rs.im,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-2,fsscc_profile_v1.0:rs.im,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1,fsscc_profile_v1.0:rc.rp,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-1,fsscc_profile_v1.0:rc.im,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-2,fsscc_profile_v1.0:rc.im,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1,fsscc_profile_v1.0:rc.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-2,fsscc_profile_v1.0:rc.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-3,fsscc_profile_v1.0:rc.co,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1,fsscc_profile_v1.0:dm.id,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-2,fsscc_profile_v1.0:dm.id,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6,fsscc_profile_v1.0:dm.ed,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7,fsscc_profile_v1.0:dm.ed,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1,fsscc_profile_v1.0:dm.rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2,fsscc_profile_v1.0:dm.rs,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1,fsscc_profile_v1.0:dm.be,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2,fsscc_profile_v1.0:dm.be,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-3,fsscc_profile_v1.0:dm.be,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.1,fsscc_profile_v1.0:gv.sf-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.2,fsscc_profile_v1.0:gv.sf-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.3,fsscc_profile_v1.0:gv.sf-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.4,fsscc_profile_v1.0:gv.sf-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-1.5,fsscc_profile_v1.0:gv.sf-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-2.1,fsscc_profile_v1.0:gv.sf-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.1,fsscc_profile_v1.0:gv.sf-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.2,fsscc_profile_v1.0:gv.sf-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-3.3,fsscc_profile_v1.0:gv.sf-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sf-4.1,fsscc_profile_v1.0:gv.sf-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.1,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.2,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.3,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.4,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.5,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-1.6,fsscc_profile_v1.0:gv.rm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.1,fsscc_profile_v1.0:gv.rm-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.2,fsscc_profile_v1.0:gv.rm-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-2.3,fsscc_profile_v1.0:gv.rm-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.1,fsscc_profile_v1.0:gv.rm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.2,fsscc_profile_v1.0:gv.rm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rm-3.3,fsscc_profile_v1.0:gv.rm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1.1,fsscc_profile_v1.0:gv.pl-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-1.2,fsscc_profile_v1.0:gv.pl-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.1,fsscc_profile_v1.0:gv.pl-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.2,fsscc_profile_v1.0:gv.pl-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-2.3,fsscc_profile_v1.0:gv.pl-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.1,fsscc_profile_v1.0:gv.pl-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.2,fsscc_profile_v1.0:gv.pl-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.pl-3.3,fsscc_profile_v1.0:gv.pl-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-1.1,fsscc_profile_v1.0:gv.rr-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.1,fsscc_profile_v1.0:gv.rr-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.2,fsscc_profile_v1.0:gv.rr-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.3,fsscc_profile_v1.0:gv.rr-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.rr-2.4,fsscc_profile_v1.0:gv.rr-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1.1,fsscc_profile_v1.0:gv.sp-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-1.2,fsscc_profile_v1.0:gv.sp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.1,fsscc_profile_v1.0:gv.sp-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.2,fsscc_profile_v1.0:gv.sp-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.sp-2.3,fsscc_profile_v1.0:gv.sp-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.1,fsscc_profile_v1.0:gv.ir-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.2,fsscc_profile_v1.0:gv.ir-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.3,fsscc_profile_v1.0:gv.ir-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-1.4,fsscc_profile_v1.0:gv.ir-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2.1,fsscc_profile_v1.0:gv.ir-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-2.2,fsscc_profile_v1.0:gv.ir-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.ir-3.1,fsscc_profile_v1.0:gv.ir-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.1,fsscc_profile_v1.0:gv.au-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.2,fsscc_profile_v1.0:gv.au-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.3,fsscc_profile_v1.0:gv.au-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-1.4,fsscc_profile_v1.0:gv.au-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2.1,fsscc_profile_v1.0:gv.au-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-2.2,fsscc_profile_v1.0:gv.au-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.1,fsscc_profile_v1.0:gv.au-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.2,fsscc_profile_v1.0:gv.au-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.au-3.3,fsscc_profile_v1.0:gv.au-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1.1,fsscc_profile_v1.0:gv.te-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-1.2,fsscc_profile_v1.0:gv.te-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:gv.te-2.1,fsscc_profile_v1.0:gv.te-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-1.1,fsscc_profile_v1.0:id.am-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-2.1,fsscc_profile_v1.0:id.am-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.1,fsscc_profile_v1.0:id.am-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.2,fsscc_profile_v1.0:id.am-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-3.3,fsscc_profile_v1.0:id.am-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-4.1,fsscc_profile_v1.0:id.am-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5.1,fsscc_profile_v1.0:id.am-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-5.2,fsscc_profile_v1.0:id.am-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.am-6.1,fsscc_profile_v1.0:id.am-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-1.1,fsscc_profile_v1.0:id.ra-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-2.1,fsscc_profile_v1.0:id.ra-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.1,fsscc_profile_v1.0:id.ra-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.2,fsscc_profile_v1.0:id.ra-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-3.3,fsscc_profile_v1.0:id.ra-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-4.1,fsscc_profile_v1.0:id.ra-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.1,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.2,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.3,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.4,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.5,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-5.6,fsscc_profile_v1.0:id.ra-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6.1,fsscc_profile_v1.0:id.ra-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:id.ra-6.2,fsscc_profile_v1.0:id.ra-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.1,fsscc_profile_v1.0:pr.ac-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.2,fsscc_profile_v1.0:pr.ac-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-1.3,fsscc_profile_v1.0:pr.ac-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-2.1,fsscc_profile_v1.0:pr.ac-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3.1,fsscc_profile_v1.0:pr.ac-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-3.2,fsscc_profile_v1.0:pr.ac-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.1,fsscc_profile_v1.0:pr.ac-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.2,fsscc_profile_v1.0:pr.ac-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-4.3,fsscc_profile_v1.0:pr.ac-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5.1,fsscc_profile_v1.0:pr.ac-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-5.2,fsscc_profile_v1.0:pr.ac-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-6.1,fsscc_profile_v1.0:pr.ac-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7.1,fsscc_profile_v1.0:pr.ac-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ac-7.2,fsscc_profile_v1.0:pr.ac-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.1,fsscc_profile_v1.0:pr.at-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.2,fsscc_profile_v1.0:pr.at-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-1.3,fsscc_profile_v1.0:pr.at-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.1,fsscc_profile_v1.0:pr.at-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.2,fsscc_profile_v1.0:pr.at-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-2.3,fsscc_profile_v1.0:pr.at-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.1,fsscc_profile_v1.0:pr.at-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.2,fsscc_profile_v1.0:pr.at-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-3.3,fsscc_profile_v1.0:pr.at-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4.1,fsscc_profile_v1.0:pr.at-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-4.2,fsscc_profile_v1.0:pr.at-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.at-5.1,fsscc_profile_v1.0:pr.at-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1.1,fsscc_profile_v1.0:pr.ds-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-1.2,fsscc_profile_v1.0:pr.ds-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2.1,fsscc_profile_v1.0:pr.ds-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-2.2,fsscc_profile_v1.0:pr.ds-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-3.1,fsscc_profile_v1.0:pr.ds-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-4.1,fsscc_profile_v1.0:pr.ds-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-5.1,fsscc_profile_v1.0:pr.ds-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-6.1,fsscc_profile_v1.0:pr.ds-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-7.1,fsscc_profile_v1.0:pr.ds-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ds-8.1,fsscc_profile_v1.0:pr.ds-8,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.1,fsscc_profile_v1.0:pr.ip-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.2,fsscc_profile_v1.0:pr.ip-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-1.3,fsscc_profile_v1.0:pr.ip-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.1,fsscc_profile_v1.0:pr.ip-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.2,fsscc_profile_v1.0:pr.ip-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-2.3,fsscc_profile_v1.0:pr.ip-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-3.1,fsscc_profile_v1.0:pr.ip-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.1,fsscc_profile_v1.0:pr.ip-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.2,fsscc_profile_v1.0:pr.ip-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.3,fsscc_profile_v1.0:pr.ip-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-4.4,fsscc_profile_v1.0:pr.ip-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-5.1,fsscc_profile_v1.0:pr.ip-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-6.1,fsscc_profile_v1.0:pr.ip-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-7.1,fsscc_profile_v1.0:pr.ip-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-8.1,fsscc_profile_v1.0:pr.ip-8,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9.1,fsscc_profile_v1.0:pr.ip-9,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-9.2,fsscc_profile_v1.0:pr.ip-9,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.1,fsscc_profile_v1.0:pr.ip-10,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.2,fsscc_profile_v1.0:pr.ip-10,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.3,fsscc_profile_v1.0:pr.ip-10,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-10.4,fsscc_profile_v1.0:pr.ip-10,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.1,fsscc_profile_v1.0:pr.ip-11,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.2,fsscc_profile_v1.0:pr.ip-11,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-11.3,fsscc_profile_v1.0:pr.ip-11,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.1,fsscc_profile_v1.0:pr.ip-12,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.2,fsscc_profile_v1.0:pr.ip-12,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.3,fsscc_profile_v1.0:pr.ip-12,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ip-12.4,fsscc_profile_v1.0:pr.ip-12,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-1.1,fsscc_profile_v1.0:pr.ma-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.ma-2.1,fsscc_profile_v1.0:pr.ma-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1.1,fsscc_profile_v1.0:pr.pt-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-1.2,fsscc_profile_v1.0:pr.pt-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-2.1,fsscc_profile_v1.0:pr.pt-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-3.1,fsscc_profile_v1.0:pr.pt-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-4.1,fsscc_profile_v1.0:pr.pt-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:pr.pt-5.1,fsscc_profile_v1.0:pr.pt-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-1.1,fsscc_profile_v1.0:de.ae-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-2.1,fsscc_profile_v1.0:de.ae-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3.1,fsscc_profile_v1.0:de.ae-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-3.2,fsscc_profile_v1.0:de.ae-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-4.1,fsscc_profile_v1.0:de.ae-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.ae-5.1,fsscc_profile_v1.0:de.ae-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.1,fsscc_profile_v1.0:de.cm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.2,fsscc_profile_v1.0:de.cm-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.3,fsscc_profile_v1.0:de.cm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-1.4,fsscc_profile_v1.0:de.cm-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-2.1,fsscc_profile_v1.0:de.cm-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.1,fsscc_profile_v1.0:de.cm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.2,fsscc_profile_v1.0:de.cm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-3.3,fsscc_profile_v1.0:de.cm-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4.1,fsscc_profile_v1.0:de.cm-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-4.2,fsscc_profile_v1.0:de.cm-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-5.1,fsscc_profile_v1.0:de.cm-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.1,fsscc_profile_v1.0:de.cm-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.2,fsscc_profile_v1.0:de.cm-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-6.3,fsscc_profile_v1.0:de.cm-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.1,fsscc_profile_v1.0:de.cm-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.2,fsscc_profile_v1.0:de.cm-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.3,fsscc_profile_v1.0:de.cm-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-7.4,fsscc_profile_v1.0:de.cm-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8.1,fsscc_profile_v1.0:de.cm-8,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.cm-8.2,fsscc_profile_v1.0:de.cm-8,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-1.1,fsscc_profile_v1.0:de.dp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-2.1,fsscc_profile_v1.0:de.dp-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-3.1,fsscc_profile_v1.0:de.dp-3,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4.1,fsscc_profile_v1.0:de.dp-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-4.2,fsscc_profile_v1.0:de.dp-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:de.dp-5.1,fsscc_profile_v1.0:de.dp-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.rp-1.1,fsscc_profile_v1.0:rs.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.1,fsscc_profile_v1.0:rs.co-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.2,fsscc_profile_v1.0:rs.co-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-1.3,fsscc_profile_v1.0:rs.co-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.1,fsscc_profile_v1.0:rs.co-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.2,fsscc_profile_v1.0:rs.co-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.3,fsscc_profile_v1.0:rs.co-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-2.4,fsscc_profile_v1.0:rs.co-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3.1,fsscc_profile_v1.0:rs.co-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-3.2,fsscc_profile_v1.0:rs.co-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-4.1,fsscc_profile_v1.0:rs.co-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.1,fsscc_profile_v1.0:rs.co-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.2,fsscc_profile_v1.0:rs.co-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.co-5.3,fsscc_profile_v1.0:rs.co-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-1.1,fsscc_profile_v1.0:rs.an-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2.1,fsscc_profile_v1.0:rs.an-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-2.2,fsscc_profile_v1.0:rs.an-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-3.1,fsscc_profile_v1.0:rs.an-3,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-4.1,fsscc_profile_v1.0:rs.an-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.1,fsscc_profile_v1.0:rs.an-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.2,fsscc_profile_v1.0:rs.an-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.an-5.3,fsscc_profile_v1.0:rs.an-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1.1,fsscc_profile_v1.0:rs.mi-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-1.2,fsscc_profile_v1.0:rs.mi-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-2.1,fsscc_profile_v1.0:rs.mi-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3.1,fsscc_profile_v1.0:rs.mi-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.mi-3.2,fsscc_profile_v1.0:rs.mi-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.1,fsscc_profile_v1.0:rs.im-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.2,fsscc_profile_v1.0:rs.im-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-1.3,fsscc_profile_v1.0:rs.im-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rs.im-2.1,fsscc_profile_v1.0:rs.im-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.1,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.2,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.3,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.4,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.5,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.rp-1.6,fsscc_profile_v1.0:rc.rp-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-1.1,fsscc_profile_v1.0:rc.im-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.im-2.1,fsscc_profile_v1.0:rc.im-2,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1.1,fsscc_profile_v1.0:rc.co-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-1.2,fsscc_profile_v1.0:rc.co-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-2.1,fsscc_profile_v1.0:rc.co-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:rc.co-3.1,fsscc_profile_v1.0:rc.co-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.1,fsscc_profile_v1.0:dm.id-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.2,fsscc_profile_v1.0:dm.id-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.3,fsscc_profile_v1.0:dm.id-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-1.4,fsscc_profile_v1.0:dm.id-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.id-2.1,fsscc_profile_v1.0:dm.id-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.1,fsscc_profile_v1.0:dm.ed-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.2,fsscc_profile_v1.0:dm.ed-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-1.3,fsscc_profile_v1.0:dm.ed-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.1,fsscc_profile_v1.0:dm.ed-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.2,fsscc_profile_v1.0:dm.ed-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.3,fsscc_profile_v1.0:dm.ed-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.4,fsscc_profile_v1.0:dm.ed-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-2.5,fsscc_profile_v1.0:dm.ed-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3.1,fsscc_profile_v1.0:dm.ed-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-3.2,fsscc_profile_v1.0:dm.ed-3,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.1,fsscc_profile_v1.0:dm.ed-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.2,fsscc_profile_v1.0:dm.ed-4,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.3,fsscc_profile_v1.0:dm.ed-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.4,fsscc_profile_v1.0:dm.ed-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-4.5,fsscc_profile_v1.0:dm.ed-4,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.1,fsscc_profile_v1.0:dm.ed-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.2,fsscc_profile_v1.0:dm.ed-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.3,fsscc_profile_v1.0:dm.ed-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-5.4,fsscc_profile_v1.0:dm.ed-5,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.1,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.2,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.3,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.4,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.5,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.6,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-6.7,fsscc_profile_v1.0:dm.ed-6,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.1,fsscc_profile_v1.0:dm.ed-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.2,fsscc_profile_v1.0:dm.ed-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.3,fsscc_profile_v1.0:dm.ed-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.ed-7.4,fsscc_profile_v1.0:dm.ed-7,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.1,fsscc_profile_v1.0:dm.rs-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.2,fsscc_profile_v1.0:dm.rs-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-1.3,fsscc_profile_v1.0:dm.rs-1,,skos:broadMatch 
+fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.1,fsscc_profile_v1.0:dm.rs-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.2,fsscc_profile_v1.0:dm.rs-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.3,fsscc_profile_v1.0:dm.rs-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.4,fsscc_profile_v1.0:dm.rs-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.rs-2.5,fsscc_profile_v1.0:dm.rs-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1.1,fsscc_profile_v1.0:dm.be-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-1.2,fsscc_profile_v1.0:dm.be-1,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2.1,fsscc_profile_v1.0:dm.be-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-2.2,fsscc_profile_v1.0:dm.be-2,,skos:broadMatch +fsscc_profile_v1.0,fsscc_profile_v1.0:dm.be-3.1,fsscc_profile_v1.0:dm.be-3,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g,ffiec_cat_v2017.05:d1,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm,ffiec_cat_v2017.05:d1,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r,ffiec_cat_v2017.05:d1,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc,ffiec_cat_v2017.05:d1,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti,ffiec_cat_v2017.05:d2,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma,ffiec_cat_v2017.05:d2,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is,ffiec_cat_v2017.05:d2,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc,ffiec_cat_v2017.05:d3,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc,ffiec_cat_v2017.05:d3,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc,ffiec_cat_v2017.05:d3,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c,ffiec_cat_v2017.05:d4,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm,ffiec_cat_v2017.05:d4,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir,ffiec_cat_v2017.05:d5,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr,ffiec_cat_v2017.05:d5,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er,ffiec_cat_v2017.05:d5,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov,ffiec_cat_v2017.05:d1.g,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp,ffiec_cat_v2017.05:d1.g,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it,ffiec_cat_v2017.05:d1.g,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp,ffiec_cat_v2017.05:d1.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra,ffiec_cat_v2017.05:d1.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au,ffiec_cat_v2017.05:d1.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st,ffiec_cat_v2017.05:d1.r,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr,ffiec_cat_v2017.05:d1.tc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu,ffiec_cat_v2017.05:d1.tc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti,ffiec_cat_v2017.05:d2.ti,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma,ffiec_cat_v2017.05:d2.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is,ffiec_cat_v2017.05:d2.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im,ffiec_cat_v2017.05:d3.pc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am,ffiec_cat_v2017.05:d3.pc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de,ffiec_cat_v2017.05:d3.pc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se,ffiec_cat_v2017.05:d3.pc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th,ffiec_cat_v2017.05:d3.dc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an,ffiec_cat_v2017.05:d3.dc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev,ffiec_cat_v2017.05:d3.dc,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa,ffiec_cat_v2017.05:d3.cc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re,ffiec_cat_v2017.05:d3.cc,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co,ffiec_cat_v2017.05:d4.c,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd,ffiec_cat_v2017.05:d4.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co,ffiec_cat_v2017.05:d4.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om,ffiec_cat_v2017.05:d4.rm,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl,ffiec_cat_v2017.05:d5.ir,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te,ffiec_cat_v2017.05:d5.ir,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de,ffiec_cat_v2017.05:d5.dr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re,ffiec_cat_v2017.05:d5.dr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es,ffiec_cat_v2017.05:d5.er,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b,ffiec_cat_v2017.05:d1.g.ov,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e,ffiec_cat_v2017.05:d1.g.ov,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int,ffiec_cat_v2017.05:d1.g.ov,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a,ffiec_cat_v2017.05:d1.g.ov,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn,ffiec_cat_v2017.05:d1.g.ov,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b,ffiec_cat_v2017.05:d1.g.sp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e,ffiec_cat_v2017.05:d1.g.sp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int,ffiec_cat_v2017.05:d1.g.sp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a,ffiec_cat_v2017.05:d1.g.sp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.inn,ffiec_cat_v2017.05:d1.g.sp,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b,ffiec_cat_v2017.05:d1.g.it,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e,ffiec_cat_v2017.05:d1.g.it,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int,ffiec_cat_v2017.05:d1.g.it,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a,ffiec_cat_v2017.05:d1.g.it,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn,ffiec_cat_v2017.05:d1.g.it,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.b,ffiec_cat_v2017.05:d1.rm.rmp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e,ffiec_cat_v2017.05:d1.rm.rmp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int,ffiec_cat_v2017.05:d1.rm.rmp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a,ffiec_cat_v2017.05:d1.rm.rmp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn,ffiec_cat_v2017.05:d1.rm.rmp,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b,ffiec_cat_v2017.05:d1.rm.ra,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e,ffiec_cat_v2017.05:d1.rm.ra,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.int,ffiec_cat_v2017.05:d1.rm.ra,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.a,ffiec_cat_v2017.05:d1.rm.ra,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn,ffiec_cat_v2017.05:d1.rm.ra,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b,ffiec_cat_v2017.05:d1.rm.au,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e,ffiec_cat_v2017.05:d1.rm.au,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int,ffiec_cat_v2017.05:d1.rm.au,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a,ffiec_cat_v2017.05:d1.rm.au,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn,ffiec_cat_v2017.05:d1.rm.au,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b,ffiec_cat_v2017.05:d1.r.st,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e,ffiec_cat_v2017.05:d1.r.st,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.int,ffiec_cat_v2017.05:d1.r.st,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a,ffiec_cat_v2017.05:d1.r.st,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.inn,ffiec_cat_v2017.05:d1.r.st,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b,ffiec_cat_v2017.05:d1.tc.tr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e,ffiec_cat_v2017.05:d1.tc.tr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int,ffiec_cat_v2017.05:d1.tc.tr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.a,ffiec_cat_v2017.05:d1.tc.tr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.inn,ffiec_cat_v2017.05:d1.tc.tr,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.b,ffiec_cat_v2017.05:d1.tc.cu,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e,ffiec_cat_v2017.05:d1.tc.cu,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int,ffiec_cat_v2017.05:d1.tc.cu,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.a,ffiec_cat_v2017.05:d1.tc.cu,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.inn,ffiec_cat_v2017.05:d1.tc.cu,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b,ffiec_cat_v2017.05:d2.ti.ti,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.e,ffiec_cat_v2017.05:d2.ti.ti,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int,ffiec_cat_v2017.05:d2.ti.ti,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a,ffiec_cat_v2017.05:d2.ti.ti,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn,ffiec_cat_v2017.05:d2.ti.ti,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b,ffiec_cat_v2017.05:d2.ma.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e,ffiec_cat_v2017.05:d2.ma.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int,ffiec_cat_v2017.05:d2.ma.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a,ffiec_cat_v2017.05:d2.ma.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn,ffiec_cat_v2017.05:d2.ma.ma,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b,ffiec_cat_v2017.05:d2.is.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e,ffiec_cat_v2017.05:d2.is.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int,ffiec_cat_v2017.05:d2.is.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a,ffiec_cat_v2017.05:d2.is.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn,ffiec_cat_v2017.05:d2.is.is,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b,ffiec_cat_v2017.05:d3.pc.im,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e,ffiec_cat_v2017.05:d3.pc.im,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int,ffiec_cat_v2017.05:d3.pc.im,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a,ffiec_cat_v2017.05:d3.pc.im,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn,ffiec_cat_v2017.05:d3.pc.im,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b,ffiec_cat_v2017.05:d3.pc.am,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e,ffiec_cat_v2017.05:d3.pc.am,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int,ffiec_cat_v2017.05:d3.pc.am,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a,ffiec_cat_v2017.05:d3.pc.am,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn,ffiec_cat_v2017.05:d3.pc.am,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.b,ffiec_cat_v2017.05:d3.pc.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e,ffiec_cat_v2017.05:d3.pc.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int,ffiec_cat_v2017.05:d3.pc.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a,ffiec_cat_v2017.05:d3.pc.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.inn,ffiec_cat_v2017.05:d3.pc.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b,ffiec_cat_v2017.05:d3.pc.se,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.e,ffiec_cat_v2017.05:d3.pc.se,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int,ffiec_cat_v2017.05:d3.pc.se,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a,ffiec_cat_v2017.05:d3.pc.se,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.inn,ffiec_cat_v2017.05:d3.pc.se,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b,ffiec_cat_v2017.05:d3.dc.th,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e,ffiec_cat_v2017.05:d3.dc.th,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int,ffiec_cat_v2017.05:d3.dc.th,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a,ffiec_cat_v2017.05:d3.dc.th,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn,ffiec_cat_v2017.05:d3.dc.th,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b,ffiec_cat_v2017.05:d3.dc.an,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e,ffiec_cat_v2017.05:d3.dc.an,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int,ffiec_cat_v2017.05:d3.dc.an,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a,ffiec_cat_v2017.05:d3.dc.an,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn,ffiec_cat_v2017.05:d3.dc.an,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b,ffiec_cat_v2017.05:d3.dc.ev,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.e,ffiec_cat_v2017.05:d3.dc.ev,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int,ffiec_cat_v2017.05:d3.dc.ev,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a,ffiec_cat_v2017.05:d3.dc.ev,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn,ffiec_cat_v2017.05:d3.dc.ev,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b,ffiec_cat_v2017.05:d3.cc.pa,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e,ffiec_cat_v2017.05:d3.cc.pa,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.int,ffiec_cat_v2017.05:d3.cc.pa,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a,ffiec_cat_v2017.05:d3.cc.pa,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn,ffiec_cat_v2017.05:d3.cc.pa,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.b,ffiec_cat_v2017.05:d3.cc.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e,ffiec_cat_v2017.05:d3.cc.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int,ffiec_cat_v2017.05:d3.cc.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.a,ffiec_cat_v2017.05:d3.cc.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.inn,ffiec_cat_v2017.05:d3.cc.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b,ffiec_cat_v2017.05:d4.c.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e,ffiec_cat_v2017.05:d4.c.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int,ffiec_cat_v2017.05:d4.c.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a,ffiec_cat_v2017.05:d4.c.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn,ffiec_cat_v2017.05:d4.c.co,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b,ffiec_cat_v2017.05:d4.rm.dd,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e,ffiec_cat_v2017.05:d4.rm.dd,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int,ffiec_cat_v2017.05:d4.rm.dd,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a,ffiec_cat_v2017.05:d4.rm.dd,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn,ffiec_cat_v2017.05:d4.rm.dd,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b,ffiec_cat_v2017.05:d4.rm.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e,ffiec_cat_v2017.05:d4.rm.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.int,ffiec_cat_v2017.05:d4.rm.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a,ffiec_cat_v2017.05:d4.rm.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.inn,ffiec_cat_v2017.05:d4.rm.co,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b,ffiec_cat_v2017.05:d4.rm.om,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e,ffiec_cat_v2017.05:d4.rm.om,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int,ffiec_cat_v2017.05:d4.rm.om,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.a,ffiec_cat_v2017.05:d4.rm.om,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.inn,ffiec_cat_v2017.05:d4.rm.om,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b,ffiec_cat_v2017.05:d5.ir.pl,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e,ffiec_cat_v2017.05:d5.ir.pl,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int,ffiec_cat_v2017.05:d5.ir.pl,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a,ffiec_cat_v2017.05:d5.ir.pl,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn,ffiec_cat_v2017.05:d5.ir.pl,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b,ffiec_cat_v2017.05:d5.ir.te,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e,ffiec_cat_v2017.05:d5.ir.te,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int,ffiec_cat_v2017.05:d5.ir.te,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a,ffiec_cat_v2017.05:d5.ir.te,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn,ffiec_cat_v2017.05:d5.ir.te,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b,ffiec_cat_v2017.05:d5.dr.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.e,ffiec_cat_v2017.05:d5.dr.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int,ffiec_cat_v2017.05:d5.dr.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a,ffiec_cat_v2017.05:d5.dr.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.inn,ffiec_cat_v2017.05:d5.dr.de,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.b,ffiec_cat_v2017.05:d5.dr.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e,ffiec_cat_v2017.05:d5.dr.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int,ffiec_cat_v2017.05:d5.dr.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a,ffiec_cat_v2017.05:d5.dr.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn,ffiec_cat_v2017.05:d5.dr.re,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b,ffiec_cat_v2017.05:d5.er.es,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e,ffiec_cat_v2017.05:d5.er.es,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int,ffiec_cat_v2017.05:d5.er.es,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a,ffiec_cat_v2017.05:d5.er.es,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.inn,ffiec_cat_v2017.05:d5.er.es,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.1,ffiec_cat_v2017.05:d1.g.ov.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.2,ffiec_cat_v2017.05:d1.g.ov.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.3,ffiec_cat_v2017.05:d1.g.ov.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.4,ffiec_cat_v2017.05:d1.g.ov.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.b.5,ffiec_cat_v2017.05:d1.g.ov.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.1,ffiec_cat_v2017.05:d1.g.ov.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.2,ffiec_cat_v2017.05:d1.g.ov.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.3,ffiec_cat_v2017.05:d1.g.ov.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.e.4,ffiec_cat_v2017.05:d1.g.ov.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.1,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.2,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.3,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.4,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.5,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.6,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.7,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.int.8,ffiec_cat_v2017.05:d1.g.ov.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.1,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.2,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.3,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.4,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.5,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.a.6,ffiec_cat_v2017.05:d1.g.ov.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn.1,ffiec_cat_v2017.05:d1.g.ov.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.ov.inn.2,ffiec_cat_v2017.05:d1.g.ov.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.1,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.2,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.3,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.4,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.5,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.6,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.b.7,ffiec_cat_v2017.05:d1.g.sp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.1,ffiec_cat_v2017.05:d1.g.sp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.2,ffiec_cat_v2017.05:d1.g.sp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.e.3,ffiec_cat_v2017.05:d1.g.sp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.1,ffiec_cat_v2017.05:d1.g.sp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.2,ffiec_cat_v2017.05:d1.g.sp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.3,ffiec_cat_v2017.05:d1.g.sp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.4,ffiec_cat_v2017.05:d1.g.sp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.int.5,ffiec_cat_v2017.05:d1.g.sp.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.1,ffiec_cat_v2017.05:d1.g.sp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.2,ffiec_cat_v2017.05:d1.g.sp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.3,ffiec_cat_v2017.05:d1.g.sp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.4,ffiec_cat_v2017.05:d1.g.sp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.a.5,ffiec_cat_v2017.05:d1.g.sp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.sp.inn.1,ffiec_cat_v2017.05:d1.g.sp.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.1,ffiec_cat_v2017.05:d1.g.it.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.2,ffiec_cat_v2017.05:d1.g.it.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.3,ffiec_cat_v2017.05:d1.g.it.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.b.4,ffiec_cat_v2017.05:d1.g.it.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.1,ffiec_cat_v2017.05:d1.g.it.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.2,ffiec_cat_v2017.05:d1.g.it.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.3,ffiec_cat_v2017.05:d1.g.it.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.e.4,ffiec_cat_v2017.05:d1.g.it.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int.1,ffiec_cat_v2017.05:d1.g.it.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.int.2,ffiec_cat_v2017.05:d1.g.it.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.1,ffiec_cat_v2017.05:d1.g.it.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.2,ffiec_cat_v2017.05:d1.g.it.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.3,ffiec_cat_v2017.05:d1.g.it.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.a.4,ffiec_cat_v2017.05:d1.g.it.a,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn.1,ffiec_cat_v2017.05:d1.g.it.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.g.it.inn.2,ffiec_cat_v2017.05:d1.g.it.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.b.1,ffiec_cat_v2017.05:d1.rm.rmp.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.1,ffiec_cat_v2017.05:d1.rm.rmp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.2,ffiec_cat_v2017.05:d1.rm.rmp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.e.3,ffiec_cat_v2017.05:d1.rm.rmp.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.1,ffiec_cat_v2017.05:d1.rm.rmp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.2,ffiec_cat_v2017.05:d1.rm.rmp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.3,ffiec_cat_v2017.05:d1.rm.rmp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.4,ffiec_cat_v2017.05:d1.rm.rmp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.int.5,ffiec_cat_v2017.05:d1.rm.rmp.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.1,ffiec_cat_v2017.05:d1.rm.rmp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.2,ffiec_cat_v2017.05:d1.rm.rmp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.3,ffiec_cat_v2017.05:d1.rm.rmp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.4,ffiec_cat_v2017.05:d1.rm.rmp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.a.5,ffiec_cat_v2017.05:d1.rm.rmp.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn.1,ffiec_cat_v2017.05:d1.rm.rmp.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.rmp.inn.2,ffiec_cat_v2017.05:d1.rm.rmp.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.1,ffiec_cat_v2017.05:d1.rm.ra.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.2,ffiec_cat_v2017.05:d1.rm.ra.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.b.3,ffiec_cat_v2017.05:d1.rm.ra.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.1,ffiec_cat_v2017.05:d1.rm.ra.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.2,ffiec_cat_v2017.05:d1.rm.ra.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.e.3,ffiec_cat_v2017.05:d1.rm.ra.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.int.1,ffiec_cat_v2017.05:d1.rm.ra.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.a.1,ffiec_cat_v2017.05:d1.rm.ra.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.1,ffiec_cat_v2017.05:d1.rm.ra.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.2,ffiec_cat_v2017.05:d1.rm.ra.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.ra.inn.3,ffiec_cat_v2017.05:d1.rm.ra.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.1,ffiec_cat_v2017.05:d1.rm.au.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.2,ffiec_cat_v2017.05:d1.rm.au.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.3,ffiec_cat_v2017.05:d1.rm.au.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.b.4,ffiec_cat_v2017.05:d1.rm.au.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.1,ffiec_cat_v2017.05:d1.rm.au.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.2,ffiec_cat_v2017.05:d1.rm.au.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.3,ffiec_cat_v2017.05:d1.rm.au.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.4,ffiec_cat_v2017.05:d1.rm.au.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.e.5,ffiec_cat_v2017.05:d1.rm.au.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.1,ffiec_cat_v2017.05:d1.rm.au.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.2,ffiec_cat_v2017.05:d1.rm.au.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.3,ffiec_cat_v2017.05:d1.rm.au.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.int.4,ffiec_cat_v2017.05:d1.rm.au.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.1,ffiec_cat_v2017.05:d1.rm.au.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.2,ffiec_cat_v2017.05:d1.rm.au.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.a.3,ffiec_cat_v2017.05:d1.rm.au.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn.1,ffiec_cat_v2017.05:d1.rm.au.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.rm.au.inn.2,ffiec_cat_v2017.05:d1.rm.au.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b.1,ffiec_cat_v2017.05:d1.r.st.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.b.2,ffiec_cat_v2017.05:d1.r.st.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.1,ffiec_cat_v2017.05:d1.r.st.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.2,ffiec_cat_v2017.05:d1.r.st.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.3,ffiec_cat_v2017.05:d1.r.st.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.e.4,ffiec_cat_v2017.05:d1.r.st.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.int.1,ffiec_cat_v2017.05:d1.r.st.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a.1,ffiec_cat_v2017.05:d1.r.st.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.a.2,ffiec_cat_v2017.05:d1.r.st.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.r.st.inn.1,ffiec_cat_v2017.05:d1.r.st.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.1,ffiec_cat_v2017.05:d1.tc.tr.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.2,ffiec_cat_v2017.05:d1.tc.tr.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.3,ffiec_cat_v2017.05:d1.tc.tr.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.b.4,ffiec_cat_v2017.05:d1.tc.tr.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.1,ffiec_cat_v2017.05:d1.tc.tr.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.2,ffiec_cat_v2017.05:d1.tc.tr.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.3,ffiec_cat_v2017.05:d1.tc.tr.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.4,ffiec_cat_v2017.05:d1.tc.tr.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.e.5,ffiec_cat_v2017.05:d1.tc.tr.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.1,ffiec_cat_v2017.05:d1.tc.tr.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.2,ffiec_cat_v2017.05:d1.tc.tr.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.3,ffiec_cat_v2017.05:d1.tc.tr.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.int.4,ffiec_cat_v2017.05:d1.tc.tr.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.a.1,ffiec_cat_v2017.05:d1.tc.tr.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.tr.inn.1,ffiec_cat_v2017.05:d1.tc.tr.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.b.1,ffiec_cat_v2017.05:d1.tc.cu.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.1,ffiec_cat_v2017.05:d1.tc.cu.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.2,ffiec_cat_v2017.05:d1.tc.cu.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.e.3,ffiec_cat_v2017.05:d1.tc.cu.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.1,ffiec_cat_v2017.05:d1.tc.cu.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.2,ffiec_cat_v2017.05:d1.tc.cu.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.int.3,ffiec_cat_v2017.05:d1.tc.cu.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.a.1,ffiec_cat_v2017.05:d1.tc.cu.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d1.tc.cu.inn.1,ffiec_cat_v2017.05:d1.tc.cu.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.1,ffiec_cat_v2017.05:d2.ti.ti.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.2,ffiec_cat_v2017.05:d2.ti.ti.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.b.3,ffiec_cat_v2017.05:d2.ti.ti.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.e.1,ffiec_cat_v2017.05:d2.ti.ti.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.1,ffiec_cat_v2017.05:d2.ti.ti.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.2,ffiec_cat_v2017.05:d2.ti.ti.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.int.3,ffiec_cat_v2017.05:d2.ti.ti.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.1,ffiec_cat_v2017.05:d2.ti.ti.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.2,ffiec_cat_v2017.05:d2.ti.ti.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.a.3,ffiec_cat_v2017.05:d2.ti.ti.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn.1,ffiec_cat_v2017.05:d2.ti.ti.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ti.ti.inn.2,ffiec_cat_v2017.05:d2.ti.ti.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b.1,ffiec_cat_v2017.05:d2.ma.ma.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.b.2,ffiec_cat_v2017.05:d2.ma.ma.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.1,ffiec_cat_v2017.05:d2.ma.ma.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.2,ffiec_cat_v2017.05:d2.ma.ma.e,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.3,ffiec_cat_v2017.05:d2.ma.ma.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.e.4,ffiec_cat_v2017.05:d2.ma.ma.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.1,ffiec_cat_v2017.05:d2.ma.ma.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.2,ffiec_cat_v2017.05:d2.ma.ma.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.3,ffiec_cat_v2017.05:d2.ma.ma.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.int.4,ffiec_cat_v2017.05:d2.ma.ma.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.1,ffiec_cat_v2017.05:d2.ma.ma.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.2,ffiec_cat_v2017.05:d2.ma.ma.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.3,ffiec_cat_v2017.05:d2.ma.ma.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.4,ffiec_cat_v2017.05:d2.ma.ma.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.a.5,ffiec_cat_v2017.05:d2.ma.ma.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.1,ffiec_cat_v2017.05:d2.ma.ma.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.2,ffiec_cat_v2017.05:d2.ma.ma.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.ma.ma.inn.3,ffiec_cat_v2017.05:d2.ma.ma.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.1,ffiec_cat_v2017.05:d2.is.is.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.2,ffiec_cat_v2017.05:d2.is.is.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.b.3,ffiec_cat_v2017.05:d2.is.is.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e.1,ffiec_cat_v2017.05:d2.is.is.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.e.2,ffiec_cat_v2017.05:d2.is.is.e,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.1,ffiec_cat_v2017.05:d2.is.is.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.2,ffiec_cat_v2017.05:d2.is.is.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.3,ffiec_cat_v2017.05:d2.is.is.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.int.4,ffiec_cat_v2017.05:d2.is.is.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.1,ffiec_cat_v2017.05:d2.is.is.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.2,ffiec_cat_v2017.05:d2.is.is.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.a.3,ffiec_cat_v2017.05:d2.is.is.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.1,ffiec_cat_v2017.05:d2.is.is.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.2,ffiec_cat_v2017.05:d2.is.is.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d2.is.is.inn.3,ffiec_cat_v2017.05:d2.is.is.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.1,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.2,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.3,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.4,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.5,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.6,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.7,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.8,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.9,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.b.10,ffiec_cat_v2017.05:d3.pc.im.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.1,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.2,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.3,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.4,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.5,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.6,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.7,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.e.8,ffiec_cat_v2017.05:d3.pc.im.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.1,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.2,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.3,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.4,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.5,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.int.6,ffiec_cat_v2017.05:d3.pc.im.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.1,ffiec_cat_v2017.05:d3.pc.im.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.2,ffiec_cat_v2017.05:d3.pc.im.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.a.3,ffiec_cat_v2017.05:d3.pc.im.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.1,ffiec_cat_v2017.05:d3.pc.im.inn,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.2,ffiec_cat_v2017.05:d3.pc.im.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.3,ffiec_cat_v2017.05:d3.pc.im.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.im.inn.4,ffiec_cat_v2017.05:d3.pc.im.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.1,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.2,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.3,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.4,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.5,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.6,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.7,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.8,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.9,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.10,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.11,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.12,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.13,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.14,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.15,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.16,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.17,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.b.18,ffiec_cat_v2017.05:d3.pc.am.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.1,ffiec_cat_v2017.05:d3.pc.am.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.2,ffiec_cat_v2017.05:d3.pc.am.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.3,ffiec_cat_v2017.05:d3.pc.am.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.4,ffiec_cat_v2017.05:d3.pc.am.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.e.5,ffiec_cat_v2017.05:d3.pc.am.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.1,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.2,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.3,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.4,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.5,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.6,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.7,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.int.8,ffiec_cat_v2017.05:d3.pc.am.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a.1,ffiec_cat_v2017.05:d3.pc.am.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.a.2,ffiec_cat_v2017.05:d3.pc.am.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.1,ffiec_cat_v2017.05:d3.pc.am.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.2,ffiec_cat_v2017.05:d3.pc.am.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.3,ffiec_cat_v2017.05:d3.pc.am.inn,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.4,ffiec_cat_v2017.05:d3.pc.am.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.am.inn.5,ffiec_cat_v2017.05:d3.pc.am.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.b.1,ffiec_cat_v2017.05:d3.pc.de.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.1,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.2,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.3,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.4,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.5,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.6,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.e.7,ffiec_cat_v2017.05:d3.pc.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.1,ffiec_cat_v2017.05:d3.pc.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.2,ffiec_cat_v2017.05:d3.pc.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.int.3,ffiec_cat_v2017.05:d3.pc.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a.1,ffiec_cat_v2017.05:d3.pc.de.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.a.2,ffiec_cat_v2017.05:d3.pc.de.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.de.inn.1,ffiec_cat_v2017.05:d3.pc.de.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.1,ffiec_cat_v2017.05:d3.pc.se.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.2,ffiec_cat_v2017.05:d3.pc.se.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.3,ffiec_cat_v2017.05:d3.pc.se.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.b.4,ffiec_cat_v2017.05:d3.pc.se.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.e.1,ffiec_cat_v2017.05:d3.pc.se.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.1,ffiec_cat_v2017.05:d3.pc.se.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.2,ffiec_cat_v2017.05:d3.pc.se.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.3,ffiec_cat_v2017.05:d3.pc.se.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.int.4,ffiec_cat_v2017.05:d3.pc.se.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.1,ffiec_cat_v2017.05:d3.pc.se.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.2,ffiec_cat_v2017.05:d3.pc.se.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.a.3,ffiec_cat_v2017.05:d3.pc.se.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.pc.se.inn.1,ffiec_cat_v2017.05:d3.pc.se.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.1,ffiec_cat_v2017.05:d3.dc.th.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.2,ffiec_cat_v2017.05:d3.dc.th.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.3,ffiec_cat_v2017.05:d3.dc.th.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.b.4,ffiec_cat_v2017.05:d3.dc.th.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.1,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.2,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.3,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.4,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.5,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.e.6,ffiec_cat_v2017.05:d3.dc.th.e,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int.1,ffiec_cat_v2017.05:d3.dc.th.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.int.2,ffiec_cat_v2017.05:d3.dc.th.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.1,ffiec_cat_v2017.05:d3.dc.th.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.2,ffiec_cat_v2017.05:d3.dc.th.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.a.3,ffiec_cat_v2017.05:d3.dc.th.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn.1,ffiec_cat_v2017.05:d3.dc.th.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.th.inn.2,ffiec_cat_v2017.05:d3.dc.th.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.1,ffiec_cat_v2017.05:d3.dc.an.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.2,ffiec_cat_v2017.05:d3.dc.an.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.3,ffiec_cat_v2017.05:d3.dc.an.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.4,ffiec_cat_v2017.05:d3.dc.an.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.b.5,ffiec_cat_v2017.05:d3.dc.an.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.1,ffiec_cat_v2017.05:d3.dc.an.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.2,ffiec_cat_v2017.05:d3.dc.an.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.3,ffiec_cat_v2017.05:d3.dc.an.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.e.4,ffiec_cat_v2017.05:d3.dc.an.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.1,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.2,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.3,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.4,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.5,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.int.6,ffiec_cat_v2017.05:d3.dc.an.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.1,ffiec_cat_v2017.05:d3.dc.an.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.2,ffiec_cat_v2017.05:d3.dc.an.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.3,ffiec_cat_v2017.05:d3.dc.an.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.4,ffiec_cat_v2017.05:d3.dc.an.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.a.5,ffiec_cat_v2017.05:d3.dc.an.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn.1,ffiec_cat_v2017.05:d3.dc.an.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.an.inn.2,ffiec_cat_v2017.05:d3.dc.an.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.1,ffiec_cat_v2017.05:d3.dc.ev.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.2,ffiec_cat_v2017.05:d3.dc.ev.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.3,ffiec_cat_v2017.05:d3.dc.ev.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.4,ffiec_cat_v2017.05:d3.dc.ev.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.b.5,ffiec_cat_v2017.05:d3.dc.ev.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.e.1,ffiec_cat_v2017.05:d3.dc.ev.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.1,ffiec_cat_v2017.05:d3.dc.ev.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.2,ffiec_cat_v2017.05:d3.dc.ev.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.int.3,ffiec_cat_v2017.05:d3.dc.ev.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.1,ffiec_cat_v2017.05:d3.dc.ev.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.2,ffiec_cat_v2017.05:d3.dc.ev.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.3,ffiec_cat_v2017.05:d3.dc.ev.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.a.4,ffiec_cat_v2017.05:d3.dc.ev.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn.1,ffiec_cat_v2017.05:d3.dc.ev.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.dc.ev.inn.2,ffiec_cat_v2017.05:d3.dc.ev.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.1,ffiec_cat_v2017.05:d3.cc.pa.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.2,ffiec_cat_v2017.05:d3.cc.pa.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.b.3,ffiec_cat_v2017.05:d3.cc.pa.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.1,ffiec_cat_v2017.05:d3.cc.pa.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.2,ffiec_cat_v2017.05:d3.cc.pa.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.3,ffiec_cat_v2017.05:d3.cc.pa.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.4,ffiec_cat_v2017.05:d3.cc.pa.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.e.5,ffiec_cat_v2017.05:d3.cc.pa.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.int.1,ffiec_cat_v2017.05:d3.cc.pa.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a.1,ffiec_cat_v2017.05:d3.cc.pa.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.a.2,ffiec_cat_v2017.05:d3.cc.pa.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn.1,ffiec_cat_v2017.05:d3.cc.pa.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.pa.inn.2,ffiec_cat_v2017.05:d3.cc.pa.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.b.1,ffiec_cat_v2017.05:d3.cc.re.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e.1,ffiec_cat_v2017.05:d3.cc.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.e.2,ffiec_cat_v2017.05:d3.cc.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.1,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.2,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.3,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.4,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.5,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.int.6,ffiec_cat_v2017.05:d3.cc.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.a.1,ffiec_cat_v2017.05:d3.cc.re.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d3.cc.re.inn.1,ffiec_cat_v2017.05:d3.cc.re.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.1,ffiec_cat_v2017.05:d4.c.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.2,ffiec_cat_v2017.05:d4.c.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.3,ffiec_cat_v2017.05:d4.c.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.b.4,ffiec_cat_v2017.05:d4.c.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.1,ffiec_cat_v2017.05:d4.c.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.2,ffiec_cat_v2017.05:d4.c.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.3,ffiec_cat_v2017.05:d4.c.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.e.4,ffiec_cat_v2017.05:d4.c.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.1,ffiec_cat_v2017.05:d4.c.co.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.2,ffiec_cat_v2017.05:d4.c.co.int,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.3,ffiec_cat_v2017.05:d4.c.co.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.int.4,ffiec_cat_v2017.05:d4.c.co.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a.1,ffiec_cat_v2017.05:d4.c.co.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.a.2,ffiec_cat_v2017.05:d4.c.co.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn.1,ffiec_cat_v2017.05:d4.c.co.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.c.co.inn.2,ffiec_cat_v2017.05:d4.c.co.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.1,ffiec_cat_v2017.05:d4.rm.dd.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.2,ffiec_cat_v2017.05:d4.rm.dd.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.b.3,ffiec_cat_v2017.05:d4.rm.dd.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e.1,ffiec_cat_v2017.05:d4.rm.dd.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.e.2,ffiec_cat_v2017.05:d4.rm.dd.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int.1,ffiec_cat_v2017.05:d4.rm.dd.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.int.2,ffiec_cat_v2017.05:d4.rm.dd.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a.1,ffiec_cat_v2017.05:d4.rm.dd.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.a.2,ffiec_cat_v2017.05:d4.rm.dd.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn.1,ffiec_cat_v2017.05:d4.rm.dd.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.dd.inn.2,ffiec_cat_v2017.05:d4.rm.dd.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.1,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.2,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.3,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.4,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.5,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.b.6,ffiec_cat_v2017.05:d4.rm.co.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.1,ffiec_cat_v2017.05:d4.rm.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.2,ffiec_cat_v2017.05:d4.rm.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.e.3,ffiec_cat_v2017.05:d4.rm.co.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.int.1,ffiec_cat_v2017.05:d4.rm.co.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a.1,ffiec_cat_v2017.05:d4.rm.co.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.a.2,ffiec_cat_v2017.05:d4.rm.co.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.co.inn.1,ffiec_cat_v2017.05:d4.rm.co.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.1,ffiec_cat_v2017.05:d4.rm.om.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.2,ffiec_cat_v2017.05:d4.rm.om.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.b.3,ffiec_cat_v2017.05:d4.rm.om.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.1,ffiec_cat_v2017.05:d4.rm.om.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.2,ffiec_cat_v2017.05:d4.rm.om.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.3,ffiec_cat_v2017.05:d4.rm.om.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.e.4,ffiec_cat_v2017.05:d4.rm.om.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int.1,ffiec_cat_v2017.05:d4.rm.om.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.int.2,ffiec_cat_v2017.05:d4.rm.om.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.a.1,ffiec_cat_v2017.05:d4.rm.om.a,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d4.rm.om.inn.1,ffiec_cat_v2017.05:d4.rm.om.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.1,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.2,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.3,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.4,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.5,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.b.6,ffiec_cat_v2017.05:d5.ir.pl.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.1,ffiec_cat_v2017.05:d5.ir.pl.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.2,ffiec_cat_v2017.05:d5.ir.pl.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.3,ffiec_cat_v2017.05:d5.ir.pl.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.4,ffiec_cat_v2017.05:d5.ir.pl.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.e.5,ffiec_cat_v2017.05:d5.ir.pl.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.1,ffiec_cat_v2017.05:d5.ir.pl.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.2,ffiec_cat_v2017.05:d5.ir.pl.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.3,ffiec_cat_v2017.05:d5.ir.pl.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.int.4,ffiec_cat_v2017.05:d5.ir.pl.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.1,ffiec_cat_v2017.05:d5.ir.pl.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.2,ffiec_cat_v2017.05:d5.ir.pl.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.a.3,ffiec_cat_v2017.05:d5.ir.pl.a,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn.1,ffiec_cat_v2017.05:d5.ir.pl.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.pl.inn.2,ffiec_cat_v2017.05:d5.ir.pl.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.1,ffiec_cat_v2017.05:d5.ir.te.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.2,ffiec_cat_v2017.05:d5.ir.te.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.b.3,ffiec_cat_v2017.05:d5.ir.te.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.1,ffiec_cat_v2017.05:d5.ir.te.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.2,ffiec_cat_v2017.05:d5.ir.te.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.e.3,ffiec_cat_v2017.05:d5.ir.te.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.1,ffiec_cat_v2017.05:d5.ir.te.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.2,ffiec_cat_v2017.05:d5.ir.te.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.3,ffiec_cat_v2017.05:d5.ir.te.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.4,ffiec_cat_v2017.05:d5.ir.te.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.int.5,ffiec_cat_v2017.05:d5.ir.te.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.1,ffiec_cat_v2017.05:d5.ir.te.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.2,ffiec_cat_v2017.05:d5.ir.te.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.3,ffiec_cat_v2017.05:d5.ir.te.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.4,ffiec_cat_v2017.05:d5.ir.te.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.a.5,ffiec_cat_v2017.05:d5.ir.te.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.1,ffiec_cat_v2017.05:d5.ir.te.inn,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.2,ffiec_cat_v2017.05:d5.ir.te.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.3,ffiec_cat_v2017.05:d5.ir.te.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.ir.te.inn.4,ffiec_cat_v2017.05:d5.ir.te.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.1,ffiec_cat_v2017.05:d5.dr.de.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.2,ffiec_cat_v2017.05:d5.dr.de.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.b.3,ffiec_cat_v2017.05:d5.dr.de.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.e.1,ffiec_cat_v2017.05:d5.dr.de.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.1,ffiec_cat_v2017.05:d5.dr.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.2,ffiec_cat_v2017.05:d5.dr.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.3,ffiec_cat_v2017.05:d5.dr.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.4,ffiec_cat_v2017.05:d5.dr.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.int.5,ffiec_cat_v2017.05:d5.dr.de.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a.1,ffiec_cat_v2017.05:d5.dr.de.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.a.2,ffiec_cat_v2017.05:d5.dr.de.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.de.inn.1,ffiec_cat_v2017.05:d5.dr.de.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.b.1,ffiec_cat_v2017.05:d5.dr.re.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.1,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.2,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.3,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.4,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.5,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.6,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.7,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.e.8,ffiec_cat_v2017.05:d5.dr.re.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.1,ffiec_cat_v2017.05:d5.dr.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.2,ffiec_cat_v2017.05:d5.dr.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.3,ffiec_cat_v2017.05:d5.dr.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.int.4,ffiec_cat_v2017.05:d5.dr.re.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.1,ffiec_cat_v2017.05:d5.dr.re.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.2,ffiec_cat_v2017.05:d5.dr.re.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.a.3,ffiec_cat_v2017.05:d5.dr.re.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn.1,ffiec_cat_v2017.05:d5.dr.re.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.dr.re.inn.2,ffiec_cat_v2017.05:d5.dr.re.inn,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.1,ffiec_cat_v2017.05:d5.er.es.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.2,ffiec_cat_v2017.05:d5.er.es.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.3,ffiec_cat_v2017.05:d5.er.es.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.b.4,ffiec_cat_v2017.05:d5.er.es.b,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.1,ffiec_cat_v2017.05:d5.er.es.e,,skos:broadMatch 
+ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.2,ffiec_cat_v2017.05:d5.er.es.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.e.3,ffiec_cat_v2017.05:d5.er.es.e,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.1,ffiec_cat_v2017.05:d5.er.es.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.2,ffiec_cat_v2017.05:d5.er.es.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.int.3,ffiec_cat_v2017.05:d5.er.es.int,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a.1,ffiec_cat_v2017.05:d5.er.es.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.a.2,ffiec_cat_v2017.05:d5.er.es.a,,skos:broadMatch +ffiec_cat_v2017.05,ffiec_cat_v2017.05:d5.er.es.inn.1,ffiec_cat_v2017.05:d5.er.es.inn,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9,aicpa_tsc_v2017:cc,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1,aicpa_tsc_v2017:a,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1,aicpa_tsc_v2017:c,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1,aicpa_tsc_v2017:pi,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4,aicpa_tsc_v2017:p,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p5,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p7,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8,aicpa_tsc_v2017:p,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1,aicpa_tsc_v2017:cc1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2,aicpa_tsc_v2017:cc1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3,aicpa_tsc_v2017:cc1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4,aicpa_tsc_v2017:cc1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5,aicpa_tsc_v2017:cc1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1,aicpa_tsc_v2017:cc2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2,aicpa_tsc_v2017:cc2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3,aicpa_tsc_v2017:cc2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1,aicpa_tsc_v2017:cc3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2,aicpa_tsc_v2017:cc3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3,aicpa_tsc_v2017:cc3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4,aicpa_tsc_v2017:cc3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1,aicpa_tsc_v2017:cc4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2,aicpa_tsc_v2017:cc4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1,aicpa_tsc_v2017:cc5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2,aicpa_tsc_v2017:cc5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3,aicpa_tsc_v2017:cc5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6 
,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8,aicpa_tsc_v2017:cc6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1,aicpa_tsc_v2017:cc7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2,aicpa_tsc_v2017:cc7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3,aicpa_tsc_v2017:cc7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4,aicpa_tsc_v2017:cc7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5,aicpa_tsc_v2017:cc7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1,aicpa_tsc_v2017:cc8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1,aicpa_tsc_v2017:cc9,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2,aicpa_tsc_v2017:cc9,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1,aicpa_tsc_v2017:a1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2,aicpa_tsc_v2017:a1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3,aicpa_tsc_v2017:a1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1,aicpa_tsc_v2017:c1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2,aicpa_tsc_v2017:c1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.1,aicpa_tsc_v2017:pi1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2,aicpa_tsc_v2017:pi1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3,aicpa_tsc_v2017:pi1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4,aicpa_tsc_v2017:pi1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5,aicpa_tsc_v2017:pi1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1,aicpa_tsc_v2017:p1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1,aicpa_tsc_v2017:p2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1,aicpa_tsc_v2017:p3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2,aicpa_tsc_v2017:p3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.1,aicpa_tsc_v2017:p4,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2,aicpa_tsc_v2017:p4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3,aicpa_tsc_v2017:p4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1,aicpa_tsc_v2017:p5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2,aicpa_tsc_v2017:p5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.2,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.3,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7,aicpa_tsc_v2017:p6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1,aicpa_tsc_v2017:p7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1,aicpa_tsc_v2017:p8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.1,aicpa_tsc_v2017:cc1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.2,aicpa_tsc_v2017:cc1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.3,aicpa_tsc_v2017:cc1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.4,aicpa_tsc_v2017:cc1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.1.5,aicpa_tsc_v2017:cc1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.1,aicpa_tsc_v2017:cc1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.2,aicpa_tsc_v2017:cc1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.3,aicpa_tsc_v2017:cc1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.2.4,aicpa_tsc_v2017:cc1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.1,aicpa_tsc_v2017:cc1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.2,aicpa_tsc_v2017:cc1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.3,aicpa_tsc_v2017:cc1.3,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.4,aicpa_tsc_v2017:cc1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.3.5,aicpa_tsc_v2017:cc1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.1,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.2,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.3,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.4,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.5,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.6,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.4.7,aicpa_tsc_v2017:cc1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.1,aicpa_tsc_v2017:cc1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.2,aicpa_tsc_v2017:cc1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.3,aicpa_tsc_v2017:cc1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.4,aicpa_tsc_v2017:cc1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc1.5.5,aicpa_tsc_v2017:cc1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.1,aicpa_tsc_v2017:cc2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.2,aicpa_tsc_v2017:cc2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.3,aicpa_tsc_v2017:cc2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.1.4,aicpa_tsc_v2017:cc2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.1,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.2,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.3,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.4,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.5,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.6,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.7,aicpa_tsc_v2017:cc2.2,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.8,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.9,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.10,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.2.11,aicpa_tsc_v2017:cc2.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.1,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.2,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.3,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.4,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.5,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.6,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.7,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.8,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.9,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.10,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc2.3.11,aicpa_tsc_v2017:cc2.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.1,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.2,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.3,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.4,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.5,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.6,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.7,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.8,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.9,aicpa_tsc_v2017:cc3.1,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.10,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.11,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.12,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.13,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.14,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.15,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.1.16,aicpa_tsc_v2017:cc3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.1,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.2,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.3,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.4,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.5,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.6,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.7,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.2.8,aicpa_tsc_v2017:cc3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.1,aicpa_tsc_v2017:cc3.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.2,aicpa_tsc_v2017:cc3.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.3,aicpa_tsc_v2017:cc3.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.4,aicpa_tsc_v2017:cc3.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.3.5,aicpa_tsc_v2017:cc3.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.1,aicpa_tsc_v2017:cc3.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.2,aicpa_tsc_v2017:cc3.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.3,aicpa_tsc_v2017:cc3.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.4,aicpa_tsc_v2017:cc3.4,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc3.4.5,aicpa_tsc_v2017:cc3.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.1,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.2,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.3,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.4,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.5,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.6,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.7,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.1.8,aicpa_tsc_v2017:cc4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.1,aicpa_tsc_v2017:cc4.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.2,aicpa_tsc_v2017:cc4.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc4.2.3,aicpa_tsc_v2017:cc4.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.1,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.2,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.3,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.4,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.5,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.1.6,aicpa_tsc_v2017:cc5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.1,aicpa_tsc_v2017:cc5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.2,aicpa_tsc_v2017:cc5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.3,aicpa_tsc_v2017:cc5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.2.4,aicpa_tsc_v2017:cc5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.1,aicpa_tsc_v2017:cc5.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.2,aicpa_tsc_v2017:cc5.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.3,aicpa_tsc_v2017:cc5.3,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.4,aicpa_tsc_v2017:cc5.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.5,aicpa_tsc_v2017:cc5.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc5.3.6,aicpa_tsc_v2017:cc5.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.1,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.2,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.3,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.4,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.5,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.6,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.7,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.8,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.9,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.1.10,aicpa_tsc_v2017:cc6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.1,aicpa_tsc_v2017:cc6.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.2,aicpa_tsc_v2017:cc6.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.2.3,aicpa_tsc_v2017:cc6.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.1,aicpa_tsc_v2017:cc6.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.2,aicpa_tsc_v2017:cc6.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.3.3,aicpa_tsc_v2017:cc6.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.1,aicpa_tsc_v2017:cc6.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.2,aicpa_tsc_v2017:cc6.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.4.3,aicpa_tsc_v2017:cc6.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5.1,aicpa_tsc_v2017:cc6.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.5.2,aicpa_tsc_v2017:cc6.5,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.1,aicpa_tsc_v2017:cc6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.2,aicpa_tsc_v2017:cc6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.3,aicpa_tsc_v2017:cc6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.6.4,aicpa_tsc_v2017:cc6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.1,aicpa_tsc_v2017:cc6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.2,aicpa_tsc_v2017:cc6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.3,aicpa_tsc_v2017:cc6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.7.4,aicpa_tsc_v2017:cc6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.1,aicpa_tsc_v2017:cc6.8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.2,aicpa_tsc_v2017:cc6.8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.3,aicpa_tsc_v2017:cc6.8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.4,aicpa_tsc_v2017:cc6.8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc6.8.5,aicpa_tsc_v2017:cc6.8,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.1,aicpa_tsc_v2017:cc7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.2,aicpa_tsc_v2017:cc7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.3,aicpa_tsc_v2017:cc7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.4,aicpa_tsc_v2017:cc7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.1.5,aicpa_tsc_v2017:cc7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.1,aicpa_tsc_v2017:cc7.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.2,aicpa_tsc_v2017:cc7.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.3,aicpa_tsc_v2017:cc7.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.2.4,aicpa_tsc_v2017:cc7.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.1,aicpa_tsc_v2017:cc7.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.2,aicpa_tsc_v2017:cc7.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.3,aicpa_tsc_v2017:cc7.3,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.4,aicpa_tsc_v2017:cc7.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.3.5,aicpa_tsc_v2017:cc7.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.1,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.2,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.3,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.4,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.5,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.6,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.7,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.8,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.9,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.10,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.11,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.12,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.4.13,aicpa_tsc_v2017:cc7.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.1,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.2,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.3,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.4,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.5,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc7.5.6,aicpa_tsc_v2017:cc7.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.1,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.2,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.3,aicpa_tsc_v2017:cc8.1,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.4,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.5,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.6,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.7,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.8,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.9,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.10,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.11,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.12,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.13,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.14,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc8.1.15,aicpa_tsc_v2017:cc8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1.1,aicpa_tsc_v2017:cc9.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.1.2,aicpa_tsc_v2017:cc9.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.1,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.2,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.3,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.4,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.5,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.6,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.7,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.8,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.9,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.10,aicpa_tsc_v2017:cc9.2,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.11,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:cc9.2.12,aicpa_tsc_v2017:cc9.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.1,aicpa_tsc_v2017:a1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.2,aicpa_tsc_v2017:a1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.1.3,aicpa_tsc_v2017:a1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.1,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.2,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.3,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.4,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.5,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.6,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.7,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.8,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.9,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.2.10,aicpa_tsc_v2017:a1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3.1,aicpa_tsc_v2017:a1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:a1.3.2,aicpa_tsc_v2017:a1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1.1,aicpa_tsc_v2017:c1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.1.2,aicpa_tsc_v2017:c1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2.1,aicpa_tsc_v2017:c1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:c1.2.2,aicpa_tsc_v2017:c1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.1.1,aicpa_tsc_v2017:pi1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.1,aicpa_tsc_v2017:pi1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.2,aicpa_tsc_v2017:pi1.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.2.3,aicpa_tsc_v2017:pi1.2,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.1,aicpa_tsc_v2017:pi1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.2,aicpa_tsc_v2017:pi1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.3,aicpa_tsc_v2017:pi1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.4,aicpa_tsc_v2017:pi1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.3.5,aicpa_tsc_v2017:pi1.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.1,aicpa_tsc_v2017:pi1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.2,aicpa_tsc_v2017:pi1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.3,aicpa_tsc_v2017:pi1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.4.4,aicpa_tsc_v2017:pi1.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.1,aicpa_tsc_v2017:pi1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.2,aicpa_tsc_v2017:pi1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.3,aicpa_tsc_v2017:pi1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:pi1.5.4,aicpa_tsc_v2017:pi1.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.1,aicpa_tsc_v2017:p1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.2,aicpa_tsc_v2017:p1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.3,aicpa_tsc_v2017:p1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p1.1.4,aicpa_tsc_v2017:p1.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.1,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.2,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.3,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.4,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.5,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p2.1.6,aicpa_tsc_v2017:p2.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.1,aicpa_tsc_v2017:p3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.2,aicpa_tsc_v2017:p3.1,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.3,aicpa_tsc_v2017:p3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.1.4,aicpa_tsc_v2017:p3.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2.1,aicpa_tsc_v2017:p3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p3.2.2,aicpa_tsc_v2017:p3.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.1.1,aicpa_tsc_v2017:p4.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2.1,aicpa_tsc_v2017:p4.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.2.2,aicpa_tsc_v2017:p4.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.1,aicpa_tsc_v2017:p4.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.2,aicpa_tsc_v2017:p4.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p4.3.3,aicpa_tsc_v2017:p4.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.1,aicpa_tsc_v2017:p5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.2,aicpa_tsc_v2017:p5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.3,aicpa_tsc_v2017:p5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.1.4,aicpa_tsc_v2017:p5.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.1,aicpa_tsc_v2017:p5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.2,aicpa_tsc_v2017:p5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p5.2.3,aicpa_tsc_v2017:p5.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.1,aicpa_tsc_v2017:p6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.2,aicpa_tsc_v2017:p6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.3,aicpa_tsc_v2017:p6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.1.4,aicpa_tsc_v2017:p6.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.2.1,aicpa_tsc_v2017:p6.2,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.3.1,aicpa_tsc_v2017:p6.3,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4.1,aicpa_tsc_v2017:p6.4,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.4.2,aicpa_tsc_v2017:p6.4,,skos:broadMatch 
+aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5.1,aicpa_tsc_v2017:p6.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.5.2,aicpa_tsc_v2017:p6.5,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6.1,aicpa_tsc_v2017:p6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.6.2,aicpa_tsc_v2017:p6.6,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7.1,aicpa_tsc_v2017:p6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p6.7.2,aicpa_tsc_v2017:p6.7,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1.1,aicpa_tsc_v2017:p7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p7.1.2,aicpa_tsc_v2017:p7.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.1,aicpa_tsc_v2017:p8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.2,aicpa_tsc_v2017:p8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.3,aicpa_tsc_v2017:p8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.4,aicpa_tsc_v2017:p8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.5,aicpa_tsc_v2017:p8.1,,skos:broadMatch +aicpa_tsc_v2017,aicpa_tsc_v2017:p8.1.6,aicpa_tsc_v2017:p8.1,,skos:broadMatch +scf,scf:gov-01,scf:gov,,skos:broadMatch +scf,scf:gov-01.1,scf:gov,,skos:broadMatch +scf,scf:gov-01.2,scf:gov,,skos:broadMatch +scf,scf:gov-02,scf:gov,,skos:broadMatch +scf,scf:gov-03,scf:gov,,skos:broadMatch +scf,scf:gov-04,scf:gov,,skos:broadMatch +scf,scf:gov-05,scf:gov,,skos:broadMatch +scf,scf:gov-05.1,scf:gov,,skos:broadMatch +scf,scf:gov-05.2,scf:gov,,skos:broadMatch +scf,scf:gov-06,scf:gov,,skos:broadMatch +scf,scf:gov-07,scf:gov,,skos:broadMatch +scf,scf:gov-08,scf:gov,,skos:broadMatch +scf,scf:gov-09,scf:gov,,skos:broadMatch +scf,scf:gov-10,scf:gov,,skos:broadMatch +scf,scf:gov-11,scf:gov,,skos:broadMatch +scf,scf:gov-12,scf:gov,,skos:broadMatch +scf,scf:gov-13,scf:gov,,skos:broadMatch +scf,scf:gov-14,scf:gov,,skos:broadMatch +scf,scf:gov-15,scf:gov,,skos:broadMatch +scf,scf:gov-15.1,scf:gov,,skos:broadMatch +scf,scf:gov-15.2,scf:gov,,skos:broadMatch 
+scf,scf:gov-15.3,scf:gov,,skos:broadMatch +scf,scf:gov-15.4,scf:gov,,skos:broadMatch +scf,scf:gov-15.5,scf:gov,,skos:broadMatch +scf,scf:ast-01,scf:ast,,skos:broadMatch +scf,scf:ast-01.1,scf:ast,,skos:broadMatch +scf,scf:ast-01.2,scf:ast,,skos:broadMatch +scf,scf:ast-01.3,scf:ast,,skos:broadMatch +scf,scf:ast-02,scf:ast,,skos:broadMatch +scf,scf:ast-02.1,scf:ast,,skos:broadMatch +scf,scf:ast-02.2,scf:ast,,skos:broadMatch +scf,scf:ast-02.3,scf:ast,,skos:broadMatch +scf,scf:ast-02.4,scf:ast,,skos:broadMatch +scf,scf:ast-02.5,scf:ast,,skos:broadMatch +scf,scf:ast-02.6,scf:ast,,skos:broadMatch +scf,scf:ast-02.7,scf:ast,,skos:broadMatch +scf,scf:ast-02.8,scf:ast,,skos:broadMatch +scf,scf:ast-02.9,scf:ast,,skos:broadMatch +scf,scf:ast-02.10,scf:ast,,skos:broadMatch +scf,scf:ast-02.11,scf:ast,,skos:broadMatch +scf,scf:ast-03,scf:ast,,skos:broadMatch +scf,scf:ast-03.1,scf:ast,,skos:broadMatch +scf,scf:ast-03.2,scf:ast,,skos:broadMatch +scf,scf:ast-04,scf:ast,,skos:broadMatch +scf,scf:ast-04.1,scf:ast,,skos:broadMatch +scf,scf:ast-04.2,scf:ast,,skos:broadMatch +scf,scf:ast-04.3,scf:ast,,skos:broadMatch +scf,scf:ast-05,scf:ast,,skos:broadMatch +scf,scf:ast-05.1,scf:ast,,skos:broadMatch +scf,scf:ast-06,scf:ast,,skos:broadMatch +scf,scf:ast-06.1,scf:ast,,skos:broadMatch +scf,scf:ast-07,scf:ast,,skos:broadMatch +scf,scf:ast-08,scf:ast,,skos:broadMatch +scf,scf:ast-09,scf:ast,,skos:broadMatch +scf,scf:ast-10,scf:ast,,skos:broadMatch +scf,scf:ast-11,scf:ast,,skos:broadMatch +scf,scf:ast-12,scf:ast,,skos:broadMatch +scf,scf:ast-13,scf:ast,,skos:broadMatch +scf,scf:ast-14,scf:ast,,skos:broadMatch +scf,scf:ast-14.1,scf:ast,,skos:broadMatch +scf,scf:ast-14.2,scf:ast,,skos:broadMatch +scf,scf:ast-15,scf:ast,,skos:broadMatch +scf,scf:ast-15.1,scf:ast,,skos:broadMatch +scf,scf:ast-16,scf:ast,,skos:broadMatch +scf,scf:ast-17,scf:ast,,skos:broadMatch +scf,scf:ast-18,scf:ast,,skos:broadMatch +scf,scf:ast-19,scf:ast,,skos:broadMatch +scf,scf:ast-20,scf:ast,,skos:broadMatch 
+scf,scf:ast-21,scf:ast,,skos:broadMatch +scf,scf:ast-22,scf:ast,,skos:broadMatch +scf,scf:ast-23,scf:ast,,skos:broadMatch +scf,scf:ast-24,scf:ast,,skos:broadMatch +scf,scf:ast-25,scf:ast,,skos:broadMatch +scf,scf:ast-26,scf:ast,,skos:broadMatch +scf,scf:ast-27,scf:ast,,skos:broadMatch +scf,scf:ast-28,scf:ast,,skos:broadMatch +scf,scf:ast-28.1,scf:ast,,skos:broadMatch +scf,scf:ast-29,scf:ast,,skos:broadMatch +scf,scf:ast-29.1,scf:ast,,skos:broadMatch +scf,scf:ast-30,scf:ast,,skos:broadMatch +scf,scf:bcd-01,scf:bcd,,skos:broadMatch +scf,scf:bcd-01.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-01.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-01.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-01.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-02,scf:bcd,,skos:broadMatch +scf,scf:bcd-02.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-02.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-02.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-02.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-03,scf:bcd,,skos:broadMatch +scf,scf:bcd-03.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-03.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-04,scf:bcd,,skos:broadMatch +scf,scf:bcd-04.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-04.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-05,scf:bcd,,skos:broadMatch +scf,scf:bcd-06,scf:bcd,,skos:broadMatch +scf,scf:bcd-07,scf:bcd,,skos:broadMatch +scf,scf:bcd-08,scf:bcd,,skos:broadMatch +scf,scf:bcd-08.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-08.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-09,scf:bcd,,skos:broadMatch +scf,scf:bcd-09.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-09.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-09.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-09.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-09.5,scf:bcd,,skos:broadMatch +scf,scf:bcd-10,scf:bcd,,skos:broadMatch +scf,scf:bcd-10.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-10.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-10.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-10.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-11,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.1,scf:bcd,,skos:broadMatch 
+scf,scf:bcd-11.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.5,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.6,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.7,scf:bcd,,skos:broadMatch +scf,scf:bcd-11.8,scf:bcd,,skos:broadMatch +scf,scf:bcd-12,scf:bcd,,skos:broadMatch +scf,scf:bcd-12.1,scf:bcd,,skos:broadMatch +scf,scf:bcd-12.2,scf:bcd,,skos:broadMatch +scf,scf:bcd-12.3,scf:bcd,,skos:broadMatch +scf,scf:bcd-12.4,scf:bcd,,skos:broadMatch +scf,scf:bcd-13,scf:bcd,,skos:broadMatch +scf,scf:bcd-14,scf:bcd,,skos:broadMatch +scf,scf:bcd-15,scf:bcd,,skos:broadMatch +scf,scf:cap-01,scf:cap,,skos:broadMatch +scf,scf:cap-02,scf:cap,,skos:broadMatch +scf,scf:cap-03,scf:cap,,skos:broadMatch +scf,scf:cap-04,scf:cap,,skos:broadMatch +scf,scf:chg-01,scf:chg,,skos:broadMatch +scf,scf:chg-02,scf:chg,,skos:broadMatch +scf,scf:chg-02.1,scf:chg,,skos:broadMatch +scf,scf:chg-02.2,scf:chg,,skos:broadMatch +scf,scf:chg-02.3,scf:chg,,skos:broadMatch +scf,scf:chg-02.4,scf:chg,,skos:broadMatch +scf,scf:chg-02.5,scf:chg,,skos:broadMatch +scf,scf:chg-03,scf:chg,,skos:broadMatch +scf,scf:chg-04,scf:chg,,skos:broadMatch +scf,scf:chg-04.1,scf:chg,,skos:broadMatch +scf,scf:chg-04.2,scf:chg,,skos:broadMatch +scf,scf:chg-04.3,scf:chg,,skos:broadMatch +scf,scf:chg-04.4,scf:chg,,skos:broadMatch +scf,scf:chg-04.5,scf:chg,,skos:broadMatch +scf,scf:chg-05,scf:chg,,skos:broadMatch +scf,scf:chg-06,scf:chg,,skos:broadMatch +scf,scf:chg-06.1,scf:chg,,skos:broadMatch +scf,scf:cld-01,scf:cld,,skos:broadMatch +scf,scf:cld-01.1,scf:cld,,skos:broadMatch +scf,scf:cld-01.2,scf:cld,,skos:broadMatch +scf,scf:cld-02,scf:cld,,skos:broadMatch +scf,scf:cld-03,scf:cld,,skos:broadMatch +scf,scf:cld-04,scf:cld,,skos:broadMatch +scf,scf:cld-05,scf:cld,,skos:broadMatch +scf,scf:cld-06,scf:cld,,skos:broadMatch +scf,scf:cld-06.1,scf:cld,,skos:broadMatch +scf,scf:cld-06.2,scf:cld,,skos:broadMatch +scf,scf:cld-06.3,scf:cld,,skos:broadMatch 
+scf,scf:cld-06.4,scf:cld,,skos:broadMatch +scf,scf:cld-07,scf:cld,,skos:broadMatch +scf,scf:cld-08,scf:cld,,skos:broadMatch +scf,scf:cld-09,scf:cld,,skos:broadMatch +scf,scf:cld-10,scf:cld,,skos:broadMatch +scf,scf:cld-11,scf:cld,,skos:broadMatch +scf,scf:cld-12,scf:cld,,skos:broadMatch +scf,scf:cpl-01,scf:cpl,,skos:broadMatch +scf,scf:cpl-01.1,scf:cpl,,skos:broadMatch +scf,scf:cpl-01.2,scf:cpl,,skos:broadMatch +scf,scf:cpl-02,scf:cpl,,skos:broadMatch +scf,scf:cpl-02.1,scf:cpl,,skos:broadMatch +scf,scf:cpl-03,scf:cpl,,skos:broadMatch +scf,scf:cpl-03.1,scf:cpl,,skos:broadMatch +scf,scf:cpl-03.2,scf:cpl,,skos:broadMatch +scf,scf:cpl-04,scf:cpl,,skos:broadMatch +scf,scf:cpl-05,scf:cpl,,skos:broadMatch +scf,scf:cpl-05.1,scf:cpl,,skos:broadMatch +scf,scf:cpl-05.2,scf:cpl,,skos:broadMatch +scf,scf:cpl-06,scf:cpl,,skos:broadMatch +scf,scf:cfg-01,scf:cfg,,skos:broadMatch +scf,scf:cfg-01.1,scf:cfg,,skos:broadMatch +scf,scf:cfg-02,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.1,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.2,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.3,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.4,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.5,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.6,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.7,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.8,scf:cfg,,skos:broadMatch +scf,scf:cfg-02.9,scf:cfg,,skos:broadMatch +scf,scf:cfg-03,scf:cfg,,skos:broadMatch +scf,scf:cfg-03.1,scf:cfg,,skos:broadMatch +scf,scf:cfg-03.2,scf:cfg,,skos:broadMatch +scf,scf:cfg-03.3,scf:cfg,,skos:broadMatch +scf,scf:cfg-03.4,scf:cfg,,skos:broadMatch +scf,scf:cfg-04,scf:cfg,,skos:broadMatch +scf,scf:cfg-04.1,scf:cfg,,skos:broadMatch +scf,scf:cfg-04.2,scf:cfg,,skos:broadMatch +scf,scf:cfg-05,scf:cfg,,skos:broadMatch +scf,scf:cfg-05.1,scf:cfg,,skos:broadMatch +scf,scf:cfg-05.2,scf:cfg,,skos:broadMatch +scf,scf:cfg-06,scf:cfg,,skos:broadMatch +scf,scf:cfg-07,scf:cfg,,skos:broadMatch +scf,scf:cfg-08,scf:cfg,,skos:broadMatch +scf,scf:cfg-08.1,scf:cfg,,skos:broadMatch 
+scf,scf:mon-01,scf:mon,,skos:broadMatch +scf,scf:mon-01.1,scf:mon,,skos:broadMatch +scf,scf:mon-01.2,scf:mon,,skos:broadMatch +scf,scf:mon-01.3,scf:mon,,skos:broadMatch +scf,scf:mon-01.4,scf:mon,,skos:broadMatch +scf,scf:mon-01.5,scf:mon,,skos:broadMatch +scf,scf:mon-01.6,scf:mon,,skos:broadMatch +scf,scf:mon-01.7,scf:mon,,skos:broadMatch +scf,scf:mon-01.8,scf:mon,,skos:broadMatch +scf,scf:mon-01.9,scf:mon,,skos:broadMatch +scf,scf:mon-01.10,scf:mon,,skos:broadMatch +scf,scf:mon-01.11,scf:mon,,skos:broadMatch +scf,scf:mon-01.12,scf:mon,,skos:broadMatch +scf,scf:mon-01.13,scf:mon,,skos:broadMatch +scf,scf:mon-01.14,scf:mon,,skos:broadMatch +scf,scf:mon-01.15,scf:mon,,skos:broadMatch +scf,scf:mon-01.16,scf:mon,,skos:broadMatch +scf,scf:mon-01.17,scf:mon,,skos:broadMatch +scf,scf:mon-02,scf:mon,,skos:broadMatch +scf,scf:mon-02.1,scf:mon,,skos:broadMatch +scf,scf:mon-02.2,scf:mon,,skos:broadMatch +scf,scf:mon-02.3,scf:mon,,skos:broadMatch +scf,scf:mon-02.4,scf:mon,,skos:broadMatch +scf,scf:mon-02.5,scf:mon,,skos:broadMatch +scf,scf:mon-02.6,scf:mon,,skos:broadMatch +scf,scf:mon-02.7,scf:mon,,skos:broadMatch +scf,scf:mon-02.8,scf:mon,,skos:broadMatch +scf,scf:mon-03,scf:mon,,skos:broadMatch +scf,scf:mon-03.1,scf:mon,,skos:broadMatch +scf,scf:mon-03.2,scf:mon,,skos:broadMatch +scf,scf:mon-03.3,scf:mon,,skos:broadMatch +scf,scf:mon-03.4,scf:mon,,skos:broadMatch +scf,scf:mon-03.5,scf:mon,,skos:broadMatch +scf,scf:mon-03.6,scf:mon,,skos:broadMatch +scf,scf:mon-03.7,scf:mon,,skos:broadMatch +scf,scf:mon-04,scf:mon,,skos:broadMatch +scf,scf:mon-05,scf:mon,,skos:broadMatch +scf,scf:mon-05.1,scf:mon,,skos:broadMatch +scf,scf:mon-05.2,scf:mon,,skos:broadMatch +scf,scf:mon-06,scf:mon,,skos:broadMatch +scf,scf:mon-06.1,scf:mon,,skos:broadMatch +scf,scf:mon-06.2,scf:mon,,skos:broadMatch +scf,scf:mon-07,scf:mon,,skos:broadMatch +scf,scf:mon-07.1,scf:mon,,skos:broadMatch +scf,scf:mon-08,scf:mon,,skos:broadMatch +scf,scf:mon-08.1,scf:mon,,skos:broadMatch 
+scf,scf:mon-08.2,scf:mon,,skos:broadMatch +scf,scf:mon-08.3,scf:mon,,skos:broadMatch +scf,scf:mon-08.4,scf:mon,,skos:broadMatch +scf,scf:mon-09,scf:mon,,skos:broadMatch +scf,scf:mon-09.1,scf:mon,,skos:broadMatch +scf,scf:mon-10,scf:mon,,skos:broadMatch +scf,scf:mon-11,scf:mon,,skos:broadMatch +scf,scf:mon-11.1,scf:mon,,skos:broadMatch +scf,scf:mon-11.2,scf:mon,,skos:broadMatch +scf,scf:mon-11.3,scf:mon,,skos:broadMatch +scf,scf:mon-12,scf:mon,,skos:broadMatch +scf,scf:mon-13,scf:mon,,skos:broadMatch +scf,scf:mon-14,scf:mon,,skos:broadMatch +scf,scf:mon-14.1,scf:mon,,skos:broadMatch +scf,scf:mon-15,scf:mon,,skos:broadMatch +scf,scf:mon-16,scf:mon,,skos:broadMatch +scf,scf:mon-16.1,scf:mon,,skos:broadMatch +scf,scf:mon-16.2,scf:mon,,skos:broadMatch +scf,scf:mon-16.3,scf:mon,,skos:broadMatch +scf,scf:mon-16.4,scf:mon,,skos:broadMatch +scf,scf:cry-01,scf:cry,,skos:broadMatch +scf,scf:cry-01.1,scf:cry,,skos:broadMatch +scf,scf:cry-01.2,scf:cry,,skos:broadMatch +scf,scf:cry-01.3,scf:cry,,skos:broadMatch +scf,scf:cry-01.4,scf:cry,,skos:broadMatch +scf,scf:cry-01.5,scf:cry,,skos:broadMatch +scf,scf:cry-02,scf:cry,,skos:broadMatch +scf,scf:cry-03,scf:cry,,skos:broadMatch +scf,scf:cry-04,scf:cry,,skos:broadMatch +scf,scf:cry-05,scf:cry,,skos:broadMatch +scf,scf:cry-05.1,scf:cry,,skos:broadMatch +scf,scf:cry-05.2,scf:cry,,skos:broadMatch +scf,scf:cry-05.3,scf:cry,,skos:broadMatch +scf,scf:cry-06,scf:cry,,skos:broadMatch +scf,scf:cry-07,scf:cry,,skos:broadMatch +scf,scf:cry-08,scf:cry,,skos:broadMatch +scf,scf:cry-08.1,scf:cry,,skos:broadMatch +scf,scf:cry-09,scf:cry,,skos:broadMatch +scf,scf:cry-09.1,scf:cry,,skos:broadMatch +scf,scf:cry-09.2,scf:cry,,skos:broadMatch +scf,scf:cry-09.3,scf:cry,,skos:broadMatch +scf,scf:cry-09.4,scf:cry,,skos:broadMatch +scf,scf:cry-09.5,scf:cry,,skos:broadMatch +scf,scf:cry-09.6,scf:cry,,skos:broadMatch +scf,scf:cry-09.7,scf:cry,,skos:broadMatch +scf,scf:cry-10,scf:cry,,skos:broadMatch +scf,scf:cry-11,scf:cry,,skos:broadMatch 
+scf,scf:dch-01,scf:dch,,skos:broadMatch +scf,scf:dch-01.1,scf:dch,,skos:broadMatch +scf,scf:dch-01.2,scf:dch,,skos:broadMatch +scf,scf:dch-01.3,scf:dch,,skos:broadMatch +scf,scf:dch-02,scf:dch,,skos:broadMatch +scf,scf:dch-02.1,scf:dch,,skos:broadMatch +scf,scf:dch-03,scf:dch,,skos:broadMatch +scf,scf:dch-03.1,scf:dch,,skos:broadMatch +scf,scf:dch-03.2,scf:dch,,skos:broadMatch +scf,scf:dch-03.3,scf:dch,,skos:broadMatch +scf,scf:dch-04,scf:dch,,skos:broadMatch +scf,scf:dch-04.1,scf:dch,,skos:broadMatch +scf,scf:dch-05,scf:dch,,skos:broadMatch +scf,scf:dch-05.1,scf:dch,,skos:broadMatch +scf,scf:dch-05.2,scf:dch,,skos:broadMatch +scf,scf:dch-05.3,scf:dch,,skos:broadMatch +scf,scf:dch-05.4,scf:dch,,skos:broadMatch +scf,scf:dch-05.5,scf:dch,,skos:broadMatch +scf,scf:dch-05.6,scf:dch,,skos:broadMatch +scf,scf:dch-05.7,scf:dch,,skos:broadMatch +scf,scf:dch-05.8,scf:dch,,skos:broadMatch +scf,scf:dch-05.9,scf:dch,,skos:broadMatch +scf,scf:dch-05.10,scf:dch,,skos:broadMatch +scf,scf:dch-05.11,scf:dch,,skos:broadMatch +scf,scf:dch-06,scf:dch,,skos:broadMatch +scf,scf:dch-06.1,scf:dch,,skos:broadMatch +scf,scf:dch-06.2,scf:dch,,skos:broadMatch +scf,scf:dch-06.3,scf:dch,,skos:broadMatch +scf,scf:dch-06.4,scf:dch,,skos:broadMatch +scf,scf:dch-06.5,scf:dch,,skos:broadMatch +scf,scf:dch-07,scf:dch,,skos:broadMatch +scf,scf:dch-07.1,scf:dch,,skos:broadMatch +scf,scf:dch-07.2,scf:dch,,skos:broadMatch +scf,scf:dch-08,scf:dch,,skos:broadMatch +scf,scf:dch-09,scf:dch,,skos:broadMatch +scf,scf:dch-09.1,scf:dch,,skos:broadMatch +scf,scf:dch-09.2,scf:dch,,skos:broadMatch +scf,scf:dch-09.3,scf:dch,,skos:broadMatch +scf,scf:dch-09.4,scf:dch,,skos:broadMatch +scf,scf:dch-09.5,scf:dch,,skos:broadMatch +scf,scf:dch-10,scf:dch,,skos:broadMatch +scf,scf:dch-10.1,scf:dch,,skos:broadMatch +scf,scf:dch-10.2,scf:dch,,skos:broadMatch +scf,scf:dch-11,scf:dch,,skos:broadMatch +scf,scf:dch-12,scf:dch,,skos:broadMatch +scf,scf:dch-13,scf:dch,,skos:broadMatch +scf,scf:dch-13.1,scf:dch,,skos:broadMatch 
+scf,scf:dch-13.2,scf:dch,,skos:broadMatch +scf,scf:dch-13.3,scf:dch,,skos:broadMatch +scf,scf:dch-13.4,scf:dch,,skos:broadMatch +scf,scf:dch-14,scf:dch,,skos:broadMatch +scf,scf:dch-14.1,scf:dch,,skos:broadMatch +scf,scf:dch-14.2,scf:dch,,skos:broadMatch +scf,scf:dch-14.3,scf:dch,,skos:broadMatch +scf,scf:dch-15,scf:dch,,skos:broadMatch +scf,scf:dch-16,scf:dch,,skos:broadMatch +scf,scf:dch-17,scf:dch,,skos:broadMatch +scf,scf:dch-18,scf:dch,,skos:broadMatch +scf,scf:dch-18.1,scf:dch,,skos:broadMatch +scf,scf:dch-18.2,scf:dch,,skos:broadMatch +scf,scf:dch-18.3,scf:dch,,skos:broadMatch +scf,scf:dch-19,scf:dch,,skos:broadMatch +scf,scf:dch-20,scf:dch,,skos:broadMatch +scf,scf:dch-21,scf:dch,,skos:broadMatch +scf,scf:dch-22,scf:dch,,skos:broadMatch +scf,scf:dch-22.1,scf:dch,,skos:broadMatch +scf,scf:dch-22.2,scf:dch,,skos:broadMatch +scf,scf:dch-22.3,scf:dch,,skos:broadMatch +scf,scf:dch-23,scf:dch,,skos:broadMatch +scf,scf:dch-23.1,scf:dch,,skos:broadMatch +scf,scf:dch-23.2,scf:dch,,skos:broadMatch +scf,scf:dch-23.3,scf:dch,,skos:broadMatch +scf,scf:dch-23.4,scf:dch,,skos:broadMatch +scf,scf:dch-23.5,scf:dch,,skos:broadMatch +scf,scf:dch-23.6,scf:dch,,skos:broadMatch +scf,scf:dch-23.7,scf:dch,,skos:broadMatch +scf,scf:dch-23.8,scf:dch,,skos:broadMatch +scf,scf:dch-23.9,scf:dch,,skos:broadMatch +scf,scf:dch-24,scf:dch,,skos:broadMatch +scf,scf:dch-24.1,scf:dch,,skos:broadMatch +scf,scf:dch-25,scf:dch,,skos:broadMatch +scf,scf:dch-25.1,scf:dch,,skos:broadMatch +scf,scf:dch-26,scf:dch,,skos:broadMatch +scf,scf:emb-01,scf:emb,,skos:broadMatch +scf,scf:emb-02,scf:emb,,skos:broadMatch +scf,scf:emb-03,scf:emb,,skos:broadMatch +scf,scf:emb-04,scf:emb,,skos:broadMatch +scf,scf:emb-05,scf:emb,,skos:broadMatch +scf,scf:emb-06,scf:emb,,skos:broadMatch +scf,scf:emb-07,scf:emb,,skos:broadMatch +scf,scf:emb-08,scf:emb,,skos:broadMatch +scf,scf:emb-09,scf:emb,,skos:broadMatch +scf,scf:emb-10,scf:emb,,skos:broadMatch +scf,scf:emb-11,scf:emb,,skos:broadMatch 
+scf,scf:emb-12,scf:emb,,skos:broadMatch +scf,scf:emb-13,scf:emb,,skos:broadMatch +scf,scf:emb-14,scf:emb,,skos:broadMatch +scf,scf:emb-15,scf:emb,,skos:broadMatch +scf,scf:emb-16,scf:emb,,skos:broadMatch +scf,scf:emb-17,scf:emb,,skos:broadMatch +scf,scf:emb-18,scf:emb,,skos:broadMatch +scf,scf:emb-19,scf:emb,,skos:broadMatch +scf,scf:end-01,scf:end,,skos:broadMatch +scf,scf:end-02,scf:end,,skos:broadMatch +scf,scf:end-03,scf:end,,skos:broadMatch +scf,scf:end-03.1,scf:end,,skos:broadMatch +scf,scf:end-03.2,scf:end,,skos:broadMatch +scf,scf:end-04,scf:end,,skos:broadMatch +scf,scf:end-04.1,scf:end,,skos:broadMatch +scf,scf:end-04.2,scf:end,,skos:broadMatch +scf,scf:end-04.3,scf:end,,skos:broadMatch +scf,scf:end-04.4,scf:end,,skos:broadMatch +scf,scf:end-04.5,scf:end,,skos:broadMatch +scf,scf:end-04.6,scf:end,,skos:broadMatch +scf,scf:end-04.7,scf:end,,skos:broadMatch +scf,scf:end-05,scf:end,,skos:broadMatch +scf,scf:end-06,scf:end,,skos:broadMatch +scf,scf:end-06.1,scf:end,,skos:broadMatch +scf,scf:end-06.2,scf:end,,skos:broadMatch +scf,scf:end-06.3,scf:end,,skos:broadMatch +scf,scf:end-06.4,scf:end,,skos:broadMatch +scf,scf:end-06.5,scf:end,,skos:broadMatch +scf,scf:end-06.6,scf:end,,skos:broadMatch +scf,scf:end-06.7,scf:end,,skos:broadMatch +scf,scf:end-07,scf:end,,skos:broadMatch +scf,scf:end-08,scf:end,,skos:broadMatch +scf,scf:end-08.1,scf:end,,skos:broadMatch +scf,scf:end-08.2,scf:end,,skos:broadMatch +scf,scf:end-09,scf:end,,skos:broadMatch +scf,scf:end-10,scf:end,,skos:broadMatch +scf,scf:end-11,scf:end,,skos:broadMatch +scf,scf:end-12,scf:end,,skos:broadMatch +scf,scf:end-13,scf:end,,skos:broadMatch +scf,scf:end-13.1,scf:end,,skos:broadMatch +scf,scf:end-13.2,scf:end,,skos:broadMatch +scf,scf:end-13.3,scf:end,,skos:broadMatch +scf,scf:end-13.4,scf:end,,skos:broadMatch +scf,scf:end-14,scf:end,,skos:broadMatch +scf,scf:end-14.1,scf:end,,skos:broadMatch +scf,scf:end-14.2,scf:end,,skos:broadMatch +scf,scf:end-15,scf:end,,skos:broadMatch 
+scf,scf:end-16,scf:end,,skos:broadMatch +scf,scf:end-16.1,scf:end,,skos:broadMatch +scf,scf:hrs-01,scf:hrs,,skos:broadMatch +scf,scf:hrs-02,scf:hrs,,skos:broadMatch +scf,scf:hrs-02.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-02.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-03,scf:hrs,,skos:broadMatch +scf,scf:hrs-03.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-03.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-04,scf:hrs,,skos:broadMatch +scf,scf:hrs-04.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-04.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-04.3,scf:hrs,,skos:broadMatch +scf,scf:hrs-04.4,scf:hrs,,skos:broadMatch +scf,scf:hrs-05,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.3,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.4,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.5,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.6,scf:hrs,,skos:broadMatch +scf,scf:hrs-05.7,scf:hrs,,skos:broadMatch +scf,scf:hrs-06,scf:hrs,,skos:broadMatch +scf,scf:hrs-06.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-06.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-07,scf:hrs,,skos:broadMatch +scf,scf:hrs-07.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-08,scf:hrs,,skos:broadMatch +scf,scf:hrs-09,scf:hrs,,skos:broadMatch +scf,scf:hrs-09.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-09.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-09.3,scf:hrs,,skos:broadMatch +scf,scf:hrs-09.4,scf:hrs,,skos:broadMatch +scf,scf:hrs-10,scf:hrs,,skos:broadMatch +scf,scf:hrs-11,scf:hrs,,skos:broadMatch +scf,scf:hrs-12,scf:hrs,,skos:broadMatch +scf,scf:hrs-12.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-13,scf:hrs,,skos:broadMatch +scf,scf:hrs-13.1,scf:hrs,,skos:broadMatch +scf,scf:hrs-13.2,scf:hrs,,skos:broadMatch +scf,scf:hrs-13.3,scf:hrs,,skos:broadMatch +scf,scf:hrs-13.4,scf:hrs,,skos:broadMatch +scf,scf:iac-01,scf:iac,,skos:broadMatch +scf,scf:iac-01.1,scf:iac,,skos:broadMatch +scf,scf:iac-02,scf:iac,,skos:broadMatch +scf,scf:iac-02.1,scf:iac,,skos:broadMatch +scf,scf:iac-02.2,scf:iac,,skos:broadMatch 
+scf,scf:iac-02.3,scf:iac,,skos:broadMatch +scf,scf:iac-02.4,scf:iac,,skos:broadMatch +scf,scf:iac-03,scf:iac,,skos:broadMatch +scf,scf:iac-03.1,scf:iac,,skos:broadMatch +scf,scf:iac-03.2,scf:iac,,skos:broadMatch +scf,scf:iac-03.3,scf:iac,,skos:broadMatch +scf,scf:iac-03.4,scf:iac,,skos:broadMatch +scf,scf:iac-03.5,scf:iac,,skos:broadMatch +scf,scf:iac-04,scf:iac,,skos:broadMatch +scf,scf:iac-04.1,scf:iac,,skos:broadMatch +scf,scf:iac-05,scf:iac,,skos:broadMatch +scf,scf:iac-05.1,scf:iac,,skos:broadMatch +scf,scf:iac-05.2,scf:iac,,skos:broadMatch +scf,scf:iac-06,scf:iac,,skos:broadMatch +scf,scf:iac-06.1,scf:iac,,skos:broadMatch +scf,scf:iac-06.2,scf:iac,,skos:broadMatch +scf,scf:iac-06.3,scf:iac,,skos:broadMatch +scf,scf:iac-06.4,scf:iac,,skos:broadMatch +scf,scf:iac-07,scf:iac,,skos:broadMatch +scf,scf:iac-07.1,scf:iac,,skos:broadMatch +scf,scf:iac-07.2,scf:iac,,skos:broadMatch +scf,scf:iac-08,scf:iac,,skos:broadMatch +scf,scf:iac-09,scf:iac,,skos:broadMatch +scf,scf:iac-09.1,scf:iac,,skos:broadMatch +scf,scf:iac-09.2,scf:iac,,skos:broadMatch +scf,scf:iac-09.3,scf:iac,,skos:broadMatch +scf,scf:iac-09.4,scf:iac,,skos:broadMatch +scf,scf:iac-09.5,scf:iac,,skos:broadMatch +scf,scf:iac-09.6,scf:iac,,skos:broadMatch +scf,scf:iac-10,scf:iac,,skos:broadMatch +scf,scf:iac-10.1,scf:iac,,skos:broadMatch +scf,scf:iac-10.2,scf:iac,,skos:broadMatch +scf,scf:iac-10.3,scf:iac,,skos:broadMatch +scf,scf:iac-10.4,scf:iac,,skos:broadMatch +scf,scf:iac-10.5,scf:iac,,skos:broadMatch +scf,scf:iac-10.6,scf:iac,,skos:broadMatch +scf,scf:iac-10.7,scf:iac,,skos:broadMatch +scf,scf:iac-10.8,scf:iac,,skos:broadMatch +scf,scf:iac-10.9,scf:iac,,skos:broadMatch +scf,scf:iac-10.10,scf:iac,,skos:broadMatch +scf,scf:iac-10.11,scf:iac,,skos:broadMatch +scf,scf:iac-10.12,scf:iac,,skos:broadMatch +scf,scf:iac-11,scf:iac,,skos:broadMatch +scf,scf:iac-12,scf:iac,,skos:broadMatch +scf,scf:iac-12.1,scf:iac,,skos:broadMatch +scf,scf:iac-13,scf:iac,,skos:broadMatch 
+scf,scf:iac-13.1,scf:iac,,skos:broadMatch +scf,scf:iac-13.2,scf:iac,,skos:broadMatch +scf,scf:iac-14,scf:iac,,skos:broadMatch +scf,scf:iac-15,scf:iac,,skos:broadMatch +scf,scf:iac-15.1,scf:iac,,skos:broadMatch +scf,scf:iac-15.2,scf:iac,,skos:broadMatch +scf,scf:iac-15.3,scf:iac,,skos:broadMatch +scf,scf:iac-15.4,scf:iac,,skos:broadMatch +scf,scf:iac-15.5,scf:iac,,skos:broadMatch +scf,scf:iac-15.6,scf:iac,,skos:broadMatch +scf,scf:iac-15.7,scf:iac,,skos:broadMatch +scf,scf:iac-15.8,scf:iac,,skos:broadMatch +scf,scf:iac-15.9,scf:iac,,skos:broadMatch +scf,scf:iac-16,scf:iac,,skos:broadMatch +scf,scf:iac-16.1,scf:iac,,skos:broadMatch +scf,scf:iac-16.2,scf:iac,,skos:broadMatch +scf,scf:iac-17,scf:iac,,skos:broadMatch +scf,scf:iac-18,scf:iac,,skos:broadMatch +scf,scf:iac-19,scf:iac,,skos:broadMatch +scf,scf:iac-20,scf:iac,,skos:broadMatch +scf,scf:iac-20.1,scf:iac,,skos:broadMatch +scf,scf:iac-20.2,scf:iac,,skos:broadMatch +scf,scf:iac-20.3,scf:iac,,skos:broadMatch +scf,scf:iac-20.4,scf:iac,,skos:broadMatch +scf,scf:iac-20.5,scf:iac,,skos:broadMatch +scf,scf:iac-20.6,scf:iac,,skos:broadMatch +scf,scf:iac-21,scf:iac,,skos:broadMatch +scf,scf:iac-21.1,scf:iac,,skos:broadMatch +scf,scf:iac-21.2,scf:iac,,skos:broadMatch +scf,scf:iac-21.3,scf:iac,,skos:broadMatch +scf,scf:iac-21.4,scf:iac,,skos:broadMatch +scf,scf:iac-21.5,scf:iac,,skos:broadMatch +scf,scf:iac-21.6,scf:iac,,skos:broadMatch +scf,scf:iac-21.7,scf:iac,,skos:broadMatch +scf,scf:iac-22,scf:iac,,skos:broadMatch +scf,scf:iac-23,scf:iac,,skos:broadMatch +scf,scf:iac-24,scf:iac,,skos:broadMatch +scf,scf:iac-24.1,scf:iac,,skos:broadMatch +scf,scf:iac-25,scf:iac,,skos:broadMatch +scf,scf:iac-25.1,scf:iac,,skos:broadMatch +scf,scf:iac-26,scf:iac,,skos:broadMatch +scf,scf:iac-27,scf:iac,,skos:broadMatch +scf,scf:iac-28,scf:iac,,skos:broadMatch +scf,scf:iac-28.1,scf:iac,,skos:broadMatch +scf,scf:iac-28.2,scf:iac,,skos:broadMatch +scf,scf:iac-28.3,scf:iac,,skos:broadMatch +scf,scf:iac-28.4,scf:iac,,skos:broadMatch 
+scf,scf:iac-28.5,scf:iac,,skos:broadMatch +scf,scf:iac-29,scf:iac,,skos:broadMatch +scf,scf:iro-01,scf:iro,,skos:broadMatch +scf,scf:iro-02,scf:iro,,skos:broadMatch +scf,scf:iro-02.1,scf:iro,,skos:broadMatch +scf,scf:iro-02.2,scf:iro,,skos:broadMatch +scf,scf:iro-02.3,scf:iro,,skos:broadMatch +scf,scf:iro-02.4,scf:iro,,skos:broadMatch +scf,scf:iro-02.5,scf:iro,,skos:broadMatch +scf,scf:iro-02.6,scf:iro,,skos:broadMatch +scf,scf:iro-03,scf:iro,,skos:broadMatch +scf,scf:iro-04,scf:iro,,skos:broadMatch +scf,scf:iro-04.1,scf:iro,,skos:broadMatch +scf,scf:iro-04.2,scf:iro,,skos:broadMatch +scf,scf:iro-04.3,scf:iro,,skos:broadMatch +scf,scf:iro-05,scf:iro,,skos:broadMatch +scf,scf:iro-05.1,scf:iro,,skos:broadMatch +scf,scf:iro-05.2,scf:iro,,skos:broadMatch +scf,scf:iro-06,scf:iro,,skos:broadMatch +scf,scf:iro-06.1,scf:iro,,skos:broadMatch +scf,scf:iro-07,scf:iro,,skos:broadMatch +scf,scf:iro-08,scf:iro,,skos:broadMatch +scf,scf:iro-09,scf:iro,,skos:broadMatch +scf,scf:iro-09.1,scf:iro,,skos:broadMatch +scf,scf:iro-10,scf:iro,,skos:broadMatch +scf,scf:iro-10.1,scf:iro,,skos:broadMatch +scf,scf:iro-10.2,scf:iro,,skos:broadMatch +scf,scf:iro-10.3,scf:iro,,skos:broadMatch +scf,scf:iro-10.4,scf:iro,,skos:broadMatch +scf,scf:iro-11,scf:iro,,skos:broadMatch +scf,scf:iro-11.1,scf:iro,,skos:broadMatch +scf,scf:iro-11.2,scf:iro,,skos:broadMatch +scf,scf:iro-12,scf:iro,,skos:broadMatch +scf,scf:iro-12.1,scf:iro,,skos:broadMatch +scf,scf:iro-12.2,scf:iro,,skos:broadMatch +scf,scf:iro-12.3,scf:iro,,skos:broadMatch +scf,scf:iro-12.4,scf:iro,,skos:broadMatch +scf,scf:iro-13,scf:iro,,skos:broadMatch +scf,scf:iro-14,scf:iro,,skos:broadMatch +scf,scf:iro-15,scf:iro,,skos:broadMatch +scf,scf:iro-16,scf:iro,,skos:broadMatch +scf,scf:iao-01,scf:iao,,skos:broadMatch +scf,scf:iao-01.1,scf:iao,,skos:broadMatch +scf,scf:iao-02,scf:iao,,skos:broadMatch +scf,scf:iao-02.1,scf:iao,,skos:broadMatch +scf,scf:iao-02.2,scf:iao,,skos:broadMatch +scf,scf:iao-02.3,scf:iao,,skos:broadMatch 
+scf,scf:iao-02.4,scf:iao,,skos:broadMatch +scf,scf:iao-03,scf:iao,,skos:broadMatch +scf,scf:iao-03.1,scf:iao,,skos:broadMatch +scf,scf:iao-03.2,scf:iao,,skos:broadMatch +scf,scf:iao-04,scf:iao,,skos:broadMatch +scf,scf:iao-05,scf:iao,,skos:broadMatch +scf,scf:iao-05.1,scf:iao,,skos:broadMatch +scf,scf:iao-06,scf:iao,,skos:broadMatch +scf,scf:iao-07,scf:iao,,skos:broadMatch +scf,scf:mnt-01,scf:mnt,,skos:broadMatch +scf,scf:mnt-02,scf:mnt,,skos:broadMatch +scf,scf:mnt-02.1,scf:mnt,,skos:broadMatch +scf,scf:mnt-03,scf:mnt,,skos:broadMatch +scf,scf:mnt-03.1,scf:mnt,,skos:broadMatch +scf,scf:mnt-03.2,scf:mnt,,skos:broadMatch +scf,scf:mnt-03.3,scf:mnt,,skos:broadMatch +scf,scf:mnt-04,scf:mnt,,skos:broadMatch +scf,scf:mnt-04.1,scf:mnt,,skos:broadMatch +scf,scf:mnt-04.2,scf:mnt,,skos:broadMatch +scf,scf:mnt-04.3,scf:mnt,,skos:broadMatch +scf,scf:mnt-04.4,scf:mnt,,skos:broadMatch +scf,scf:mnt-05,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.1,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.2,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.3,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.4,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.5,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.6,scf:mnt,,skos:broadMatch +scf,scf:mnt-05.7,scf:mnt,,skos:broadMatch +scf,scf:mnt-06,scf:mnt,,skos:broadMatch +scf,scf:mnt-06.1,scf:mnt,,skos:broadMatch +scf,scf:mnt-06.2,scf:mnt,,skos:broadMatch +scf,scf:mnt-07,scf:mnt,,skos:broadMatch +scf,scf:mnt-08,scf:mnt,,skos:broadMatch +scf,scf:mnt-09,scf:mnt,,skos:broadMatch +scf,scf:mnt-10,scf:mnt,,skos:broadMatch +scf,scf:mnt-11,scf:mnt,,skos:broadMatch +scf,scf:mdm-01,scf:mdm,,skos:broadMatch +scf,scf:mdm-02,scf:mdm,,skos:broadMatch +scf,scf:mdm-03,scf:mdm,,skos:broadMatch +scf,scf:mdm-04,scf:mdm,,skos:broadMatch +scf,scf:mdm-05,scf:mdm,,skos:broadMatch +scf,scf:mdm-06,scf:mdm,,skos:broadMatch +scf,scf:mdm-07,scf:mdm,,skos:broadMatch +scf,scf:mdm-08,scf:mdm,,skos:broadMatch +scf,scf:mdm-09,scf:mdm,,skos:broadMatch +scf,scf:mdm-10,scf:mdm,,skos:broadMatch 
+scf,scf:mdm-11,scf:mdm,,skos:broadMatch +scf,scf:net-01,scf:net,,skos:broadMatch +scf,scf:net-01.1,scf:net,,skos:broadMatch +scf,scf:net-02,scf:net,,skos:broadMatch +scf,scf:net-02.1,scf:net,,skos:broadMatch +scf,scf:net-02.2,scf:net,,skos:broadMatch +scf,scf:net-02.3,scf:net,,skos:broadMatch +scf,scf:net-03,scf:net,,skos:broadMatch +scf,scf:net-03.1,scf:net,,skos:broadMatch +scf,scf:net-03.2,scf:net,,skos:broadMatch +scf,scf:net-03.3,scf:net,,skos:broadMatch +scf,scf:net-03.4,scf:net,,skos:broadMatch +scf,scf:net-03.5,scf:net,,skos:broadMatch +scf,scf:net-03.6,scf:net,,skos:broadMatch +scf,scf:net-03.7,scf:net,,skos:broadMatch +scf,scf:net-03.8,scf:net,,skos:broadMatch +scf,scf:net-04,scf:net,,skos:broadMatch +scf,scf:net-04.1,scf:net,,skos:broadMatch +scf,scf:net-04.2,scf:net,,skos:broadMatch +scf,scf:net-04.3,scf:net,,skos:broadMatch +scf,scf:net-04.4,scf:net,,skos:broadMatch +scf,scf:net-04.5,scf:net,,skos:broadMatch +scf,scf:net-04.6,scf:net,,skos:broadMatch +scf,scf:net-04.7,scf:net,,skos:broadMatch +scf,scf:net-04.8,scf:net,,skos:broadMatch +scf,scf:net-04.9,scf:net,,skos:broadMatch +scf,scf:net-04.10,scf:net,,skos:broadMatch +scf,scf:net-04.11,scf:net,,skos:broadMatch +scf,scf:net-04.12,scf:net,,skos:broadMatch +scf,scf:net-04.13,scf:net,,skos:broadMatch +scf,scf:net-05,scf:net,,skos:broadMatch +scf,scf:net-05.1,scf:net,,skos:broadMatch +scf,scf:net-05.2,scf:net,,skos:broadMatch +scf,scf:net-06,scf:net,,skos:broadMatch +scf,scf:net-06.1,scf:net,,skos:broadMatch +scf,scf:net-06.2,scf:net,,skos:broadMatch +scf,scf:net-06.3,scf:net,,skos:broadMatch +scf,scf:net-06.4,scf:net,,skos:broadMatch +scf,scf:net-06.5,scf:net,,skos:broadMatch +scf,scf:net-07,scf:net,,skos:broadMatch +scf,scf:net-08,scf:net,,skos:broadMatch +scf,scf:net-08.1,scf:net,,skos:broadMatch +scf,scf:net-08.2,scf:net,,skos:broadMatch +scf,scf:net-09,scf:net,,skos:broadMatch +scf,scf:net-09.1,scf:net,,skos:broadMatch +scf,scf:net-09.2,scf:net,,skos:broadMatch 
+scf,scf:net-10,scf:net,,skos:broadMatch +scf,scf:net-10.1,scf:net,,skos:broadMatch +scf,scf:net-10.2,scf:net,,skos:broadMatch +scf,scf:net-10.3,scf:net,,skos:broadMatch +scf,scf:net-10.4,scf:net,,skos:broadMatch +scf,scf:net-11,scf:net,,skos:broadMatch +scf,scf:net-12,scf:net,,skos:broadMatch +scf,scf:net-12.1,scf:net,,skos:broadMatch +scf,scf:net-12.2,scf:net,,skos:broadMatch +scf,scf:net-13,scf:net,,skos:broadMatch +scf,scf:net-14,scf:net,,skos:broadMatch +scf,scf:net-14.1,scf:net,,skos:broadMatch +scf,scf:net-14.2,scf:net,,skos:broadMatch +scf,scf:net-14.3,scf:net,,skos:broadMatch +scf,scf:net-14.4,scf:net,,skos:broadMatch +scf,scf:net-14.5,scf:net,,skos:broadMatch +scf,scf:net-14.6,scf:net,,skos:broadMatch +scf,scf:net-14.7,scf:net,,skos:broadMatch +scf,scf:net-14.8,scf:net,,skos:broadMatch +scf,scf:net-15,scf:net,,skos:broadMatch +scf,scf:net-15.1,scf:net,,skos:broadMatch +scf,scf:net-15.2,scf:net,,skos:broadMatch +scf,scf:net-15.3,scf:net,,skos:broadMatch +scf,scf:net-15.4,scf:net,,skos:broadMatch +scf,scf:net-15.5,scf:net,,skos:broadMatch +scf,scf:net-16,scf:net,,skos:broadMatch +scf,scf:net-17,scf:net,,skos:broadMatch +scf,scf:net-18,scf:net,,skos:broadMatch +scf,scf:net-18.1,scf:net,,skos:broadMatch +scf,scf:net-18.2,scf:net,,skos:broadMatch +scf,scf:net-18.3,scf:net,,skos:broadMatch +scf,scf:pes-01,scf:pes,,skos:broadMatch +scf,scf:pes-01.1,scf:pes,,skos:broadMatch +scf,scf:pes-02,scf:pes,,skos:broadMatch +scf,scf:pes-02.1,scf:pes,,skos:broadMatch +scf,scf:pes-02.2,scf:pes,,skos:broadMatch +scf,scf:pes-03,scf:pes,,skos:broadMatch +scf,scf:pes-03.1,scf:pes,,skos:broadMatch +scf,scf:pes-03.2,scf:pes,,skos:broadMatch +scf,scf:pes-03.3,scf:pes,,skos:broadMatch +scf,scf:pes-03.4,scf:pes,,skos:broadMatch +scf,scf:pes-04,scf:pes,,skos:broadMatch +scf,scf:pes-04.1,scf:pes,,skos:broadMatch +scf,scf:pes-04.2,scf:pes,,skos:broadMatch +scf,scf:pes-04.3,scf:pes,,skos:broadMatch +scf,scf:pes-05,scf:pes,,skos:broadMatch +scf,scf:pes-05.1,scf:pes,,skos:broadMatch 
+scf,scf:pes-05.2,scf:pes,,skos:broadMatch +scf,scf:pes-06,scf:pes,,skos:broadMatch +scf,scf:pes-06.1,scf:pes,,skos:broadMatch +scf,scf:pes-06.2,scf:pes,,skos:broadMatch +scf,scf:pes-06.3,scf:pes,,skos:broadMatch +scf,scf:pes-06.4,scf:pes,,skos:broadMatch +scf,scf:pes-06.5,scf:pes,,skos:broadMatch +scf,scf:pes-06.6,scf:pes,,skos:broadMatch +scf,scf:pes-07,scf:pes,,skos:broadMatch +scf,scf:pes-07.1,scf:pes,,skos:broadMatch +scf,scf:pes-07.2,scf:pes,,skos:broadMatch +scf,scf:pes-07.3,scf:pes,,skos:broadMatch +scf,scf:pes-07.4,scf:pes,,skos:broadMatch +scf,scf:pes-07.5,scf:pes,,skos:broadMatch +scf,scf:pes-07.6,scf:pes,,skos:broadMatch +scf,scf:pes-07.7,scf:pes,,skos:broadMatch +scf,scf:pes-08,scf:pes,,skos:broadMatch +scf,scf:pes-08.1,scf:pes,,skos:broadMatch +scf,scf:pes-08.2,scf:pes,,skos:broadMatch +scf,scf:pes-08.3,scf:pes,,skos:broadMatch +scf,scf:pes-09,scf:pes,,skos:broadMatch +scf,scf:pes-09.1,scf:pes,,skos:broadMatch +scf,scf:pes-10,scf:pes,,skos:broadMatch +scf,scf:pes-11,scf:pes,,skos:broadMatch +scf,scf:pes-12,scf:pes,,skos:broadMatch +scf,scf:pes-12.1,scf:pes,,skos:broadMatch +scf,scf:pes-12.2,scf:pes,,skos:broadMatch +scf,scf:pes-13,scf:pes,,skos:broadMatch +scf,scf:pes-14,scf:pes,,skos:broadMatch +scf,scf:pes-15,scf:pes,,skos:broadMatch +scf,scf:pes-16,scf:pes,,skos:broadMatch +scf,scf:pes-17,scf:pes,,skos:broadMatch +scf,scf:pes-18,scf:pes,,skos:broadMatch +scf,scf:pri-01,scf:pri,,skos:broadMatch +scf,scf:pri-01.1,scf:pri,,skos:broadMatch +scf,scf:pri-01.2,scf:pri,,skos:broadMatch +scf,scf:pri-01.3,scf:pri,,skos:broadMatch +scf,scf:pri-01.4,scf:pri,,skos:broadMatch +scf,scf:pri-01.5,scf:pri,,skos:broadMatch +scf,scf:pri-01.6,scf:pri,,skos:broadMatch +scf,scf:pri-01.7,scf:pri,,skos:broadMatch +scf,scf:pri-02,scf:pri,,skos:broadMatch +scf,scf:pri-02.1,scf:pri,,skos:broadMatch +scf,scf:pri-02.2,scf:pri,,skos:broadMatch +scf,scf:pri-02.3,scf:pri,,skos:broadMatch +scf,scf:pri-02.4,scf:pri,,skos:broadMatch +scf,scf:pri-02.5,scf:pri,,skos:broadMatch 
+scf,scf:pri-02.6,scf:pri,,skos:broadMatch +scf,scf:pri-02.7,scf:pri,,skos:broadMatch +scf,scf:pri-03,scf:pri,,skos:broadMatch +scf,scf:pri-03.1,scf:pri,,skos:broadMatch +scf,scf:pri-03.2,scf:pri,,skos:broadMatch +scf,scf:pri-03.3,scf:pri,,skos:broadMatch +scf,scf:pri-03.4,scf:pri,,skos:broadMatch +scf,scf:pri-03.5,scf:pri,,skos:broadMatch +scf,scf:pri-03.6,scf:pri,,skos:broadMatch +scf,scf:pri-03.7,scf:pri,,skos:broadMatch +scf,scf:pri-03.8,scf:pri,,skos:broadMatch +scf,scf:pri-04,scf:pri,,skos:broadMatch +scf,scf:pri-04.1,scf:pri,,skos:broadMatch +scf,scf:pri-04.2,scf:pri,,skos:broadMatch +scf,scf:pri-04.3,scf:pri,,skos:broadMatch +scf,scf:pri-04.4,scf:pri,,skos:broadMatch +scf,scf:pri-04.5,scf:pri,,skos:broadMatch +scf,scf:pri-04.6,scf:pri,,skos:broadMatch +scf,scf:pri-05,scf:pri,,skos:broadMatch +scf,scf:pri-05.1,scf:pri,,skos:broadMatch +scf,scf:pri-05.2,scf:pri,,skos:broadMatch +scf,scf:pri-05.3,scf:pri,,skos:broadMatch +scf,scf:pri-05.4,scf:pri,,skos:broadMatch +scf,scf:pri-05.5,scf:pri,,skos:broadMatch +scf,scf:pri-05.6,scf:pri,,skos:broadMatch +scf,scf:pri-05.7,scf:pri,,skos:broadMatch +scf,scf:pri-06,scf:pri,,skos:broadMatch +scf,scf:pri-06.1,scf:pri,,skos:broadMatch +scf,scf:pri-06.2,scf:pri,,skos:broadMatch +scf,scf:pri-06.3,scf:pri,,skos:broadMatch +scf,scf:pri-06.4,scf:pri,,skos:broadMatch +scf,scf:pri-06.5,scf:pri,,skos:broadMatch +scf,scf:pri-06.6,scf:pri,,skos:broadMatch +scf,scf:pri-06.7,scf:pri,,skos:broadMatch +scf,scf:pri-07,scf:pri,,skos:broadMatch +scf,scf:pri-07.1,scf:pri,,skos:broadMatch +scf,scf:pri-07.2,scf:pri,,skos:broadMatch +scf,scf:pri-07.3,scf:pri,,skos:broadMatch +scf,scf:pri-07.4,scf:pri,,skos:broadMatch +scf,scf:pri-08,scf:pri,,skos:broadMatch +scf,scf:pri-09,scf:pri,,skos:broadMatch +scf,scf:pri-10,scf:pri,,skos:broadMatch +scf,scf:pri-10.1,scf:pri,,skos:broadMatch +scf,scf:pri-10.2,scf:pri,,skos:broadMatch +scf,scf:pri-11,scf:pri,,skos:broadMatch +scf,scf:pri-12,scf:pri,,skos:broadMatch +scf,scf:pri-13,scf:pri,,skos:broadMatch 
+scf,scf:pri-14,scf:pri,,skos:broadMatch +scf,scf:pri-14.1,scf:pri,,skos:broadMatch +scf,scf:pri-14.2,scf:pri,,skos:broadMatch +scf,scf:pri-15,scf:pri,,skos:broadMatch +scf,scf:pri-16,scf:pri,,skos:broadMatch +scf,scf:pri-17,scf:pri,,skos:broadMatch +scf,scf:pri-17.1,scf:pri,,skos:broadMatch +scf,scf:pri-17.2,scf:pri,,skos:broadMatch +scf,scf:prm-01,scf:prm,,skos:broadMatch +scf,scf:prm-01.1,scf:prm,,skos:broadMatch +scf,scf:prm-01.2,scf:prm,,skos:broadMatch +scf,scf:prm-02,scf:prm,,skos:broadMatch +scf,scf:prm-03,scf:prm,,skos:broadMatch +scf,scf:prm-04,scf:prm,,skos:broadMatch +scf,scf:prm-05,scf:prm,,skos:broadMatch +scf,scf:prm-06,scf:prm,,skos:broadMatch +scf,scf:prm-07,scf:prm,,skos:broadMatch +scf,scf:prm-08,scf:prm,,skos:broadMatch +scf,scf:rsk-01,scf:rsk,,skos:broadMatch +scf,scf:rsk-01.1,scf:rsk,,skos:broadMatch +scf,scf:rsk-02,scf:rsk,,skos:broadMatch +scf,scf:rsk-02.1,scf:rsk,,skos:broadMatch +scf,scf:rsk-03,scf:rsk,,skos:broadMatch +scf,scf:rsk-04,scf:rsk,,skos:broadMatch +scf,scf:rsk-04.1,scf:rsk,,skos:broadMatch +scf,scf:rsk-05,scf:rsk,,skos:broadMatch +scf,scf:rsk-06,scf:rsk,,skos:broadMatch +scf,scf:rsk-06.1,scf:rsk,,skos:broadMatch +scf,scf:rsk-06.2,scf:rsk,,skos:broadMatch +scf,scf:rsk-07,scf:rsk,,skos:broadMatch +scf,scf:rsk-08,scf:rsk,,skos:broadMatch +scf,scf:rsk-09,scf:rsk,,skos:broadMatch +scf,scf:rsk-09.1,scf:rsk,,skos:broadMatch +scf,scf:rsk-10,scf:rsk,,skos:broadMatch +scf,scf:rsk-11,scf:rsk,,skos:broadMatch +scf,scf:sea-01,scf:sea,,skos:broadMatch +scf,scf:sea-01.1,scf:sea,,skos:broadMatch +scf,scf:sea-02,scf:sea,,skos:broadMatch +scf,scf:sea-02.1,scf:sea,,skos:broadMatch +scf,scf:sea-02.2,scf:sea,,skos:broadMatch +scf,scf:sea-02.3,scf:sea,,skos:broadMatch +scf,scf:sea-03,scf:sea,,skos:broadMatch +scf,scf:sea-03.1,scf:sea,,skos:broadMatch +scf,scf:sea-03.2,scf:sea,,skos:broadMatch +scf,scf:sea-04,scf:sea,,skos:broadMatch +scf,scf:sea-04.1,scf:sea,,skos:broadMatch +scf,scf:sea-04.2,scf:sea,,skos:broadMatch 
+scf,scf:sea-04.3,scf:sea,,skos:broadMatch +scf,scf:sea-05,scf:sea,,skos:broadMatch +scf,scf:sea-06,scf:sea,,skos:broadMatch +scf,scf:sea-07,scf:sea,,skos:broadMatch +scf,scf:sea-07.1,scf:sea,,skos:broadMatch +scf,scf:sea-07.2,scf:sea,,skos:broadMatch +scf,scf:sea-07.3,scf:sea,,skos:broadMatch +scf,scf:sea-08,scf:sea,,skos:broadMatch +scf,scf:sea-08.1,scf:sea,,skos:broadMatch +scf,scf:sea-09,scf:sea,,skos:broadMatch +scf,scf:sea-09.1,scf:sea,,skos:broadMatch +scf,scf:sea-10,scf:sea,,skos:broadMatch +scf,scf:sea-11,scf:sea,,skos:broadMatch +scf,scf:sea-12,scf:sea,,skos:broadMatch +scf,scf:sea-13,scf:sea,,skos:broadMatch +scf,scf:sea-13.1,scf:sea,,skos:broadMatch +scf,scf:sea-14,scf:sea,,skos:broadMatch +scf,scf:sea-14.1,scf:sea,,skos:broadMatch +scf,scf:sea-14.2,scf:sea,,skos:broadMatch +scf,scf:sea-15,scf:sea,,skos:broadMatch +scf,scf:sea-16,scf:sea,,skos:broadMatch +scf,scf:sea-17,scf:sea,,skos:broadMatch +scf,scf:sea-18,scf:sea,,skos:broadMatch +scf,scf:sea-18.1,scf:sea,,skos:broadMatch +scf,scf:sea-18.2,scf:sea,,skos:broadMatch +scf,scf:sea-19,scf:sea,,skos:broadMatch +scf,scf:sea-20,scf:sea,,skos:broadMatch +scf,scf:ops-01,scf:ops,,skos:broadMatch +scf,scf:ops-01.1,scf:ops,,skos:broadMatch +scf,scf:ops-02,scf:ops,,skos:broadMatch +scf,scf:ops-03,scf:ops,,skos:broadMatch +scf,scf:ops-04,scf:ops,,skos:broadMatch +scf,scf:ops-05,scf:ops,,skos:broadMatch +scf,scf:sat-01,scf:sat,,skos:broadMatch +scf,scf:sat-02,scf:sat,,skos:broadMatch +scf,scf:sat-02.1,scf:sat,,skos:broadMatch +scf,scf:sat-02.2,scf:sat,,skos:broadMatch +scf,scf:sat-03,scf:sat,,skos:broadMatch +scf,scf:sat-03.1,scf:sat,,skos:broadMatch +scf,scf:sat-03.2,scf:sat,,skos:broadMatch +scf,scf:sat-03.3,scf:sat,,skos:broadMatch +scf,scf:sat-03.4,scf:sat,,skos:broadMatch +scf,scf:sat-03.5,scf:sat,,skos:broadMatch +scf,scf:sat-03.6,scf:sat,,skos:broadMatch +scf,scf:sat-03.7,scf:sat,,skos:broadMatch +scf,scf:sat-03.8,scf:sat,,skos:broadMatch +scf,scf:sat-04,scf:sat,,skos:broadMatch 
+scf,scf:tda-01,scf:tda,,skos:broadMatch +scf,scf:tda-01.1,scf:tda,,skos:broadMatch +scf,scf:tda-01.2,scf:tda,,skos:broadMatch +scf,scf:tda-01.3,scf:tda,,skos:broadMatch +scf,scf:tda-02,scf:tda,,skos:broadMatch +scf,scf:tda-02.1,scf:tda,,skos:broadMatch +scf,scf:tda-02.2,scf:tda,,skos:broadMatch +scf,scf:tda-02.3,scf:tda,,skos:broadMatch +scf,scf:tda-02.4,scf:tda,,skos:broadMatch +scf,scf:tda-02.5,scf:tda,,skos:broadMatch +scf,scf:tda-02.6,scf:tda,,skos:broadMatch +scf,scf:tda-02.7,scf:tda,,skos:broadMatch +scf,scf:tda-03,scf:tda,,skos:broadMatch +scf,scf:tda-03.1,scf:tda,,skos:broadMatch +scf,scf:tda-04,scf:tda,,skos:broadMatch +scf,scf:tda-04.1,scf:tda,,skos:broadMatch +scf,scf:tda-04.2,scf:tda,,skos:broadMatch +scf,scf:tda-05,scf:tda,,skos:broadMatch +scf,scf:tda-05.1,scf:tda,,skos:broadMatch +scf,scf:tda-05.2,scf:tda,,skos:broadMatch +scf,scf:tda-06,scf:tda,,skos:broadMatch +scf,scf:tda-06.1,scf:tda,,skos:broadMatch +scf,scf:tda-06.2,scf:tda,,skos:broadMatch +scf,scf:tda-06.3,scf:tda,,skos:broadMatch +scf,scf:tda-06.4,scf:tda,,skos:broadMatch +scf,scf:tda-06.5,scf:tda,,skos:broadMatch +scf,scf:tda-07,scf:tda,,skos:broadMatch +scf,scf:tda-08,scf:tda,,skos:broadMatch +scf,scf:tda-08.1,scf:tda,,skos:broadMatch +scf,scf:tda-09,scf:tda,,skos:broadMatch +scf,scf:tda-09.1,scf:tda,,skos:broadMatch +scf,scf:tda-09.2,scf:tda,,skos:broadMatch +scf,scf:tda-09.3,scf:tda,,skos:broadMatch +scf,scf:tda-09.4,scf:tda,,skos:broadMatch +scf,scf:tda-09.5,scf:tda,,skos:broadMatch +scf,scf:tda-09.6,scf:tda,,skos:broadMatch +scf,scf:tda-09.7,scf:tda,,skos:broadMatch +scf,scf:tda-10,scf:tda,,skos:broadMatch +scf,scf:tda-10.1,scf:tda,,skos:broadMatch +scf,scf:tda-11,scf:tda,,skos:broadMatch +scf,scf:tda-11.1,scf:tda,,skos:broadMatch +scf,scf:tda-11.2,scf:tda,,skos:broadMatch +scf,scf:tda-12,scf:tda,,skos:broadMatch +scf,scf:tda-13,scf:tda,,skos:broadMatch +scf,scf:tda-14,scf:tda,,skos:broadMatch +scf,scf:tda-14.1,scf:tda,,skos:broadMatch +scf,scf:tda-14.2,scf:tda,,skos:broadMatch 
+scf,scf:tda-15,scf:tda,,skos:broadMatch +scf,scf:tda-16,scf:tda,,skos:broadMatch +scf,scf:tda-17,scf:tda,,skos:broadMatch +scf,scf:tda-17.1,scf:tda,,skos:broadMatch +scf,scf:tda-18,scf:tda,,skos:broadMatch +scf,scf:tda-19,scf:tda,,skos:broadMatch +scf,scf:tda-20,scf:tda,,skos:broadMatch +scf,scf:tda-20.1,scf:tda,,skos:broadMatch +scf,scf:tda-20.2,scf:tda,,skos:broadMatch +scf,scf:tda-20.3,scf:tda,,skos:broadMatch +scf,scf:tpm-01,scf:tpm,,skos:broadMatch +scf,scf:tpm-01.1,scf:tpm,,skos:broadMatch +scf,scf:tpm-02,scf:tpm,,skos:broadMatch +scf,scf:tpm-03,scf:tpm,,skos:broadMatch +scf,scf:tpm-03.1,scf:tpm,,skos:broadMatch +scf,scf:tpm-03.2,scf:tpm,,skos:broadMatch +scf,scf:tpm-03.3,scf:tpm,,skos:broadMatch +scf,scf:tpm-04,scf:tpm,,skos:broadMatch +scf,scf:tpm-04.1,scf:tpm,,skos:broadMatch +scf,scf:tpm-04.2,scf:tpm,,skos:broadMatch +scf,scf:tpm-04.3,scf:tpm,,skos:broadMatch +scf,scf:tpm-04.4,scf:tpm,,skos:broadMatch +scf,scf:tpm-05,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.1,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.2,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.3,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.4,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.5,scf:tpm,,skos:broadMatch +scf,scf:tpm-05.6,scf:tpm,,skos:broadMatch +scf,scf:tpm-06,scf:tpm,,skos:broadMatch +scf,scf:tpm-07,scf:tpm,,skos:broadMatch +scf,scf:tpm-08,scf:tpm,,skos:broadMatch +scf,scf:tpm-09,scf:tpm,,skos:broadMatch +scf,scf:tpm-10,scf:tpm,,skos:broadMatch +scf,scf:tpm-11,scf:tpm,,skos:broadMatch +scf,scf:thr-01,scf:thr,,skos:broadMatch +scf,scf:thr-02,scf:thr,,skos:broadMatch +scf,scf:thr-03,scf:thr,,skos:broadMatch +scf,scf:thr-04,scf:thr,,skos:broadMatch +scf,scf:thr-05,scf:thr,,skos:broadMatch +scf,scf:thr-06,scf:thr,,skos:broadMatch +scf,scf:thr-07,scf:thr,,skos:broadMatch +scf,scf:thr-08,scf:thr,,skos:broadMatch +scf,scf:vpm-01,scf:vpm,,skos:broadMatch +scf,scf:vpm-01.1,scf:vpm,,skos:broadMatch +scf,scf:vpm-02,scf:vpm,,skos:broadMatch +scf,scf:vpm-03,scf:vpm,,skos:broadMatch 
+scf,scf:vpm-04,scf:vpm,,skos:broadMatch +scf,scf:vpm-04.1,scf:vpm,,skos:broadMatch +scf,scf:vpm-04.2,scf:vpm,,skos:broadMatch +scf,scf:vpm-05,scf:vpm,,skos:broadMatch +scf,scf:vpm-05.1,scf:vpm,,skos:broadMatch +scf,scf:vpm-05.2,scf:vpm,,skos:broadMatch +scf,scf:vpm-05.3,scf:vpm,,skos:broadMatch +scf,scf:vpm-05.4,scf:vpm,,skos:broadMatch +scf,scf:vpm-05.5,scf:vpm,,skos:broadMatch +scf,scf:vpm-06,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.1,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.2,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.3,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.4,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.5,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.6,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.7,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.8,scf:vpm,,skos:broadMatch +scf,scf:vpm-06.9,scf:vpm,,skos:broadMatch +scf,scf:vpm-07,scf:vpm,,skos:broadMatch +scf,scf:vpm-07.1,scf:vpm,,skos:broadMatch +scf,scf:vpm-08,scf:vpm,,skos:broadMatch +scf,scf:vpm-09,scf:vpm,,skos:broadMatch +scf,scf:vpm-10,scf:vpm,,skos:broadMatch +scf,scf:web-01,scf:web,,skos:broadMatch +scf,scf:web-01.1,scf:web,,skos:broadMatch +scf,scf:web-02,scf:web,,skos:broadMatch +scf,scf:web-03,scf:web,,skos:broadMatch +scf,scf:web-04,scf:web,,skos:broadMatch +scf,scf:web-05,scf:web,,skos:broadMatch +scf,scf:web-06,scf:web,,skos:broadMatch +scf,scf:web-07,scf:web,,skos:broadMatch +scf,scf:web-08,scf:web,,skos:broadMatch +scf,scf:web-09,scf:web,,skos:broadMatch +scf,scf:web-10,scf:web,,skos:broadMatch +scf,scf:web-11,scf:web,,skos:broadMatch +scf,scf:web-12,scf:web,,skos:broadMatch +scf,scf:web-13,scf:web,,skos:broadMatch diff --git a/data/relationships.json b/data/relationships.json index dc0a69b..ec102c8 100644 --- a/data/relationships.json +++ b/data/relationships.json 
@@ -8224,333 +8224,19093 @@ "type_raw": null, "type_skos": "skos:broadMatch" }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.1", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.2", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.3", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.4", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.5", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.10.6", + "tail": "nist_800_171_v1:3.10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.11.1", + "tail": "nist_800_171_v1:3.11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.11.2", + "tail": "nist_800_171_v1:3.11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.11.3", + "tail": "nist_800_171_v1:3.11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.12.1", + "tail": "nist_800_171_v1:3.12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.12.2", + "tail": "nist_800_171_v1:3.12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.12.3", + "tail": "nist_800_171_v1:3.12", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.12.4", + "tail": "nist_800_171_v1:3.12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.1", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.10", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.11", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.12", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.13", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.14", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.15", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.16", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.2", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.3", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.4", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, 
+ { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.5", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.6", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.7", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.8", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.13.9", + "tail": "nist_800_171_v1:3.13", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.1", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.2", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.3", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.4", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.5", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.6", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.14.7", + "tail": "nist_800_171_v1:3.14", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + 
"head": "nist_800_171_v1:3.2.1", + "tail": "nist_800_171_v1:3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.2.2", + "tail": "nist_800_171_v1:3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.2.3", + "tail": "nist_800_171_v1:3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.1", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.2", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.3", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.4", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.5", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.6", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.7", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.8", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.3.9", + "tail": "nist_800_171_v1:3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.1", + "tail": "nist_800_171_v1:3.4", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.2", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.3", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.4", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.5", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.6", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.7", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.8", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.4.9", + "tail": "nist_800_171_v1:3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.1", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.10", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.11", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.2", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.3", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.4", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.5", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.6", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.7", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.8", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.5.9", + "tail": "nist_800_171_v1:3.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.6.1", + "tail": "nist_800_171_v1:3.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.6.2", + "tail": "nist_800_171_v1:3.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.6.3", + "tail": "nist_800_171_v1:3.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.1", + "tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.2", + "tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.3", + 
"tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.4", + "tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.5", + "tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.7.6", + "tail": "nist_800_171_v1:3.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.1", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.2", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.3", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.4", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.5", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.6", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.7", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.8", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.8.9", + "tail": "nist_800_171_v1:3.8", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.9.1", + "tail": "nist_800_171_v1:3.9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "nist_800_171_v1", + "head": "nist_800_171_v1:3.9.2", + "tail": "nist_800_171_v1:3.9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, { "source": "cis_csc_v7.1", "head": "cis_csc_v7.1:1", "tail": "nist_800_171_v1:3.1.1", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:11.5", + "tail": "nist_800_171_v1:3.1.12", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:11.5", + "tail": "nist_800_171_v1:3.1.13", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:16.11", + "tail": "nist_800_171_v1:3.1.10", + "type_raw": null, + "type_skos": "skos:closeMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:16.11", + "tail": "nist_800_171_v1:3.1.10", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:11.5", + "tail": "nist_800_171_v1:3.1.13", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12.11", + "tail": "nist_800_171_v1:3.1.13", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12.12", + "tail": "nist_800_171_v1:3.1.12", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12.2", + "tail": "nist_800_171_v1:3.1.16", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12.11", + "tail": "nist_800_171_v1:3.1.16", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + 
"head": "cis_csc_v7.1:12.11", + "tail": "nist_800_171_v1:3.1.17", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.7", + "tail": "nist_800_171_v1:3.1.1", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.1", + "tail": "nist_800_171_v1:3.1.1", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.2", + "tail": "nist_800_171_v1:3.1.1", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:4", + "tail": "nist_800_171_v1:3.1.4", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:4", + "tail": "nist_800_171_v1:3.1.5", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:4", + "tail": "nist_800_171_v1:3.1.6", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:4.1", + "tail": "nist_800_171_v1:3.1.7", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.4", + "tail": "nist_800_171_v1:3.10.1", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.4", + "tail": "nist_800_171_v1:3.10.2", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.5", + "tail": "nist_800_171_v1:3.10.2", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12", + "tail": "nist_800_171_v1:3.1.22", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12", + "tail": "nist_800_171_v1:3.1.3", + "type_raw": null, + "type_skos": 
"skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:12.12", + "tail": "nist_800_171_v1:3.1.16", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.5", + "tail": "nist_800_171_v1:3.10.4", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "cis_csc_v7.1", + "head": "cis_csc_v7.1:1.5", + "tail": "nist_800_171_v1:3.10.5", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-11", + "tail": "cis_csc_v7.1:16.11", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-11(1)", + "tail": "nist_800_171_v1:3.1.10", + "type_raw": null, + "type_skos": "skos:closeMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-13", + "tail": "cis_csc_v7.1:1.7", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-16(2)", + "tail": "cis_csc_v7.1:14.6", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(1)", + "tail": "cis_csc_v7.1:12.12", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(1)", + "tail": "cis_csc_v7.1:13.1", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(1)", + "tail": "cis_csc_v7.1:14.5", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(2)", + "tail": "cis_csc_v7.1:11.5", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(2)", + "tail": "cis_csc_v7.1:16.5", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + 
"head": "nist_800_53_v4:ac-17(2)", + "tail": "cis_csc_v7.1:16.4", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-17(2)", + "tail": "nist_800_171_v1:3.1.17", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-19(5)", + "tail": "cis_csc_v7.1:13.6", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-18(1)", + "tail": "cis_csc_v7.1:15.8", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-18(3)", + "tail": "cis_csc_v7.1:15.4", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-2(4)", + "tail": "cis_csc_v7.1:16", + "type_raw": null, + "type_skos": "skos:closeMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-2(12)", + "tail": "cis_csc_v7.1:16.13", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-2(7)", + "tail": "cis_csc_v7.1:4", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-2(3)", + "tail": "cis_csc_v7.1:16.9", + "type_raw": null, + "type_skos": "skos:closeMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-18(5)", + "tail": "cis_csc_v7.1:15.9", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-20", + "tail": "cis_csc_v7.1:13.8", + "type_raw": null, + "type_skos": "skos:relatedMatch" + }, + { + "source": "nist_800_53_v4", + "head": "nist_800_53_v4:ac-20(2)", + "tail": "nist_800_171_v1:3.1.21", + "type_raw": null, + "type_skos": "skos:closeMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf", + "tail": 
"fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te", + "tail": "fsscc_profile_v1.0:gv", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am", + "tail": "fsscc_profile_v1.0:id", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra", + "tail": "fsscc_profile_v1.0:id", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:pr.ds", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ma", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt", + "tail": "fsscc_profile_v1.0:pr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae", + "tail": "fsscc_profile_v1.0:de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm", + "tail": "fsscc_profile_v1.0:de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp", + "tail": "fsscc_profile_v1.0:de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.rp", + "tail": "fsscc_profile_v1.0:rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co", + "tail": "fsscc_profile_v1.0:rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an", + "tail": "fsscc_profile_v1.0:rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi", + "tail": "fsscc_profile_v1.0:rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im", + "tail": "fsscc_profile_v1.0:rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp", + "tail": "fsscc_profile_v1.0:rc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.im", + "tail": "fsscc_profile_v1.0:rc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co", + "tail": "fsscc_profile_v1.0:rc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id", + "tail": "fsscc_profile_v1.0:dm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed", + "tail": "fsscc_profile_v1.0:dm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs", + "tail": "fsscc_profile_v1.0:dm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be", + "tail": "fsscc_profile_v1.0:dm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1", + "tail": "fsscc_profile_v1.0:gv.sf", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-2", + "tail": "fsscc_profile_v1.0:gv.sf", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-3", + "tail": "fsscc_profile_v1.0:gv.sf", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-4", + "tail": "fsscc_profile_v1.0:gv.sf", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1", + "tail": "fsscc_profile_v1.0:gv.rm", + "type_raw": null, 
+ "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-2", + "tail": "fsscc_profile_v1.0:gv.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-3", + "tail": "fsscc_profile_v1.0:gv.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-1", + "tail": "fsscc_profile_v1.0:gv.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-2", + "tail": "fsscc_profile_v1.0:gv.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-3", + "tail": "fsscc_profile_v1.0:gv.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-1", + "tail": "fsscc_profile_v1.0:gv.rr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-2", + "tail": "fsscc_profile_v1.0:gv.rr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-1", + "tail": "fsscc_profile_v1.0:gv.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-2", + "tail": "fsscc_profile_v1.0:gv.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-1", + "tail": "fsscc_profile_v1.0:gv.ir", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-2", + "tail": "fsscc_profile_v1.0:gv.ir", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:gv.ir-3", + "tail": "fsscc_profile_v1.0:gv.ir", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-1", + "tail": "fsscc_profile_v1.0:gv.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-2", + "tail": "fsscc_profile_v1.0:gv.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-3", + "tail": "fsscc_profile_v1.0:gv.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te-1", + "tail": "fsscc_profile_v1.0:gv.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te-2", + "tail": "fsscc_profile_v1.0:gv.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-1", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-2", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-3", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-4", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-5", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-6", + "tail": "fsscc_profile_v1.0:id.am", + "type_raw": 
null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-1", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-2", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-3", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-4", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-6", + "tail": "fsscc_profile_v1.0:id.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-1", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-2", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-3", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-4", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-5", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + 
"head": "fsscc_profile_v1.0:pr.ac-6", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-7", + "tail": "fsscc_profile_v1.0:pr.ac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-1", + "tail": "fsscc_profile_v1.0:pr.at", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-2", + "tail": "fsscc_profile_v1.0:pr.at", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-3", + "tail": "fsscc_profile_v1.0:pr.at", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-4", + "tail": "fsscc_profile_v1.0:pr.at", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-5", + "tail": "fsscc_profile_v1.0:pr.at", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-1", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-2", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-3", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-4", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-5", + "tail": "fsscc_profile_v1.0:pr.ds", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-6", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-7", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-8", + "tail": "fsscc_profile_v1.0:pr.ds", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-1", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-2", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-3", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-4", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-5", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-6", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-7", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-8", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-9", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-10", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-11", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-12", + "tail": "fsscc_profile_v1.0:pr.ip", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ma-1", + "tail": "fsscc_profile_v1.0:pr.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ma-2", + "tail": "fsscc_profile_v1.0:pr.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-1", + "tail": "fsscc_profile_v1.0:pr.pt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-2", + "tail": "fsscc_profile_v1.0:pr.pt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-3", + "tail": "fsscc_profile_v1.0:pr.pt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-4", + "tail": "fsscc_profile_v1.0:pr.pt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-5", + "tail": "fsscc_profile_v1.0:pr.pt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-1", + "tail": 
"fsscc_profile_v1.0:de.ae", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-2", + "tail": "fsscc_profile_v1.0:de.ae", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-3", + "tail": "fsscc_profile_v1.0:de.ae", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-4", + "tail": "fsscc_profile_v1.0:de.ae", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-5", + "tail": "fsscc_profile_v1.0:de.ae", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-1", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-2", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-3", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-4", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-5", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-6", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-7", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, 
+ { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-8", + "tail": "fsscc_profile_v1.0:de.cm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-1", + "tail": "fsscc_profile_v1.0:de.dp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-2", + "tail": "fsscc_profile_v1.0:de.dp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-3", + "tail": "fsscc_profile_v1.0:de.dp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-4", + "tail": "fsscc_profile_v1.0:de.dp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-5", + "tail": "fsscc_profile_v1.0:de.dp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.rp-1", + "tail": "fsscc_profile_v1.0:rs.rp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-1", + "tail": "fsscc_profile_v1.0:rs.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-2", + "tail": "fsscc_profile_v1.0:rs.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-3", + "tail": "fsscc_profile_v1.0:rs.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-4", + "tail": "fsscc_profile_v1.0:rs.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-5", + 
"tail": "fsscc_profile_v1.0:rs.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-1", + "tail": "fsscc_profile_v1.0:rs.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-2", + "tail": "fsscc_profile_v1.0:rs.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-3", + "tail": "fsscc_profile_v1.0:rs.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-4", + "tail": "fsscc_profile_v1.0:rs.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-5", + "tail": "fsscc_profile_v1.0:rs.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-1", + "tail": "fsscc_profile_v1.0:rs.mi", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-2", + "tail": "fsscc_profile_v1.0:rs.mi", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-3", + "tail": "fsscc_profile_v1.0:rs.mi", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im-1", + "tail": "fsscc_profile_v1.0:rs.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im-2", + "tail": "fsscc_profile_v1.0:rs.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1", + "tail": "fsscc_profile_v1.0:rc.rp", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.im-1", + "tail": "fsscc_profile_v1.0:rc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.im-2", + "tail": "fsscc_profile_v1.0:rc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-1", + "tail": "fsscc_profile_v1.0:rc.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-2", + "tail": "fsscc_profile_v1.0:rc.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-3", + "tail": "fsscc_profile_v1.0:rc.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-1", + "tail": "fsscc_profile_v1.0:dm.id", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-2", + "tail": "fsscc_profile_v1.0:dm.id", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-1", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-3", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:dm.ed-5", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-7", + "tail": "fsscc_profile_v1.0:dm.ed", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-1", + "tail": "fsscc_profile_v1.0:dm.rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2", + "tail": "fsscc_profile_v1.0:dm.rs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-1", + "tail": "fsscc_profile_v1.0:dm.be", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-2", + "tail": "fsscc_profile_v1.0:dm.be", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-3", + "tail": "fsscc_profile_v1.0:dm.be", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1.1", + "tail": "fsscc_profile_v1.0:gv.sf-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1.2", + "tail": "fsscc_profile_v1.0:gv.sf-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1.3", + "tail": "fsscc_profile_v1.0:gv.sf-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1.4", + "tail": "fsscc_profile_v1.0:gv.sf-1", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-1.5", + "tail": "fsscc_profile_v1.0:gv.sf-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-2.1", + "tail": "fsscc_profile_v1.0:gv.sf-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-3.1", + "tail": "fsscc_profile_v1.0:gv.sf-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-3.2", + "tail": "fsscc_profile_v1.0:gv.sf-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-3.3", + "tail": "fsscc_profile_v1.0:gv.sf-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sf-4.1", + "tail": "fsscc_profile_v1.0:gv.sf-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.1", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.2", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.3", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.4", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.5", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-1.6", + "tail": "fsscc_profile_v1.0:gv.rm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-2.1", + "tail": "fsscc_profile_v1.0:gv.rm-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-2.2", + "tail": "fsscc_profile_v1.0:gv.rm-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-2.3", + "tail": "fsscc_profile_v1.0:gv.rm-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-3.1", + "tail": "fsscc_profile_v1.0:gv.rm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-3.2", + "tail": "fsscc_profile_v1.0:gv.rm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rm-3.3", + "tail": "fsscc_profile_v1.0:gv.rm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-1.1", + "tail": "fsscc_profile_v1.0:gv.pl-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-1.2", + "tail": "fsscc_profile_v1.0:gv.pl-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-2.1", + "tail": "fsscc_profile_v1.0:gv.pl-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-2.2", + "tail": "fsscc_profile_v1.0:gv.pl-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-2.3", + "tail": "fsscc_profile_v1.0:gv.pl-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-3.1", + "tail": "fsscc_profile_v1.0:gv.pl-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-3.2", + "tail": "fsscc_profile_v1.0:gv.pl-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.pl-3.3", + "tail": "fsscc_profile_v1.0:gv.pl-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-1.1", + "tail": "fsscc_profile_v1.0:gv.rr-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-2.1", + "tail": "fsscc_profile_v1.0:gv.rr-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-2.2", + "tail": "fsscc_profile_v1.0:gv.rr-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-2.3", + "tail": "fsscc_profile_v1.0:gv.rr-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.rr-2.4", + "tail": "fsscc_profile_v1.0:gv.rr-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-1.1", + "tail": "fsscc_profile_v1.0:gv.sp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-1.2", + "tail": "fsscc_profile_v1.0:gv.sp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:gv.sp-2.1", + "tail": "fsscc_profile_v1.0:gv.sp-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-2.2", + "tail": "fsscc_profile_v1.0:gv.sp-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.sp-2.3", + "tail": "fsscc_profile_v1.0:gv.sp-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-1.1", + "tail": "fsscc_profile_v1.0:gv.ir-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-1.2", + "tail": "fsscc_profile_v1.0:gv.ir-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-1.3", + "tail": "fsscc_profile_v1.0:gv.ir-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-1.4", + "tail": "fsscc_profile_v1.0:gv.ir-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-2.1", + "tail": "fsscc_profile_v1.0:gv.ir-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-2.2", + "tail": "fsscc_profile_v1.0:gv.ir-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.ir-3.1", + "tail": "fsscc_profile_v1.0:gv.ir-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-1.1", + "tail": "fsscc_profile_v1.0:gv.au-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-1.2", + "tail": 
"fsscc_profile_v1.0:gv.au-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-1.3", + "tail": "fsscc_profile_v1.0:gv.au-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-1.4", + "tail": "fsscc_profile_v1.0:gv.au-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-2.1", + "tail": "fsscc_profile_v1.0:gv.au-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-2.2", + "tail": "fsscc_profile_v1.0:gv.au-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-3.1", + "tail": "fsscc_profile_v1.0:gv.au-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-3.2", + "tail": "fsscc_profile_v1.0:gv.au-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.au-3.3", + "tail": "fsscc_profile_v1.0:gv.au-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te-1.1", + "tail": "fsscc_profile_v1.0:gv.te-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te-1.2", + "tail": "fsscc_profile_v1.0:gv.te-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:gv.te-2.1", + "tail": "fsscc_profile_v1.0:gv.te-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-1.1", + "tail": "fsscc_profile_v1.0:id.am-1", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-2.1", + "tail": "fsscc_profile_v1.0:id.am-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-3.1", + "tail": "fsscc_profile_v1.0:id.am-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-3.2", + "tail": "fsscc_profile_v1.0:id.am-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-3.3", + "tail": "fsscc_profile_v1.0:id.am-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-4.1", + "tail": "fsscc_profile_v1.0:id.am-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-5.1", + "tail": "fsscc_profile_v1.0:id.am-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-5.2", + "tail": "fsscc_profile_v1.0:id.am-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.am-6.1", + "tail": "fsscc_profile_v1.0:id.am-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-1.1", + "tail": "fsscc_profile_v1.0:id.ra-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-2.1", + "tail": "fsscc_profile_v1.0:id.ra-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-3.1", + "tail": "fsscc_profile_v1.0:id.ra-3", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-3.2", + "tail": "fsscc_profile_v1.0:id.ra-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-3.3", + "tail": "fsscc_profile_v1.0:id.ra-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-4.1", + "tail": "fsscc_profile_v1.0:id.ra-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.1", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.2", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.3", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.4", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.5", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-5.6", + "tail": "fsscc_profile_v1.0:id.ra-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-6.1", + "tail": "fsscc_profile_v1.0:id.ra-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:id.ra-6.2", + "tail": "fsscc_profile_v1.0:id.ra-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-1.1", + "tail": "fsscc_profile_v1.0:pr.ac-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-1.2", + "tail": "fsscc_profile_v1.0:pr.ac-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-1.3", + "tail": "fsscc_profile_v1.0:pr.ac-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-2.1", + "tail": "fsscc_profile_v1.0:pr.ac-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-3.1", + "tail": "fsscc_profile_v1.0:pr.ac-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-3.2", + "tail": "fsscc_profile_v1.0:pr.ac-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-4.1", + "tail": "fsscc_profile_v1.0:pr.ac-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-4.2", + "tail": "fsscc_profile_v1.0:pr.ac-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-4.3", + "tail": "fsscc_profile_v1.0:pr.ac-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-5.1", + "tail": "fsscc_profile_v1.0:pr.ac-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-5.2", + "tail": "fsscc_profile_v1.0:pr.ac-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:pr.ac-6.1", + "tail": "fsscc_profile_v1.0:pr.ac-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-7.1", + "tail": "fsscc_profile_v1.0:pr.ac-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ac-7.2", + "tail": "fsscc_profile_v1.0:pr.ac-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-1.1", + "tail": "fsscc_profile_v1.0:pr.at-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-1.2", + "tail": "fsscc_profile_v1.0:pr.at-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-1.3", + "tail": "fsscc_profile_v1.0:pr.at-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-2.1", + "tail": "fsscc_profile_v1.0:pr.at-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-2.2", + "tail": "fsscc_profile_v1.0:pr.at-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-2.3", + "tail": "fsscc_profile_v1.0:pr.at-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-3.1", + "tail": "fsscc_profile_v1.0:pr.at-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-3.2", + "tail": "fsscc_profile_v1.0:pr.at-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-3.3", + "tail": 
"fsscc_profile_v1.0:pr.at-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-4.1", + "tail": "fsscc_profile_v1.0:pr.at-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-4.2", + "tail": "fsscc_profile_v1.0:pr.at-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.at-5.1", + "tail": "fsscc_profile_v1.0:pr.at-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-1.1", + "tail": "fsscc_profile_v1.0:pr.ds-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-1.2", + "tail": "fsscc_profile_v1.0:pr.ds-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-2.1", + "tail": "fsscc_profile_v1.0:pr.ds-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-2.2", + "tail": "fsscc_profile_v1.0:pr.ds-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-3.1", + "tail": "fsscc_profile_v1.0:pr.ds-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-4.1", + "tail": "fsscc_profile_v1.0:pr.ds-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-5.1", + "tail": "fsscc_profile_v1.0:pr.ds-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-6.1", + "tail": "fsscc_profile_v1.0:pr.ds-6", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-7.1", + "tail": "fsscc_profile_v1.0:pr.ds-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ds-8.1", + "tail": "fsscc_profile_v1.0:pr.ds-8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-1.1", + "tail": "fsscc_profile_v1.0:pr.ip-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-1.2", + "tail": "fsscc_profile_v1.0:pr.ip-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-1.3", + "tail": "fsscc_profile_v1.0:pr.ip-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-2.1", + "tail": "fsscc_profile_v1.0:pr.ip-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-2.2", + "tail": "fsscc_profile_v1.0:pr.ip-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-2.3", + "tail": "fsscc_profile_v1.0:pr.ip-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-3.1", + "tail": "fsscc_profile_v1.0:pr.ip-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-4.1", + "tail": "fsscc_profile_v1.0:pr.ip-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-4.2", + "tail": "fsscc_profile_v1.0:pr.ip-4", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-4.3", + "tail": "fsscc_profile_v1.0:pr.ip-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-4.4", + "tail": "fsscc_profile_v1.0:pr.ip-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-5.1", + "tail": "fsscc_profile_v1.0:pr.ip-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-6.1", + "tail": "fsscc_profile_v1.0:pr.ip-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-7.1", + "tail": "fsscc_profile_v1.0:pr.ip-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-8.1", + "tail": "fsscc_profile_v1.0:pr.ip-8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-9.1", + "tail": "fsscc_profile_v1.0:pr.ip-9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-9.2", + "tail": "fsscc_profile_v1.0:pr.ip-9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-10.1", + "tail": "fsscc_profile_v1.0:pr.ip-10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-10.2", + "tail": "fsscc_profile_v1.0:pr.ip-10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-10.3", + "tail": "fsscc_profile_v1.0:pr.ip-10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-10.4", + "tail": "fsscc_profile_v1.0:pr.ip-10", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-11.1", + "tail": "fsscc_profile_v1.0:pr.ip-11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-11.2", + "tail": "fsscc_profile_v1.0:pr.ip-11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-11.3", + "tail": "fsscc_profile_v1.0:pr.ip-11", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-12.1", + "tail": "fsscc_profile_v1.0:pr.ip-12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-12.2", + "tail": "fsscc_profile_v1.0:pr.ip-12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-12.3", + "tail": "fsscc_profile_v1.0:pr.ip-12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ip-12.4", + "tail": "fsscc_profile_v1.0:pr.ip-12", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ma-1.1", + "tail": "fsscc_profile_v1.0:pr.ma-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.ma-2.1", + "tail": "fsscc_profile_v1.0:pr.ma-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-1.1", + "tail": "fsscc_profile_v1.0:pr.pt-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-1.2", + "tail": "fsscc_profile_v1.0:pr.pt-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-2.1", + "tail": "fsscc_profile_v1.0:pr.pt-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-3.1", + "tail": "fsscc_profile_v1.0:pr.pt-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-4.1", + "tail": "fsscc_profile_v1.0:pr.pt-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:pr.pt-5.1", + "tail": "fsscc_profile_v1.0:pr.pt-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-1.1", + "tail": "fsscc_profile_v1.0:de.ae-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-2.1", + "tail": "fsscc_profile_v1.0:de.ae-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-3.1", + "tail": "fsscc_profile_v1.0:de.ae-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-3.2", + "tail": "fsscc_profile_v1.0:de.ae-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-4.1", + "tail": "fsscc_profile_v1.0:de.ae-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.ae-5.1", + "tail": "fsscc_profile_v1.0:de.ae-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:de.cm-1.1", + "tail": "fsscc_profile_v1.0:de.cm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-1.2", + "tail": "fsscc_profile_v1.0:de.cm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-1.3", + "tail": "fsscc_profile_v1.0:de.cm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-1.4", + "tail": "fsscc_profile_v1.0:de.cm-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-2.1", + "tail": "fsscc_profile_v1.0:de.cm-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-3.1", + "tail": "fsscc_profile_v1.0:de.cm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-3.2", + "tail": "fsscc_profile_v1.0:de.cm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-3.3", + "tail": "fsscc_profile_v1.0:de.cm-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-4.1", + "tail": "fsscc_profile_v1.0:de.cm-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-4.2", + "tail": "fsscc_profile_v1.0:de.cm-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-5.1", + "tail": "fsscc_profile_v1.0:de.cm-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-6.1", + "tail": 
"fsscc_profile_v1.0:de.cm-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-6.2", + "tail": "fsscc_profile_v1.0:de.cm-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-6.3", + "tail": "fsscc_profile_v1.0:de.cm-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-7.1", + "tail": "fsscc_profile_v1.0:de.cm-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-7.2", + "tail": "fsscc_profile_v1.0:de.cm-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-7.3", + "tail": "fsscc_profile_v1.0:de.cm-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-7.4", + "tail": "fsscc_profile_v1.0:de.cm-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-8.1", + "tail": "fsscc_profile_v1.0:de.cm-8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.cm-8.2", + "tail": "fsscc_profile_v1.0:de.cm-8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-1.1", + "tail": "fsscc_profile_v1.0:de.dp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-2.1", + "tail": "fsscc_profile_v1.0:de.dp-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-3.1", + "tail": "fsscc_profile_v1.0:de.dp-3", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-4.1", + "tail": "fsscc_profile_v1.0:de.dp-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-4.2", + "tail": "fsscc_profile_v1.0:de.dp-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:de.dp-5.1", + "tail": "fsscc_profile_v1.0:de.dp-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.rp-1.1", + "tail": "fsscc_profile_v1.0:rs.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-1.1", + "tail": "fsscc_profile_v1.0:rs.co-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-1.2", + "tail": "fsscc_profile_v1.0:rs.co-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-1.3", + "tail": "fsscc_profile_v1.0:rs.co-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-2.1", + "tail": "fsscc_profile_v1.0:rs.co-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-2.2", + "tail": "fsscc_profile_v1.0:rs.co-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-2.3", + "tail": "fsscc_profile_v1.0:rs.co-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-2.4", + "tail": "fsscc_profile_v1.0:rs.co-2", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-3.1", + "tail": "fsscc_profile_v1.0:rs.co-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-3.2", + "tail": "fsscc_profile_v1.0:rs.co-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-4.1", + "tail": "fsscc_profile_v1.0:rs.co-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-5.1", + "tail": "fsscc_profile_v1.0:rs.co-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-5.2", + "tail": "fsscc_profile_v1.0:rs.co-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.co-5.3", + "tail": "fsscc_profile_v1.0:rs.co-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-1.1", + "tail": "fsscc_profile_v1.0:rs.an-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-2.1", + "tail": "fsscc_profile_v1.0:rs.an-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-2.2", + "tail": "fsscc_profile_v1.0:rs.an-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-3.1", + "tail": "fsscc_profile_v1.0:rs.an-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-4.1", + "tail": "fsscc_profile_v1.0:rs.an-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-5.1", + "tail": "fsscc_profile_v1.0:rs.an-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-5.2", + "tail": "fsscc_profile_v1.0:rs.an-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.an-5.3", + "tail": "fsscc_profile_v1.0:rs.an-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-1.1", + "tail": "fsscc_profile_v1.0:rs.mi-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-1.2", + "tail": "fsscc_profile_v1.0:rs.mi-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-2.1", + "tail": "fsscc_profile_v1.0:rs.mi-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-3.1", + "tail": "fsscc_profile_v1.0:rs.mi-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.mi-3.2", + "tail": "fsscc_profile_v1.0:rs.mi-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im-1.1", + "tail": "fsscc_profile_v1.0:rs.im-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im-1.2", + "tail": "fsscc_profile_v1.0:rs.im-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rs.im-1.3", + "tail": "fsscc_profile_v1.0:rs.im-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:rs.im-2.1", + "tail": "fsscc_profile_v1.0:rs.im-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.1", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.2", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.3", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.4", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.5", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.rp-1.6", + "tail": "fsscc_profile_v1.0:rc.rp-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.im-1.1", + "tail": "fsscc_profile_v1.0:rc.im-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.im-2.1", + "tail": "fsscc_profile_v1.0:rc.im-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-1.1", + "tail": "fsscc_profile_v1.0:rc.co-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-1.2", + "tail": "fsscc_profile_v1.0:rc.co-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-2.1", + "tail": 
"fsscc_profile_v1.0:rc.co-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:rc.co-3.1", + "tail": "fsscc_profile_v1.0:rc.co-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-1.1", + "tail": "fsscc_profile_v1.0:dm.id-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-1.2", + "tail": "fsscc_profile_v1.0:dm.id-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-1.3", + "tail": "fsscc_profile_v1.0:dm.id-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-1.4", + "tail": "fsscc_profile_v1.0:dm.id-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.id-2.1", + "tail": "fsscc_profile_v1.0:dm.id-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-1.1", + "tail": "fsscc_profile_v1.0:dm.ed-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-1.2", + "tail": "fsscc_profile_v1.0:dm.ed-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-1.3", + "tail": "fsscc_profile_v1.0:dm.ed-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2.1", + "tail": "fsscc_profile_v1.0:dm.ed-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2.2", + "tail": "fsscc_profile_v1.0:dm.ed-2", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2.3", + "tail": "fsscc_profile_v1.0:dm.ed-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2.4", + "tail": "fsscc_profile_v1.0:dm.ed-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-2.5", + "tail": "fsscc_profile_v1.0:dm.ed-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-3.1", + "tail": "fsscc_profile_v1.0:dm.ed-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-3.2", + "tail": "fsscc_profile_v1.0:dm.ed-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4.1", + "tail": "fsscc_profile_v1.0:dm.ed-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4.2", + "tail": "fsscc_profile_v1.0:dm.ed-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4.3", + "tail": "fsscc_profile_v1.0:dm.ed-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4.4", + "tail": "fsscc_profile_v1.0:dm.ed-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-4.5", + "tail": "fsscc_profile_v1.0:dm.ed-4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-5.1", + "tail": "fsscc_profile_v1.0:dm.ed-5", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-5.2", + "tail": "fsscc_profile_v1.0:dm.ed-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-5.3", + "tail": "fsscc_profile_v1.0:dm.ed-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-5.4", + "tail": "fsscc_profile_v1.0:dm.ed-5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.1", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.2", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.3", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.4", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.5", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.6", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-6.7", + "tail": "fsscc_profile_v1.0:dm.ed-6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-7.1", + "tail": "fsscc_profile_v1.0:dm.ed-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-7.2", + "tail": "fsscc_profile_v1.0:dm.ed-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-7.3", + "tail": "fsscc_profile_v1.0:dm.ed-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.ed-7.4", + "tail": "fsscc_profile_v1.0:dm.ed-7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-1.1", + "tail": "fsscc_profile_v1.0:dm.rs-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-1.2", + "tail": "fsscc_profile_v1.0:dm.rs-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-1.3", + "tail": "fsscc_profile_v1.0:dm.rs-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2.1", + "tail": "fsscc_profile_v1.0:dm.rs-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2.2", + "tail": "fsscc_profile_v1.0:dm.rs-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2.3", + "tail": "fsscc_profile_v1.0:dm.rs-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2.4", + "tail": "fsscc_profile_v1.0:dm.rs-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.rs-2.5", + "tail": "fsscc_profile_v1.0:dm.rs-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": 
"fsscc_profile_v1.0:dm.be-1.1", + "tail": "fsscc_profile_v1.0:dm.be-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-1.2", + "tail": "fsscc_profile_v1.0:dm.be-1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-2.1", + "tail": "fsscc_profile_v1.0:dm.be-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-2.2", + "tail": "fsscc_profile_v1.0:dm.be-2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "fsscc_profile_v1.0", + "head": "fsscc_profile_v1.0:dm.be-3.1", + "tail": "fsscc_profile_v1.0:dm.be-3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g", + "tail": "ffiec_cat_v2017.05:d1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm", + "tail": "ffiec_cat_v2017.05:d1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r", + "tail": "ffiec_cat_v2017.05:d1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc", + "tail": "ffiec_cat_v2017.05:d1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti", + "tail": "ffiec_cat_v2017.05:d2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma", + "tail": "ffiec_cat_v2017.05:d2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is", + "tail": "ffiec_cat_v2017.05:d2", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc", + "tail": "ffiec_cat_v2017.05:d3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc", + "tail": "ffiec_cat_v2017.05:d3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc", + "tail": "ffiec_cat_v2017.05:d3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c", + "tail": "ffiec_cat_v2017.05:d4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm", + "tail": "ffiec_cat_v2017.05:d4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir", + "tail": "ffiec_cat_v2017.05:d5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr", + "tail": "ffiec_cat_v2017.05:d5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er", + "tail": "ffiec_cat_v2017.05:d5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov", + "tail": "ffiec_cat_v2017.05:d1.g", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp", + "tail": "ffiec_cat_v2017.05:d1.g", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it", + "tail": "ffiec_cat_v2017.05:d1.g", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp", + "tail": 
"ffiec_cat_v2017.05:d1.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra", + "tail": "ffiec_cat_v2017.05:d1.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au", + "tail": "ffiec_cat_v2017.05:d1.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st", + "tail": "ffiec_cat_v2017.05:d1.r", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr", + "tail": "ffiec_cat_v2017.05:d1.tc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu", + "tail": "ffiec_cat_v2017.05:d1.tc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti", + "tail": "ffiec_cat_v2017.05:d2.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma", + "tail": "ffiec_cat_v2017.05:d2.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is", + "tail": "ffiec_cat_v2017.05:d2.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im", + "tail": "ffiec_cat_v2017.05:d3.pc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am", + "tail": "ffiec_cat_v2017.05:d3.pc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de", + "tail": "ffiec_cat_v2017.05:d3.pc", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se", + "tail": "ffiec_cat_v2017.05:d3.pc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th", + "tail": "ffiec_cat_v2017.05:d3.dc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an", + "tail": "ffiec_cat_v2017.05:d3.dc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev", + "tail": "ffiec_cat_v2017.05:d3.dc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa", + "tail": "ffiec_cat_v2017.05:d3.cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re", + "tail": "ffiec_cat_v2017.05:d3.cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co", + "tail": "ffiec_cat_v2017.05:d4.c", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd", + "tail": "ffiec_cat_v2017.05:d4.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co", + "tail": "ffiec_cat_v2017.05:d4.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om", + "tail": "ffiec_cat_v2017.05:d4.rm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl", + "tail": "ffiec_cat_v2017.05:d5.ir", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d5.ir.te", + "tail": "ffiec_cat_v2017.05:d5.ir", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de", + "tail": "ffiec_cat_v2017.05:d5.dr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re", + "tail": "ffiec_cat_v2017.05:d5.dr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es", + "tail": "ffiec_cat_v2017.05:d5.er", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b", + "tail": "ffiec_cat_v2017.05:d1.g.ov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.e", + "tail": "ffiec_cat_v2017.05:d1.g.ov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int", + "tail": "ffiec_cat_v2017.05:d1.g.ov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a", + "tail": "ffiec_cat_v2017.05:d1.g.ov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.inn", + "tail": "ffiec_cat_v2017.05:d1.g.ov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b", + "tail": "ffiec_cat_v2017.05:d1.g.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.e", + "tail": "ffiec_cat_v2017.05:d1.g.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int", + "tail": 
"ffiec_cat_v2017.05:d1.g.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a", + "tail": "ffiec_cat_v2017.05:d1.g.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.inn", + "tail": "ffiec_cat_v2017.05:d1.g.sp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.b", + "tail": "ffiec_cat_v2017.05:d1.g.it", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.e", + "tail": "ffiec_cat_v2017.05:d1.g.it", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.int", + "tail": "ffiec_cat_v2017.05:d1.g.it", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.a", + "tail": "ffiec_cat_v2017.05:d1.g.it", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.inn", + "tail": "ffiec_cat_v2017.05:d1.g.it", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.b", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.e", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "tail": 
"ffiec_cat_v2017.05:d1.rm.rmp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.inn", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.b", + "tail": "ffiec_cat_v2017.05:d1.rm.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.e", + "tail": "ffiec_cat_v2017.05:d1.rm.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.int", + "tail": "ffiec_cat_v2017.05:d1.rm.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.a", + "tail": "ffiec_cat_v2017.05:d1.rm.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.inn", + "tail": "ffiec_cat_v2017.05:d1.rm.ra", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.b", + "tail": "ffiec_cat_v2017.05:d1.rm.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e", + "tail": "ffiec_cat_v2017.05:d1.rm.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.int", + "tail": "ffiec_cat_v2017.05:d1.rm.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.a", + "tail": "ffiec_cat_v2017.05:d1.rm.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.inn", + "tail": 
"ffiec_cat_v2017.05:d1.rm.au", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.b", + "tail": "ffiec_cat_v2017.05:d1.r.st", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.e", + "tail": "ffiec_cat_v2017.05:d1.r.st", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.int", + "tail": "ffiec_cat_v2017.05:d1.r.st", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.a", + "tail": "ffiec_cat_v2017.05:d1.r.st", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.inn", + "tail": "ffiec_cat_v2017.05:d1.r.st", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.b", + "tail": "ffiec_cat_v2017.05:d1.tc.tr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e", + "tail": "ffiec_cat_v2017.05:d1.tc.tr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.int", + "tail": "ffiec_cat_v2017.05:d1.tc.tr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.a", + "tail": "ffiec_cat_v2017.05:d1.tc.tr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.inn", + "tail": "ffiec_cat_v2017.05:d1.tc.tr", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.b", + "tail": 
"ffiec_cat_v2017.05:d1.tc.cu", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.e", + "tail": "ffiec_cat_v2017.05:d1.tc.cu", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.int", + "tail": "ffiec_cat_v2017.05:d1.tc.cu", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.a", + "tail": "ffiec_cat_v2017.05:d1.tc.cu", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.inn", + "tail": "ffiec_cat_v2017.05:d1.tc.cu", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.b", + "tail": "ffiec_cat_v2017.05:d2.ti.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.e", + "tail": "ffiec_cat_v2017.05:d2.ti.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.int", + "tail": "ffiec_cat_v2017.05:d2.ti.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.a", + "tail": "ffiec_cat_v2017.05:d2.ti.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.inn", + "tail": "ffiec_cat_v2017.05:d2.ti.ti", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.b", + "tail": "ffiec_cat_v2017.05:d2.ma.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.e", + "tail": 
"ffiec_cat_v2017.05:d2.ma.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.int", + "tail": "ffiec_cat_v2017.05:d2.ma.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a", + "tail": "ffiec_cat_v2017.05:d2.ma.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.inn", + "tail": "ffiec_cat_v2017.05:d2.ma.ma", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.b", + "tail": "ffiec_cat_v2017.05:d2.is.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.e", + "tail": "ffiec_cat_v2017.05:d2.is.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.int", + "tail": "ffiec_cat_v2017.05:d2.is.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.a", + "tail": "ffiec_cat_v2017.05:d2.is.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.inn", + "tail": "ffiec_cat_v2017.05:d2.is.is", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b", + "tail": "ffiec_cat_v2017.05:d3.pc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e", + "tail": "ffiec_cat_v2017.05:d3.pc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int", + "tail": 
"ffiec_cat_v2017.05:d3.pc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.a", + "tail": "ffiec_cat_v2017.05:d3.pc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.inn", + "tail": "ffiec_cat_v2017.05:d3.pc.im", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b", + "tail": "ffiec_cat_v2017.05:d3.pc.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.e", + "tail": "ffiec_cat_v2017.05:d3.pc.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int", + "tail": "ffiec_cat_v2017.05:d3.pc.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.a", + "tail": "ffiec_cat_v2017.05:d3.pc.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn", + "tail": "ffiec_cat_v2017.05:d3.pc.am", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.b", + "tail": "ffiec_cat_v2017.05:d3.pc.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e", + "tail": "ffiec_cat_v2017.05:d3.pc.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.int", + "tail": "ffiec_cat_v2017.05:d3.pc.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.a", + "tail": 
"ffiec_cat_v2017.05:d3.pc.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.inn", + "tail": "ffiec_cat_v2017.05:d3.pc.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.b", + "tail": "ffiec_cat_v2017.05:d3.pc.se", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.e", + "tail": "ffiec_cat_v2017.05:d3.pc.se", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.int", + "tail": "ffiec_cat_v2017.05:d3.pc.se", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.a", + "tail": "ffiec_cat_v2017.05:d3.pc.se", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.inn", + "tail": "ffiec_cat_v2017.05:d3.pc.se", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.b", + "tail": "ffiec_cat_v2017.05:d3.dc.th", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e", + "tail": "ffiec_cat_v2017.05:d3.dc.th", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.int", + "tail": "ffiec_cat_v2017.05:d3.dc.th", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.a", + "tail": "ffiec_cat_v2017.05:d3.dc.th", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.inn", + "tail": 
"ffiec_cat_v2017.05:d3.dc.th", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b", + "tail": "ffiec_cat_v2017.05:d3.dc.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.e", + "tail": "ffiec_cat_v2017.05:d3.dc.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int", + "tail": "ffiec_cat_v2017.05:d3.dc.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a", + "tail": "ffiec_cat_v2017.05:d3.dc.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.inn", + "tail": "ffiec_cat_v2017.05:d3.dc.an", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b", + "tail": "ffiec_cat_v2017.05:d3.dc.ev", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.e", + "tail": "ffiec_cat_v2017.05:d3.dc.ev", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.int", + "tail": "ffiec_cat_v2017.05:d3.dc.ev", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.a", + "tail": "ffiec_cat_v2017.05:d3.dc.ev", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.inn", + "tail": "ffiec_cat_v2017.05:d3.dc.ev", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.b", + "tail": 
"ffiec_cat_v2017.05:d3.cc.pa", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e", + "tail": "ffiec_cat_v2017.05:d3.cc.pa", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.int", + "tail": "ffiec_cat_v2017.05:d3.cc.pa", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.a", + "tail": "ffiec_cat_v2017.05:d3.cc.pa", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.inn", + "tail": "ffiec_cat_v2017.05:d3.cc.pa", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.b", + "tail": "ffiec_cat_v2017.05:d3.cc.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.e", + "tail": "ffiec_cat_v2017.05:d3.cc.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int", + "tail": "ffiec_cat_v2017.05:d3.cc.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.a", + "tail": "ffiec_cat_v2017.05:d3.cc.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.inn", + "tail": "ffiec_cat_v2017.05:d3.cc.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.b", + "tail": "ffiec_cat_v2017.05:d4.c.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.e", + "tail": 
"ffiec_cat_v2017.05:d4.c.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.int", + "tail": "ffiec_cat_v2017.05:d4.c.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.a", + "tail": "ffiec_cat_v2017.05:d4.c.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.inn", + "tail": "ffiec_cat_v2017.05:d4.c.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.b", + "tail": "ffiec_cat_v2017.05:d4.rm.dd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.e", + "tail": "ffiec_cat_v2017.05:d4.rm.dd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.int", + "tail": "ffiec_cat_v2017.05:d4.rm.dd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.a", + "tail": "ffiec_cat_v2017.05:d4.rm.dd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.inn", + "tail": "ffiec_cat_v2017.05:d4.rm.dd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b", + "tail": "ffiec_cat_v2017.05:d4.rm.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.e", + "tail": "ffiec_cat_v2017.05:d4.rm.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.int", + "tail": 
"ffiec_cat_v2017.05:d4.rm.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.a", + "tail": "ffiec_cat_v2017.05:d4.rm.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.inn", + "tail": "ffiec_cat_v2017.05:d4.rm.co", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.b", + "tail": "ffiec_cat_v2017.05:d4.rm.om", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.e", + "tail": "ffiec_cat_v2017.05:d4.rm.om", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.int", + "tail": "ffiec_cat_v2017.05:d4.rm.om", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.a", + "tail": "ffiec_cat_v2017.05:d4.rm.om", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.inn", + "tail": "ffiec_cat_v2017.05:d4.rm.om", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b", + "tail": "ffiec_cat_v2017.05:d5.ir.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e", + "tail": "ffiec_cat_v2017.05:d5.ir.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.int", + "tail": "ffiec_cat_v2017.05:d5.ir.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.a", + "tail": 
"ffiec_cat_v2017.05:d5.ir.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.inn", + "tail": "ffiec_cat_v2017.05:d5.ir.pl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.b", + "tail": "ffiec_cat_v2017.05:d5.ir.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.e", + "tail": "ffiec_cat_v2017.05:d5.ir.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.int", + "tail": "ffiec_cat_v2017.05:d5.ir.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a", + "tail": "ffiec_cat_v2017.05:d5.ir.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.inn", + "tail": "ffiec_cat_v2017.05:d5.ir.te", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.b", + "tail": "ffiec_cat_v2017.05:d5.dr.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.e", + "tail": "ffiec_cat_v2017.05:d5.dr.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int", + "tail": "ffiec_cat_v2017.05:d5.dr.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.a", + "tail": "ffiec_cat_v2017.05:d5.dr.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.inn", + "tail": 
"ffiec_cat_v2017.05:d5.dr.de", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.b", + "tail": "ffiec_cat_v2017.05:d5.dr.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e", + "tail": "ffiec_cat_v2017.05:d5.dr.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.int", + "tail": "ffiec_cat_v2017.05:d5.dr.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.a", + "tail": "ffiec_cat_v2017.05:d5.dr.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.inn", + "tail": "ffiec_cat_v2017.05:d5.dr.re", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.b", + "tail": "ffiec_cat_v2017.05:d5.er.es", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.e", + "tail": "ffiec_cat_v2017.05:d5.er.es", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.int", + "tail": "ffiec_cat_v2017.05:d5.er.es", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.a", + "tail": "ffiec_cat_v2017.05:d5.er.es", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.inn", + "tail": "ffiec_cat_v2017.05:d5.er.es", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b.1", + "tail": 
"ffiec_cat_v2017.05:d1.g.ov.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b.2", + "tail": "ffiec_cat_v2017.05:d1.g.ov.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b.3", + "tail": "ffiec_cat_v2017.05:d1.g.ov.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b.4", + "tail": "ffiec_cat_v2017.05:d1.g.ov.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.b.5", + "tail": "ffiec_cat_v2017.05:d1.g.ov.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.e.1", + "tail": "ffiec_cat_v2017.05:d1.g.ov.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.e.2", + "tail": "ffiec_cat_v2017.05:d1.g.ov.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.e.3", + "tail": "ffiec_cat_v2017.05:d1.g.ov.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.e.4", + "tail": "ffiec_cat_v2017.05:d1.g.ov.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.1", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.2", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d1.g.ov.int.3", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.4", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.5", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.6", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.7", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.int.8", + "tail": "ffiec_cat_v2017.05:d1.g.ov.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.1", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.2", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.3", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.4", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.5", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.a.6", + "tail": "ffiec_cat_v2017.05:d1.g.ov.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.inn.1", + "tail": "ffiec_cat_v2017.05:d1.g.ov.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.ov.inn.2", + "tail": "ffiec_cat_v2017.05:d1.g.ov.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.1", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.2", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.3", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.4", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.5", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.6", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.b.7", + "tail": "ffiec_cat_v2017.05:d1.g.sp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.e.1", + "tail": "ffiec_cat_v2017.05:d1.g.sp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.e.2", + "tail": "ffiec_cat_v2017.05:d1.g.sp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.e.3", + "tail": "ffiec_cat_v2017.05:d1.g.sp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int.1", + "tail": "ffiec_cat_v2017.05:d1.g.sp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int.2", + "tail": "ffiec_cat_v2017.05:d1.g.sp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int.3", + "tail": "ffiec_cat_v2017.05:d1.g.sp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int.4", + "tail": "ffiec_cat_v2017.05:d1.g.sp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.int.5", + "tail": "ffiec_cat_v2017.05:d1.g.sp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a.1", + "tail": "ffiec_cat_v2017.05:d1.g.sp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a.2", + "tail": "ffiec_cat_v2017.05:d1.g.sp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a.3", + "tail": "ffiec_cat_v2017.05:d1.g.sp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a.4", + "tail": "ffiec_cat_v2017.05:d1.g.sp.a", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.a.5", + "tail": "ffiec_cat_v2017.05:d1.g.sp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.sp.inn.1", + "tail": "ffiec_cat_v2017.05:d1.g.sp.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.b.1", + "tail": "ffiec_cat_v2017.05:d1.g.it.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.b.2", + "tail": "ffiec_cat_v2017.05:d1.g.it.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.b.3", + "tail": "ffiec_cat_v2017.05:d1.g.it.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.b.4", + "tail": "ffiec_cat_v2017.05:d1.g.it.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.e.1", + "tail": "ffiec_cat_v2017.05:d1.g.it.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.e.2", + "tail": "ffiec_cat_v2017.05:d1.g.it.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.e.3", + "tail": "ffiec_cat_v2017.05:d1.g.it.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.e.4", + "tail": "ffiec_cat_v2017.05:d1.g.it.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.int.1", + "tail": "ffiec_cat_v2017.05:d1.g.it.int", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.int.2", + "tail": "ffiec_cat_v2017.05:d1.g.it.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.a.1", + "tail": "ffiec_cat_v2017.05:d1.g.it.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.a.2", + "tail": "ffiec_cat_v2017.05:d1.g.it.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.a.3", + "tail": "ffiec_cat_v2017.05:d1.g.it.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.a.4", + "tail": "ffiec_cat_v2017.05:d1.g.it.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.inn.1", + "tail": "ffiec_cat_v2017.05:d1.g.it.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.g.it.inn.2", + "tail": "ffiec_cat_v2017.05:d1.g.it.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.b.1", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.e.1", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.e.2", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.e.3", + "tail": 
"ffiec_cat_v2017.05:d1.rm.rmp.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int.1", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int.2", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int.3", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int.4", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.int.5", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a.1", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a.2", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a.3", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a.4", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.a.5", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.inn.1", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.rmp.inn.2", + "tail": "ffiec_cat_v2017.05:d1.rm.rmp.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.b.1", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.b.2", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.b.3", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.e.1", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.e.2", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.e.3", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.int.1", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.a.1", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.inn.1", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.inn", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.inn.2", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.ra.inn.3", + "tail": "ffiec_cat_v2017.05:d1.rm.ra.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.b.1", + "tail": "ffiec_cat_v2017.05:d1.rm.au.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.b.2", + "tail": "ffiec_cat_v2017.05:d1.rm.au.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.b.3", + "tail": "ffiec_cat_v2017.05:d1.rm.au.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.b.4", + "tail": "ffiec_cat_v2017.05:d1.rm.au.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e.1", + "tail": "ffiec_cat_v2017.05:d1.rm.au.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e.2", + "tail": "ffiec_cat_v2017.05:d1.rm.au.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e.3", + "tail": "ffiec_cat_v2017.05:d1.rm.au.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e.4", + "tail": "ffiec_cat_v2017.05:d1.rm.au.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.e.5", + "tail": 
"ffiec_cat_v2017.05:d1.rm.au.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.int.1", + "tail": "ffiec_cat_v2017.05:d1.rm.au.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.int.2", + "tail": "ffiec_cat_v2017.05:d1.rm.au.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.int.3", + "tail": "ffiec_cat_v2017.05:d1.rm.au.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.int.4", + "tail": "ffiec_cat_v2017.05:d1.rm.au.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.a.1", + "tail": "ffiec_cat_v2017.05:d1.rm.au.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.a.2", + "tail": "ffiec_cat_v2017.05:d1.rm.au.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.a.3", + "tail": "ffiec_cat_v2017.05:d1.rm.au.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.inn.1", + "tail": "ffiec_cat_v2017.05:d1.rm.au.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.rm.au.inn.2", + "tail": "ffiec_cat_v2017.05:d1.rm.au.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.b.1", + "tail": "ffiec_cat_v2017.05:d1.r.st.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + 
"head": "ffiec_cat_v2017.05:d1.r.st.b.2", + "tail": "ffiec_cat_v2017.05:d1.r.st.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.e.1", + "tail": "ffiec_cat_v2017.05:d1.r.st.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.e.2", + "tail": "ffiec_cat_v2017.05:d1.r.st.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.e.3", + "tail": "ffiec_cat_v2017.05:d1.r.st.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.e.4", + "tail": "ffiec_cat_v2017.05:d1.r.st.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.int.1", + "tail": "ffiec_cat_v2017.05:d1.r.st.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.a.1", + "tail": "ffiec_cat_v2017.05:d1.r.st.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.a.2", + "tail": "ffiec_cat_v2017.05:d1.r.st.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.r.st.inn.1", + "tail": "ffiec_cat_v2017.05:d1.r.st.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.b.1", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.b.2", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.b.3", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.b.4", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e.1", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e.2", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e.3", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e.4", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.e.5", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.int.1", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.int.2", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.int.3", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.int.4", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.int", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.a.1", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.tr.inn.1", + "tail": "ffiec_cat_v2017.05:d1.tc.tr.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.b.1", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.e.1", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.e.2", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.e.3", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.int.1", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.int.2", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.int.3", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.a.1", + "tail": "ffiec_cat_v2017.05:d1.tc.cu.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d1.tc.cu.inn.1", + "tail": 
"ffiec_cat_v2017.05:d1.tc.cu.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.b.1", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.b.2", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.b.3", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.e.1", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.int.1", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.int.2", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.int.3", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.a.1", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.a.2", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.a.3", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d2.ti.ti.inn.1", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ti.ti.inn.2", + "tail": "ffiec_cat_v2017.05:d2.ti.ti.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.b.1", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.b.2", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.e.1", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.e.2", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.e.3", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.e.4", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.int.1", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.int.2", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.int.3", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { 
+ "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.int.4", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a.1", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a.2", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a.3", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a.4", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.a.5", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.inn.1", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.inn.2", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.ma.ma.inn.3", + "tail": "ffiec_cat_v2017.05:d2.ma.ma.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.b.1", + "tail": "ffiec_cat_v2017.05:d2.is.is.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.b.2", + "tail": "ffiec_cat_v2017.05:d2.is.is.b", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.b.3", + "tail": "ffiec_cat_v2017.05:d2.is.is.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.e.1", + "tail": "ffiec_cat_v2017.05:d2.is.is.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.e.2", + "tail": "ffiec_cat_v2017.05:d2.is.is.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.int.1", + "tail": "ffiec_cat_v2017.05:d2.is.is.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.int.2", + "tail": "ffiec_cat_v2017.05:d2.is.is.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.int.3", + "tail": "ffiec_cat_v2017.05:d2.is.is.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.int.4", + "tail": "ffiec_cat_v2017.05:d2.is.is.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.a.1", + "tail": "ffiec_cat_v2017.05:d2.is.is.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.a.2", + "tail": "ffiec_cat_v2017.05:d2.is.is.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.a.3", + "tail": "ffiec_cat_v2017.05:d2.is.is.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.inn.1", + "tail": 
"ffiec_cat_v2017.05:d2.is.is.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.inn.2", + "tail": "ffiec_cat_v2017.05:d2.is.is.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d2.is.is.inn.3", + "tail": "ffiec_cat_v2017.05:d2.is.is.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.1", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.2", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.3", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.4", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.5", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.6", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.7", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.8", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d3.pc.im.b.9", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.b.10", + "tail": "ffiec_cat_v2017.05:d3.pc.im.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.1", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.2", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.3", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.4", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.5", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.6", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.7", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.e.8", + "tail": "ffiec_cat_v2017.05:d3.pc.im.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.1", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.2", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.3", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.4", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.5", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.int.6", + "tail": "ffiec_cat_v2017.05:d3.pc.im.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.a.1", + "tail": "ffiec_cat_v2017.05:d3.pc.im.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.a.2", + "tail": "ffiec_cat_v2017.05:d3.pc.im.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.a.3", + "tail": "ffiec_cat_v2017.05:d3.pc.im.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.inn.1", + "tail": "ffiec_cat_v2017.05:d3.pc.im.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.inn.2", + "tail": "ffiec_cat_v2017.05:d3.pc.im.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.inn.3", + "tail": "ffiec_cat_v2017.05:d3.pc.im.inn", + "type_raw": 
null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.im.inn.4", + "tail": "ffiec_cat_v2017.05:d3.pc.im.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.1", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.2", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.3", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.4", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.5", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.6", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.7", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.8", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.9", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.10", + "tail": 
"ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.11", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.12", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.13", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.14", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.15", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.16", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.17", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.b.18", + "tail": "ffiec_cat_v2017.05:d3.pc.am.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.e.1", + "tail": "ffiec_cat_v2017.05:d3.pc.am.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.e.2", + "tail": "ffiec_cat_v2017.05:d3.pc.am.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d3.pc.am.e.3", + "tail": "ffiec_cat_v2017.05:d3.pc.am.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.e.4", + "tail": "ffiec_cat_v2017.05:d3.pc.am.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.e.5", + "tail": "ffiec_cat_v2017.05:d3.pc.am.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.1", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.2", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.3", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.4", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.5", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.6", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.7", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.int.8", + "tail": "ffiec_cat_v2017.05:d3.pc.am.int", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.a.1", + "tail": "ffiec_cat_v2017.05:d3.pc.am.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.a.2", + "tail": "ffiec_cat_v2017.05:d3.pc.am.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn.1", + "tail": "ffiec_cat_v2017.05:d3.pc.am.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn.2", + "tail": "ffiec_cat_v2017.05:d3.pc.am.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn.3", + "tail": "ffiec_cat_v2017.05:d3.pc.am.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn.4", + "tail": "ffiec_cat_v2017.05:d3.pc.am.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.am.inn.5", + "tail": "ffiec_cat_v2017.05:d3.pc.am.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.b.1", + "tail": "ffiec_cat_v2017.05:d3.pc.de.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.1", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.2", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.3", + "tail": 
"ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.4", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.5", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.6", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.e.7", + "tail": "ffiec_cat_v2017.05:d3.pc.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.int.1", + "tail": "ffiec_cat_v2017.05:d3.pc.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.int.2", + "tail": "ffiec_cat_v2017.05:d3.pc.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.int.3", + "tail": "ffiec_cat_v2017.05:d3.pc.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.a.1", + "tail": "ffiec_cat_v2017.05:d3.pc.de.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.a.2", + "tail": "ffiec_cat_v2017.05:d3.pc.de.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.de.inn.1", + "tail": "ffiec_cat_v2017.05:d3.pc.de.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d3.pc.se.b.1", + "tail": "ffiec_cat_v2017.05:d3.pc.se.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.b.2", + "tail": "ffiec_cat_v2017.05:d3.pc.se.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.b.3", + "tail": "ffiec_cat_v2017.05:d3.pc.se.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.b.4", + "tail": "ffiec_cat_v2017.05:d3.pc.se.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.e.1", + "tail": "ffiec_cat_v2017.05:d3.pc.se.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.int.1", + "tail": "ffiec_cat_v2017.05:d3.pc.se.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.int.2", + "tail": "ffiec_cat_v2017.05:d3.pc.se.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.int.3", + "tail": "ffiec_cat_v2017.05:d3.pc.se.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.int.4", + "tail": "ffiec_cat_v2017.05:d3.pc.se.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.a.1", + "tail": "ffiec_cat_v2017.05:d3.pc.se.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.a.2", + "tail": "ffiec_cat_v2017.05:d3.pc.se.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.a.3", + "tail": "ffiec_cat_v2017.05:d3.pc.se.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.pc.se.inn.1", + "tail": "ffiec_cat_v2017.05:d3.pc.se.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.b.1", + "tail": "ffiec_cat_v2017.05:d3.dc.th.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.b.2", + "tail": "ffiec_cat_v2017.05:d3.dc.th.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.b.3", + "tail": "ffiec_cat_v2017.05:d3.dc.th.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.b.4", + "tail": "ffiec_cat_v2017.05:d3.dc.th.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.1", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.2", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.3", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.4", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.5", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.e.6", + "tail": "ffiec_cat_v2017.05:d3.dc.th.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.int.1", + "tail": "ffiec_cat_v2017.05:d3.dc.th.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.int.2", + "tail": "ffiec_cat_v2017.05:d3.dc.th.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.a.1", + "tail": "ffiec_cat_v2017.05:d3.dc.th.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.a.2", + "tail": "ffiec_cat_v2017.05:d3.dc.th.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.a.3", + "tail": "ffiec_cat_v2017.05:d3.dc.th.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.inn.1", + "tail": "ffiec_cat_v2017.05:d3.dc.th.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.th.inn.2", + "tail": "ffiec_cat_v2017.05:d3.dc.th.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b.1", + "tail": "ffiec_cat_v2017.05:d3.dc.an.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b.2", + "tail": "ffiec_cat_v2017.05:d3.dc.an.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b.3", + "tail": 
"ffiec_cat_v2017.05:d3.dc.an.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b.4", + "tail": "ffiec_cat_v2017.05:d3.dc.an.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.b.5", + "tail": "ffiec_cat_v2017.05:d3.dc.an.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.e.1", + "tail": "ffiec_cat_v2017.05:d3.dc.an.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.e.2", + "tail": "ffiec_cat_v2017.05:d3.dc.an.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.e.3", + "tail": "ffiec_cat_v2017.05:d3.dc.an.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.e.4", + "tail": "ffiec_cat_v2017.05:d3.dc.an.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int.1", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int.2", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int.3", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int.4", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d3.dc.an.int.5", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.int.6", + "tail": "ffiec_cat_v2017.05:d3.dc.an.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a.1", + "tail": "ffiec_cat_v2017.05:d3.dc.an.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a.2", + "tail": "ffiec_cat_v2017.05:d3.dc.an.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a.3", + "tail": "ffiec_cat_v2017.05:d3.dc.an.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a.4", + "tail": "ffiec_cat_v2017.05:d3.dc.an.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.a.5", + "tail": "ffiec_cat_v2017.05:d3.dc.an.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.inn.1", + "tail": "ffiec_cat_v2017.05:d3.dc.an.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.an.inn.2", + "tail": "ffiec_cat_v2017.05:d3.dc.an.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b.1", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b.2", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b.3", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b.4", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.b.5", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.e.1", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.int.1", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.int.2", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.int.3", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.a.1", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.a.2", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.a.3", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.a.4", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.a", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.inn.1", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.dc.ev.inn.2", + "tail": "ffiec_cat_v2017.05:d3.dc.ev.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.b.1", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.b.2", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.b.3", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e.1", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e.2", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e.3", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e.4", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.e.5", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.int.1", + "tail": 
"ffiec_cat_v2017.05:d3.cc.pa.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.a.1", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.a.2", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.inn.1", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.pa.inn.2", + "tail": "ffiec_cat_v2017.05:d3.cc.pa.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.b.1", + "tail": "ffiec_cat_v2017.05:d3.cc.re.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.e.1", + "tail": "ffiec_cat_v2017.05:d3.cc.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.e.2", + "tail": "ffiec_cat_v2017.05:d3.cc.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int.1", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int.2", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int.3", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + 
"head": "ffiec_cat_v2017.05:d3.cc.re.int.4", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int.5", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.int.6", + "tail": "ffiec_cat_v2017.05:d3.cc.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.a.1", + "tail": "ffiec_cat_v2017.05:d3.cc.re.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d3.cc.re.inn.1", + "tail": "ffiec_cat_v2017.05:d3.cc.re.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.b.1", + "tail": "ffiec_cat_v2017.05:d4.c.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.b.2", + "tail": "ffiec_cat_v2017.05:d4.c.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.b.3", + "tail": "ffiec_cat_v2017.05:d4.c.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.b.4", + "tail": "ffiec_cat_v2017.05:d4.c.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.e.1", + "tail": "ffiec_cat_v2017.05:d4.c.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.e.2", + "tail": "ffiec_cat_v2017.05:d4.c.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.e.3", + "tail": "ffiec_cat_v2017.05:d4.c.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.e.4", + "tail": "ffiec_cat_v2017.05:d4.c.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.int.1", + "tail": "ffiec_cat_v2017.05:d4.c.co.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.int.2", + "tail": "ffiec_cat_v2017.05:d4.c.co.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.int.3", + "tail": "ffiec_cat_v2017.05:d4.c.co.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.int.4", + "tail": "ffiec_cat_v2017.05:d4.c.co.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.a.1", + "tail": "ffiec_cat_v2017.05:d4.c.co.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.a.2", + "tail": "ffiec_cat_v2017.05:d4.c.co.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.inn.1", + "tail": "ffiec_cat_v2017.05:d4.c.co.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.c.co.inn.2", + "tail": "ffiec_cat_v2017.05:d4.c.co.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.b.1", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.b", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.b.2", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.b.3", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.e.1", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.e.2", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.int.1", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.int.2", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.a.1", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.a.2", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.inn.1", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.dd.inn.2", + "tail": "ffiec_cat_v2017.05:d4.rm.dd.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.1", + "tail": 
"ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.2", + "tail": "ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.3", + "tail": "ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.4", + "tail": "ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.5", + "tail": "ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.b.6", + "tail": "ffiec_cat_v2017.05:d4.rm.co.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.e.1", + "tail": "ffiec_cat_v2017.05:d4.rm.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.e.2", + "tail": "ffiec_cat_v2017.05:d4.rm.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.e.3", + "tail": "ffiec_cat_v2017.05:d4.rm.co.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.int.1", + "tail": "ffiec_cat_v2017.05:d4.rm.co.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.a.1", + "tail": "ffiec_cat_v2017.05:d4.rm.co.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d4.rm.co.a.2", + "tail": "ffiec_cat_v2017.05:d4.rm.co.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.co.inn.1", + "tail": "ffiec_cat_v2017.05:d4.rm.co.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.b.1", + "tail": "ffiec_cat_v2017.05:d4.rm.om.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.b.2", + "tail": "ffiec_cat_v2017.05:d4.rm.om.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.b.3", + "tail": "ffiec_cat_v2017.05:d4.rm.om.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.e.1", + "tail": "ffiec_cat_v2017.05:d4.rm.om.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.e.2", + "tail": "ffiec_cat_v2017.05:d4.rm.om.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.e.3", + "tail": "ffiec_cat_v2017.05:d4.rm.om.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.e.4", + "tail": "ffiec_cat_v2017.05:d4.rm.om.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.int.1", + "tail": "ffiec_cat_v2017.05:d4.rm.om.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.int.2", + "tail": "ffiec_cat_v2017.05:d4.rm.om.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.a.1", + "tail": "ffiec_cat_v2017.05:d4.rm.om.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d4.rm.om.inn.1", + "tail": "ffiec_cat_v2017.05:d4.rm.om.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.1", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.2", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.3", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.4", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.5", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.b.6", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e.1", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e.2", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e.3", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.e", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e.4", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.e.5", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.int.1", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.int.2", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.int.3", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.int.4", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.a.1", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.a.2", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.a.3", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.inn.1", + "tail": "ffiec_cat_v2017.05:d5.ir.pl.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.pl.inn.2", + "tail": 
"ffiec_cat_v2017.05:d5.ir.pl.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.b.1", + "tail": "ffiec_cat_v2017.05:d5.ir.te.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.b.2", + "tail": "ffiec_cat_v2017.05:d5.ir.te.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.b.3", + "tail": "ffiec_cat_v2017.05:d5.ir.te.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.e.1", + "tail": "ffiec_cat_v2017.05:d5.ir.te.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.e.2", + "tail": "ffiec_cat_v2017.05:d5.ir.te.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.e.3", + "tail": "ffiec_cat_v2017.05:d5.ir.te.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.int.1", + "tail": "ffiec_cat_v2017.05:d5.ir.te.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.int.2", + "tail": "ffiec_cat_v2017.05:d5.ir.te.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.int.3", + "tail": "ffiec_cat_v2017.05:d5.ir.te.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.int.4", + "tail": "ffiec_cat_v2017.05:d5.ir.te.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d5.ir.te.int.5", + "tail": "ffiec_cat_v2017.05:d5.ir.te.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a.1", + "tail": "ffiec_cat_v2017.05:d5.ir.te.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a.2", + "tail": "ffiec_cat_v2017.05:d5.ir.te.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a.3", + "tail": "ffiec_cat_v2017.05:d5.ir.te.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a.4", + "tail": "ffiec_cat_v2017.05:d5.ir.te.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.a.5", + "tail": "ffiec_cat_v2017.05:d5.ir.te.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.inn.1", + "tail": "ffiec_cat_v2017.05:d5.ir.te.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.inn.2", + "tail": "ffiec_cat_v2017.05:d5.ir.te.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.inn.3", + "tail": "ffiec_cat_v2017.05:d5.ir.te.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.ir.te.inn.4", + "tail": "ffiec_cat_v2017.05:d5.ir.te.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.b.1", + "tail": "ffiec_cat_v2017.05:d5.dr.de.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { 
+ "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.b.2", + "tail": "ffiec_cat_v2017.05:d5.dr.de.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.b.3", + "tail": "ffiec_cat_v2017.05:d5.dr.de.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.e.1", + "tail": "ffiec_cat_v2017.05:d5.dr.de.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int.1", + "tail": "ffiec_cat_v2017.05:d5.dr.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int.2", + "tail": "ffiec_cat_v2017.05:d5.dr.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int.3", + "tail": "ffiec_cat_v2017.05:d5.dr.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int.4", + "tail": "ffiec_cat_v2017.05:d5.dr.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.int.5", + "tail": "ffiec_cat_v2017.05:d5.dr.de.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.a.1", + "tail": "ffiec_cat_v2017.05:d5.dr.de.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.a.2", + "tail": "ffiec_cat_v2017.05:d5.dr.de.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.de.inn.1", + "tail": "ffiec_cat_v2017.05:d5.dr.de.inn", + "type_raw": 
null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.b.1", + "tail": "ffiec_cat_v2017.05:d5.dr.re.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.1", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.2", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.3", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.4", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.5", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.6", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.7", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.e.8", + "tail": "ffiec_cat_v2017.05:d5.dr.re.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.int.1", + "tail": "ffiec_cat_v2017.05:d5.dr.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.int.2", + "tail": 
"ffiec_cat_v2017.05:d5.dr.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.int.3", + "tail": "ffiec_cat_v2017.05:d5.dr.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.int.4", + "tail": "ffiec_cat_v2017.05:d5.dr.re.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.a.1", + "tail": "ffiec_cat_v2017.05:d5.dr.re.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.a.2", + "tail": "ffiec_cat_v2017.05:d5.dr.re.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.a.3", + "tail": "ffiec_cat_v2017.05:d5.dr.re.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.inn.1", + "tail": "ffiec_cat_v2017.05:d5.dr.re.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.dr.re.inn.2", + "tail": "ffiec_cat_v2017.05:d5.dr.re.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.b.1", + "tail": "ffiec_cat_v2017.05:d5.er.es.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.b.2", + "tail": "ffiec_cat_v2017.05:d5.er.es.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.b.3", + "tail": "ffiec_cat_v2017.05:d5.er.es.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": 
"ffiec_cat_v2017.05:d5.er.es.b.4", + "tail": "ffiec_cat_v2017.05:d5.er.es.b", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.e.1", + "tail": "ffiec_cat_v2017.05:d5.er.es.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.e.2", + "tail": "ffiec_cat_v2017.05:d5.er.es.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.e.3", + "tail": "ffiec_cat_v2017.05:d5.er.es.e", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.int.1", + "tail": "ffiec_cat_v2017.05:d5.er.es.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.int.2", + "tail": "ffiec_cat_v2017.05:d5.er.es.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.int.3", + "tail": "ffiec_cat_v2017.05:d5.er.es.int", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.a.1", + "tail": "ffiec_cat_v2017.05:d5.er.es.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.a.2", + "tail": "ffiec_cat_v2017.05:d5.er.es.a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "ffiec_cat_v2017.05", + "head": "ffiec_cat_v2017.05:d5.er.es.inn.1", + "tail": "ffiec_cat_v2017.05:d5.er.es.inn", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9", + "tail": "aicpa_tsc_v2017:cc", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1", + "tail": "aicpa_tsc_v2017:a", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1", + "tail": "aicpa_tsc_v2017:c", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1", + "tail": "aicpa_tsc_v2017:pi", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p7", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8", + "tail": "aicpa_tsc_v2017:p", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1", + "tail": "aicpa_tsc_v2017:cc1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.2", + "tail": "aicpa_tsc_v2017:cc1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3", + "tail": "aicpa_tsc_v2017:cc1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4", + "tail": "aicpa_tsc_v2017:cc1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5", + "tail": "aicpa_tsc_v2017:cc1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.1", + "tail": "aicpa_tsc_v2017:cc2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc2.2", + "tail": "aicpa_tsc_v2017:cc2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3", + "tail": "aicpa_tsc_v2017:cc2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1", + "tail": "aicpa_tsc_v2017:cc3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2", + "tail": "aicpa_tsc_v2017:cc3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.3", + "tail": "aicpa_tsc_v2017:cc3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4", + "tail": "aicpa_tsc_v2017:cc3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1", + "tail": "aicpa_tsc_v2017:cc4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.2", + "tail": "aicpa_tsc_v2017:cc4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1", + "tail": "aicpa_tsc_v2017:cc5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.2", + "tail": "aicpa_tsc_v2017:cc5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3", + "tail": "aicpa_tsc_v2017:cc5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.2", + "tail": "aicpa_tsc_v2017:cc6", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.3", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.4", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.5", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6 ", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.7", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8", + "tail": "aicpa_tsc_v2017:cc6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.1", + "tail": "aicpa_tsc_v2017:cc7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.2", + "tail": "aicpa_tsc_v2017:cc7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3", + "tail": "aicpa_tsc_v2017:cc7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4", + "tail": "aicpa_tsc_v2017:cc7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5", + "tail": "aicpa_tsc_v2017:cc7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1", + "tail": "aicpa_tsc_v2017:cc8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.1", + "tail": "aicpa_tsc_v2017:cc9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2", + "tail": "aicpa_tsc_v2017:cc9", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.1", + "tail": "aicpa_tsc_v2017:a1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2", + "tail": "aicpa_tsc_v2017:a1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.3", + "tail": "aicpa_tsc_v2017:a1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.1", + "tail": "aicpa_tsc_v2017:c1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.2", + "tail": "aicpa_tsc_v2017:c1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.1", + "tail": "aicpa_tsc_v2017:pi1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.2", + "tail": "aicpa_tsc_v2017:pi1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3", + "tail": "aicpa_tsc_v2017:pi1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.4", + "tail": "aicpa_tsc_v2017:pi1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.5", + "tail": 
"aicpa_tsc_v2017:pi1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1.1", + "tail": "aicpa_tsc_v2017:p1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1", + "tail": "aicpa_tsc_v2017:p2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.1", + "tail": "aicpa_tsc_v2017:p3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.2", + "tail": "aicpa_tsc_v2017:p3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.1", + "tail": "aicpa_tsc_v2017:p4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.2", + "tail": "aicpa_tsc_v2017:p4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.3", + "tail": "aicpa_tsc_v2017:p4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.1", + "tail": "aicpa_tsc_v2017:p5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.2", + "tail": "aicpa_tsc_v2017:p5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.1", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.2", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.3", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.4", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.5", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.6", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.7", + "tail": "aicpa_tsc_v2017:p6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p7.1", + "tail": "aicpa_tsc_v2017:p7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1", + "tail": "aicpa_tsc_v2017:p8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1.1", + "tail": "aicpa_tsc_v2017:cc1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1.2", + "tail": "aicpa_tsc_v2017:cc1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1.3", + "tail": "aicpa_tsc_v2017:cc1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1.4", + "tail": "aicpa_tsc_v2017:cc1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.1.5", + "tail": "aicpa_tsc_v2017:cc1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.2.1", + "tail": "aicpa_tsc_v2017:cc1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc1.2.2", + "tail": "aicpa_tsc_v2017:cc1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.2.3", + "tail": "aicpa_tsc_v2017:cc1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.2.4", + "tail": "aicpa_tsc_v2017:cc1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3.1", + "tail": "aicpa_tsc_v2017:cc1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3.2", + "tail": "aicpa_tsc_v2017:cc1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3.3", + "tail": "aicpa_tsc_v2017:cc1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3.4", + "tail": "aicpa_tsc_v2017:cc1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.3.5", + "tail": "aicpa_tsc_v2017:cc1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.1", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.2", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.3", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.4", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc1.4.5", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.6", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.4.7", + "tail": "aicpa_tsc_v2017:cc1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5.1", + "tail": "aicpa_tsc_v2017:cc1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5.2", + "tail": "aicpa_tsc_v2017:cc1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5.3", + "tail": "aicpa_tsc_v2017:cc1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5.4", + "tail": "aicpa_tsc_v2017:cc1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc1.5.5", + "tail": "aicpa_tsc_v2017:cc1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.1.1", + "tail": "aicpa_tsc_v2017:cc2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.1.2", + "tail": "aicpa_tsc_v2017:cc2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.1.3", + "tail": "aicpa_tsc_v2017:cc2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.1.4", + "tail": "aicpa_tsc_v2017:cc2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc2.2.1", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.2", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.3", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.4", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.5", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.6", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.7", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.8", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.9", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.10", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.2.11", + "tail": "aicpa_tsc_v2017:cc2.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.1", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc2.3.2", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.3", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.4", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.5", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.6", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.7", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.8", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.9", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.10", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc2.3.11", + "tail": "aicpa_tsc_v2017:cc2.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.1", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.2", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc3.1.3", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.4", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.5", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.6", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.7", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.8", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.9", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.10", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.11", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.12", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.13", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.14", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc3.1.15", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.1.16", + "tail": "aicpa_tsc_v2017:cc3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.1", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.2", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.3", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.4", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.5", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.6", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.7", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.2.8", + "tail": "aicpa_tsc_v2017:cc3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.3.1", + "tail": "aicpa_tsc_v2017:cc3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.3.2", + "tail": "aicpa_tsc_v2017:cc3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc3.3.3", + "tail": "aicpa_tsc_v2017:cc3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.3.4", + "tail": "aicpa_tsc_v2017:cc3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.3.5", + "tail": "aicpa_tsc_v2017:cc3.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4.1", + "tail": "aicpa_tsc_v2017:cc3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4.2", + "tail": "aicpa_tsc_v2017:cc3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4.3", + "tail": "aicpa_tsc_v2017:cc3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4.4", + "tail": "aicpa_tsc_v2017:cc3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc3.4.5", + "tail": "aicpa_tsc_v2017:cc3.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.1", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.2", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.3", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.4", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc4.1.5", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.6", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.7", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.1.8", + "tail": "aicpa_tsc_v2017:cc4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.2.1", + "tail": "aicpa_tsc_v2017:cc4.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.2.2", + "tail": "aicpa_tsc_v2017:cc4.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc4.2.3", + "tail": "aicpa_tsc_v2017:cc4.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1.1", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1.2", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1.3", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1.4", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.1.5", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc5.1.6", + "tail": "aicpa_tsc_v2017:cc5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.2.1", + "tail": "aicpa_tsc_v2017:cc5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.2.2", + "tail": "aicpa_tsc_v2017:cc5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.2.3", + "tail": "aicpa_tsc_v2017:cc5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.2.4", + "tail": "aicpa_tsc_v2017:cc5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.1", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.2", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.3", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.4", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.5", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc5.3.6", + "tail": "aicpa_tsc_v2017:cc5.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.1", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc6.1.2", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.3", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.4", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.5", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.6", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.7", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.8", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.9", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.1.10", + "tail": "aicpa_tsc_v2017:cc6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.2.1", + "tail": "aicpa_tsc_v2017:cc6.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.2.2", + "tail": "aicpa_tsc_v2017:cc6.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.2.3", + "tail": "aicpa_tsc_v2017:cc6.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc6.3.1", + "tail": "aicpa_tsc_v2017:cc6.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.3.2", + "tail": "aicpa_tsc_v2017:cc6.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.3.3", + "tail": "aicpa_tsc_v2017:cc6.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.4.1", + "tail": "aicpa_tsc_v2017:cc6.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.4.2", + "tail": "aicpa_tsc_v2017:cc6.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.4.3", + "tail": "aicpa_tsc_v2017:cc6.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.5.1", + "tail": "aicpa_tsc_v2017:cc6.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.5.2", + "tail": "aicpa_tsc_v2017:cc6.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6.1", + "tail": "aicpa_tsc_v2017:cc6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6.2", + "tail": "aicpa_tsc_v2017:cc6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6.3", + "tail": "aicpa_tsc_v2017:cc6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.6.4", + "tail": "aicpa_tsc_v2017:cc6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc6.7.1", + "tail": "aicpa_tsc_v2017:cc6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.7.2", + "tail": "aicpa_tsc_v2017:cc6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.7.3", + "tail": "aicpa_tsc_v2017:cc6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.7.4", + "tail": "aicpa_tsc_v2017:cc6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8.1", + "tail": "aicpa_tsc_v2017:cc6.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8.2", + "tail": "aicpa_tsc_v2017:cc6.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8.3", + "tail": "aicpa_tsc_v2017:cc6.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8.4", + "tail": "aicpa_tsc_v2017:cc6.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc6.8.5", + "tail": "aicpa_tsc_v2017:cc6.8", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.1.1", + "tail": "aicpa_tsc_v2017:cc7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.1.2", + "tail": "aicpa_tsc_v2017:cc7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.1.3", + "tail": "aicpa_tsc_v2017:cc7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc7.1.4", + "tail": "aicpa_tsc_v2017:cc7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.1.5", + "tail": "aicpa_tsc_v2017:cc7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.2.1", + "tail": "aicpa_tsc_v2017:cc7.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.2.2", + "tail": "aicpa_tsc_v2017:cc7.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.2.3", + "tail": "aicpa_tsc_v2017:cc7.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.2.4", + "tail": "aicpa_tsc_v2017:cc7.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3.1", + "tail": "aicpa_tsc_v2017:cc7.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3.2", + "tail": "aicpa_tsc_v2017:cc7.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3.3", + "tail": "aicpa_tsc_v2017:cc7.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3.4", + "tail": "aicpa_tsc_v2017:cc7.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.3.5", + "tail": "aicpa_tsc_v2017:cc7.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.1", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc7.4.2", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.3", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.4", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.5", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.6", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.7", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.8", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.9", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.10", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.11", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.12", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.4.13", + "tail": "aicpa_tsc_v2017:cc7.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc7.5.1", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5.2", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5.3", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5.4", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5.5", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc7.5.6", + "tail": "aicpa_tsc_v2017:cc7.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.1", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.2", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.3", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.4", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.5", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.6", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc8.1.7", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.8", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.9", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.10", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.11", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.12", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.13", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.14", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc8.1.15", + "tail": "aicpa_tsc_v2017:cc8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.1.1", + "tail": "aicpa_tsc_v2017:cc9.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.1.2", + "tail": "aicpa_tsc_v2017:cc9.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.1", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:cc9.2.2", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.3", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.4", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.5", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.6", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.7", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.8", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.9", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.10", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.11", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:cc9.2.12", + "tail": "aicpa_tsc_v2017:cc9.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.1.1", + "tail": "aicpa_tsc_v2017:a1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:a1.1.2", + "tail": "aicpa_tsc_v2017:a1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.1.3", + "tail": "aicpa_tsc_v2017:a1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.1", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.2", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.3", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.4", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.5", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.6", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.7", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.8", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.9", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.2.10", + "tail": "aicpa_tsc_v2017:a1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.3.1", + "tail": 
"aicpa_tsc_v2017:a1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:a1.3.2", + "tail": "aicpa_tsc_v2017:a1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.1.1", + "tail": "aicpa_tsc_v2017:c1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.1.2", + "tail": "aicpa_tsc_v2017:c1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.2.1", + "tail": "aicpa_tsc_v2017:c1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:c1.2.2", + "tail": "aicpa_tsc_v2017:c1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.1.1", + "tail": "aicpa_tsc_v2017:pi1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.2.1", + "tail": "aicpa_tsc_v2017:pi1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.2.2", + "tail": "aicpa_tsc_v2017:pi1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.2.3", + "tail": "aicpa_tsc_v2017:pi1.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3.1", + "tail": "aicpa_tsc_v2017:pi1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3.2", + "tail": "aicpa_tsc_v2017:pi1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3.3", + "tail": "aicpa_tsc_v2017:pi1.3", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3.4", + "tail": "aicpa_tsc_v2017:pi1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.3.5", + "tail": "aicpa_tsc_v2017:pi1.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.4.1", + "tail": "aicpa_tsc_v2017:pi1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.4.2", + "tail": "aicpa_tsc_v2017:pi1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.4.3", + "tail": "aicpa_tsc_v2017:pi1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.4.4", + "tail": "aicpa_tsc_v2017:pi1.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.5.1", + "tail": "aicpa_tsc_v2017:pi1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.5.2", + "tail": "aicpa_tsc_v2017:pi1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.5.3", + "tail": "aicpa_tsc_v2017:pi1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:pi1.5.4", + "tail": "aicpa_tsc_v2017:pi1.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1.1.1", + "tail": "aicpa_tsc_v2017:p1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1.1.2", + "tail": "aicpa_tsc_v2017:p1.1", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1.1.3", + "tail": "aicpa_tsc_v2017:p1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p1.1.4", + "tail": "aicpa_tsc_v2017:p1.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.1", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.2", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.3", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.4", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.5", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p2.1.6", + "tail": "aicpa_tsc_v2017:p2.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.1.1", + "tail": "aicpa_tsc_v2017:p3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.1.2", + "tail": "aicpa_tsc_v2017:p3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.1.3", + "tail": "aicpa_tsc_v2017:p3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.1.4", + "tail": "aicpa_tsc_v2017:p3.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.2.1", + "tail": "aicpa_tsc_v2017:p3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p3.2.2", + "tail": "aicpa_tsc_v2017:p3.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.1.1", + "tail": "aicpa_tsc_v2017:p4.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.2.1", + "tail": "aicpa_tsc_v2017:p4.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.2.2", + "tail": "aicpa_tsc_v2017:p4.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.3.1", + "tail": "aicpa_tsc_v2017:p4.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.3.2", + "tail": "aicpa_tsc_v2017:p4.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p4.3.3", + "tail": "aicpa_tsc_v2017:p4.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.1.1", + "tail": "aicpa_tsc_v2017:p5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.1.2", + "tail": "aicpa_tsc_v2017:p5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.1.3", + "tail": "aicpa_tsc_v2017:p5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.1.4", + "tail": "aicpa_tsc_v2017:p5.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": 
"aicpa_tsc_v2017:p5.2.1", + "tail": "aicpa_tsc_v2017:p5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.2.2", + "tail": "aicpa_tsc_v2017:p5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p5.2.3", + "tail": "aicpa_tsc_v2017:p5.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.1.1", + "tail": "aicpa_tsc_v2017:p6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.1.2", + "tail": "aicpa_tsc_v2017:p6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.1.3", + "tail": "aicpa_tsc_v2017:p6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.1.4", + "tail": "aicpa_tsc_v2017:p6.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.2.1", + "tail": "aicpa_tsc_v2017:p6.2", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.3.1", + "tail": "aicpa_tsc_v2017:p6.3", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.4.1", + "tail": "aicpa_tsc_v2017:p6.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.4.2", + "tail": "aicpa_tsc_v2017:p6.4", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.5.1", + "tail": "aicpa_tsc_v2017:p6.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.5.2", + "tail": 
"aicpa_tsc_v2017:p6.5", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.6.1", + "tail": "aicpa_tsc_v2017:p6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.6.2", + "tail": "aicpa_tsc_v2017:p6.6", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.7.1", + "tail": "aicpa_tsc_v2017:p6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p6.7.2", + "tail": "aicpa_tsc_v2017:p6.7", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p7.1.1", + "tail": "aicpa_tsc_v2017:p7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p7.1.2", + "tail": "aicpa_tsc_v2017:p7.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.1", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.2", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.3", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.4", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.5", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "aicpa_tsc_v2017", + "head": "aicpa_tsc_v2017:p8.1.6", + "tail": "aicpa_tsc_v2017:p8.1", + "type_raw": null, 
+ "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-01", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-01.1", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-01.2", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-02", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-03", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-04", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-05", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-05.1", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-05.2", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-06", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-07", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-08", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-09", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-10", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-11", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-12", + "tail": 
"scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-13", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-14", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15.1", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15.2", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15.3", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15.4", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:gov-15.5", + "tail": "scf:gov", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-01", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-01.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-01.2", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-01.3", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.2", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"scf", + "head": "scf:ast-02.3", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.4", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.5", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.6", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.7", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.8", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.9", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.10", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-02.11", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-03", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-03.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-03.2", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-04", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-04.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-04.2", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-04.3", + "tail": "scf:ast", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-05", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-05.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-06", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-06.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-07", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-08", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-09", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-10", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-11", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-12", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-13", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-14", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-14.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-14.2", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-15", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-15.1", + "tail": 
"scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-16", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-17", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-18", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-19", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-20", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-21", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-22", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-23", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-24", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-25", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-26", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-27", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-28", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-28.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-29", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:ast-29.1", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ast-30", + "tail": "scf:ast", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-01", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-01.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-01.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-01.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-01.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-02", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-02.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-02.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-02.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-02.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-03", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-03.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-03.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-04", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" 
+ }, + { + "source": "scf", + "head": "scf:bcd-04.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-04.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-05", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-06", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-07", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-08", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-08.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-08.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-09.5", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-10", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-10.1", + "tail": "scf:bcd", + "type_raw": 
null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-10.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-10.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-10.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.5", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.6", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.7", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-11.8", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-12", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-12.1", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-12.2", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:bcd-12.3", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-12.4", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-13", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-14", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:bcd-15", + "tail": "scf:bcd", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cap-01", + "tail": "scf:cap", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cap-02", + "tail": "scf:cap", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cap-03", + "tail": "scf:cap", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cap-04", + "tail": "scf:cap", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-01", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02.1", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02.2", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02.3", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02.4", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-02.5", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + 
{ + "source": "scf", + "head": "scf:chg-03", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04.1", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04.2", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04.3", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04.4", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-04.5", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-05", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-06", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:chg-06.1", + "tail": "scf:chg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-01", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-01.1", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-01.2", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-02", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-03", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-04", + "tail": "scf:cld", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-05", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-06", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-06.1", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-06.2", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-06.3", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-06.4", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-07", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-08", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-09", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-10", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-11", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cld-12", + "tail": "scf:cld", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-01", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-01.1", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-01.2", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-02", + "tail": 
"scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-02.1", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-03", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-03.1", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-03.2", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-04", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-05", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-05.1", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-05.2", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cpl-06", + "tail": "scf:cpl", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-01", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-01.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.2", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.3", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", 
+ "head": "scf:cfg-02.4", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.5", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.6", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.7", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.8", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-02.9", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-03", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-03.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-03.2", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-03.3", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-03.4", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-04", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-04.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-04.2", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-05", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-05.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-05.2", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-06", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-07", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-08", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cfg-08.1", + "tail": "scf:cfg", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.4", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.5", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.6", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.7", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.8", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.9", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.10", + "tail": 
"scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.11", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.12", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.13", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.14", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.15", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.16", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-01.17", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.4", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.5", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.6", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-02.7", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "scf", + "head": "scf:mon-02.8", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.4", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.5", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.6", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-03.7", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-04", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-05", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-05.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-05.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-06", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-06.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-06.2", + "tail": "scf:mon", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-07", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-07.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-08", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-08.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-08.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-08.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-08.4", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-09", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-09.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-10", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-11", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-11.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-11.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-11.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-12", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-13", + 
"tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-14", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-14.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-15", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-16", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-16.1", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-16.2", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-16.3", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mon-16.4", + "tail": "scf:mon", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01.1", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01.2", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01.3", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01.4", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-01.5", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-02", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "scf", + "head": "scf:cry-03", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-04", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-05", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-05.1", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-05.2", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-05.3", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-06", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-07", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-08", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-08.1", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.1", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.2", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.3", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.4", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.5", + "tail": "scf:cry", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.6", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-09.7", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-10", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:cry-11", + "tail": "scf:cry", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-01", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-01.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-01.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-01.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-02", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-02.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-03", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-03.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-03.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-03.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-04", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-04.1", + 
"tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.4", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.5", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.6", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.7", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.8", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.9", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.10", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-05.11", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-06", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-06.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-06.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { 
+ "source": "scf", + "head": "scf:dch-06.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-06.4", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-06.5", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-07", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-07.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-07.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-08", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09.4", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-09.5", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-10", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-10.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-10.2", + "tail": "scf:dch", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-11", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-12", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-13", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-13.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-13.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-13.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-13.4", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-14", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-14.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-14.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-14.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-15", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-16", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-17", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-18", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-18.1", + "tail": 
"scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-18.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-18.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-19", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-20", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-21", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-22", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-22.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-22.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-22.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.2", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.3", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.4", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.5", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"scf", + "head": "scf:dch-23.6", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.7", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.8", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-23.9", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-24", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-24.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-25", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-25.1", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:dch-26", + "tail": "scf:dch", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-01", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-02", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-03", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-04", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-05", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-06", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-07", + "tail": "scf:emb", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-08", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-09", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-10", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-11", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-12", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-13", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-14", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-15", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-16", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-17", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-18", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:emb-19", + "tail": "scf:emb", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-01", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-02", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-03", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-03.1", + "tail": "scf:end", + "type_raw": 
null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-03.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.3", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.4", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.5", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.6", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-04.7", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-05", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.3", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.4", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:end-06.5", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.6", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-06.7", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-07", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-08", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-08.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-08.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-09", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-10", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-11", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-12", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-13", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-13.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-13.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-13.3", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-13.4", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + 
}, + { + "source": "scf", + "head": "scf:end-14", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-14.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-14.2", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-15", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-16", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:end-16.1", + "tail": "scf:end", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-01", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-02", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-02.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-02.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-03", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-03.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-03.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-04", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-04.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-04.2", + "tail": "scf:hrs", + "type_raw": null, 
+ "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-04.3", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-04.4", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.3", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.4", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.5", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.6", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-05.7", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-06", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-06.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-06.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-07", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-07.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-08", 
+ "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-09", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-09.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-09.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-09.3", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-09.4", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-10", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-11", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-12", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-12.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-13", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-13.1", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-13.2", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-13.3", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:hrs-13.4", + "tail": "scf:hrs", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-01", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "scf", + "head": "scf:iac-01.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-02", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-02.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-02.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-02.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-02.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-03.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-04", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-04.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-05", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-05.1", + "tail": "scf:iac", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-05.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-06", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-06.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-06.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-06.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-06.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-07", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-07.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-07.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-08", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.5", + 
"tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-09.6", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.6", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.7", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.8", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.9", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.10", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.11", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-10.12", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-11", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { 
+ "source": "scf", + "head": "scf:iac-12", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-12.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-13", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-13.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-13.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-14", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.6", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.7", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.8", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-15.9", + "tail": "scf:iac", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-16", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-16.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-16.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-17", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-18", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-19", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-20.6", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.2", + 
"tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.6", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-21.7", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-22", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-23", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-24", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-24.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-25", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-25.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-26", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-27", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-28", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-28.1", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"scf", + "head": "scf:iac-28.2", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-28.3", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-28.4", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-28.5", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iac-29", + "tail": "scf:iac", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-01", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.3", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.4", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.5", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-02.6", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-03", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-04", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-04.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-04.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-04.3", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-05", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-05.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-05.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-06", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-06.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-07", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-08", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-09", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-09.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-10", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-10.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-10.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-10.3", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-10.4", + "tail": 
"scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-11", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-11.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-11.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-12", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-12.1", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-12.2", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-12.3", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-12.4", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-13", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-14", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-15", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iro-16", + "tail": "scf:iro", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-01", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-01.1", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-02", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + 
"head": "scf:iao-02.1", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-02.2", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-02.3", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-02.4", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-03", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-03.1", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-03.2", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-04", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-05", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-05.1", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-06", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:iao-07", + "tail": "scf:iao", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-01", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-02", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-02.1", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-03", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-03.1", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-03.2", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-03.3", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-04", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-04.1", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-04.2", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-04.3", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-04.4", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.1", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.2", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.3", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.4", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.5", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.6", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-05.7", + "tail": 
"scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-06", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-06.1", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-06.2", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-07", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-08", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-09", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-10", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mnt-11", + "tail": "scf:mnt", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-01", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-02", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-03", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-04", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-05", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-06", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-07", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:mdm-08", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-09", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-10", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:mdm-11", + "tail": "scf:mdm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-01", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-01.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-02", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-02.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-02.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-02.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.5", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + 
}, + { + "source": "scf", + "head": "scf:net-03.6", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.7", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-03.8", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.5", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.6", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.7", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.8", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.9", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.10", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.11", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.12", + "tail": "scf:net", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-04.13", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-05", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-05.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-05.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-06.5", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-07", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-08", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-08.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-08.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-09", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:net-09.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-09.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-10", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-10.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-10.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-10.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-10.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-11", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-12", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-12.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-12.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-13", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" 
+ }, + { + "source": "scf", + "head": "scf:net-14.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.5", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.6", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.7", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-14.8", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15.2", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15.4", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-15.5", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-16", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-17", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-18", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-18.1", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-18.2", + "tail": "scf:net", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:net-18.3", + "tail": "scf:net", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-01", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-01.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-02", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-02.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-02.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-03", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-03.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-03.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-03.3", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-03.4", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-04", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-04.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-04.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-04.3", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + 
"head": "scf:pes-05", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-05.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-05.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.3", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.4", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.5", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-06.6", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.3", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.4", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.5", + "tail": "scf:pes", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.6", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-07.7", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-08", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-08.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-08.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-08.3", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-09", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-09.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-10", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-11", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-12", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-12.1", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-12.2", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-13", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-14", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-15", + "tail": "scf:pes", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-16", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-17", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pes-18", + "tail": "scf:pes", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-01.7", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:pri-02.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-02.7", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.7", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-03.8", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-04.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-05.7", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.3", + "tail": 
"scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.5", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.6", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-06.7", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-07", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-07.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-07.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-07.3", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-07.4", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-08", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-09", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-10", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-10.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-10.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-11", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"scf", + "head": "scf:pri-12", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-13", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-14", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-14.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-14.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-15", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-16", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-17", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-17.1", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:pri-17.2", + "tail": "scf:pri", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-01", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-01.1", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-01.2", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-02", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-03", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-04", + "tail": "scf:prm", + "type_raw": null, + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-05", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-06", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-07", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:prm-08", + "tail": "scf:prm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-01", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-01.1", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-02", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-02.1", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-03", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-04", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-04.1", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-05", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-06", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-06.1", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-06.2", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-07", + "tail": "scf:rsk", + 
"type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-08", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-09", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-09.1", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-10", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:rsk-11", + "tail": "scf:rsk", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-01", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-01.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-02", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-02.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-02.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-02.3", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-03", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-03.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-03.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-04", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": 
"scf:sea-04.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-04.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-04.3", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-05", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-06", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-07", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-07.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-07.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-07.3", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-08", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-08.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-09", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-09.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-10", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-11", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-12", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, 
+ { + "source": "scf", + "head": "scf:sea-13", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-13.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-14", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-14.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-14.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-15", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-16", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-17", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-18", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-18.1", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-18.2", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-19", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sea-20", + "tail": "scf:sea", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-01", + "tail": "scf:ops", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-01.1", + "tail": "scf:ops", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-02", + "tail": "scf:ops", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-03", + "tail": "scf:ops", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-04", + "tail": "scf:ops", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:ops-05", + "tail": "scf:ops", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-01", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-02", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-02.1", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-02.2", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.1", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.2", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.3", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.4", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.5", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.6", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.7", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-03.8", + 
"tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:sat-04", + "tail": "scf:sat", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-01", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-01.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-01.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-01.3", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.3", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.4", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.5", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.6", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-02.7", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-03", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-03.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + 
"source": "scf", + "head": "scf:tda-04", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-04.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-04.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-05", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-05.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-05.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06.3", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06.4", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-06.5", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-07", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-08", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-08.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09", + "tail": "scf:tda", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.3", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.4", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.5", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.6", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-09.7", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-10", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-10.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-11", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-11.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-11.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-12", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-13", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-14", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-14.1", + 
"tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-14.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-15", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-16", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-17", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-17.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-18", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-19", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-20", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-20.1", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-20.2", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tda-20.3", + "tail": "scf:tda", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-01", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-01.1", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-02", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-03", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": 
"scf", + "head": "scf:tpm-03.1", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-03.2", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-03.3", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-04", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-04.1", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-04.2", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-04.3", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-04.4", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.1", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.2", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.3", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.4", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.5", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-05.6", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-06", + "tail": "scf:tpm", + "type_raw": null, + 
"type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-07", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-08", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:tpm-09", + "tail": "scf:tpm", + "type_raw": null, + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:11.5", - "tail": "nist_800_171_v1:3.1.12", + "source": "scf", + "head": "scf:tpm-10", + "tail": "scf:tpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:11.5", - "tail": "nist_800_171_v1:3.1.13", + "source": "scf", + "head": "scf:tpm-11", + "tail": "scf:tpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:16.11", - "tail": "nist_800_171_v1:3.1.10", + "source": "scf", + "head": "scf:thr-01", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:closeMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:16.11", - "tail": "nist_800_171_v1:3.1.10", + "source": "scf", + "head": "scf:thr-02", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:11.5", - "tail": "nist_800_171_v1:3.1.13", + "source": "scf", + "head": "scf:thr-03", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.11", - "tail": "nist_800_171_v1:3.1.13", + "source": "scf", + "head": "scf:thr-04", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.12", - "tail": 
"nist_800_171_v1:3.1.12", + "source": "scf", + "head": "scf:thr-05", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.2", - "tail": "nist_800_171_v1:3.1.16", + "source": "scf", + "head": "scf:thr-06", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.11", - "tail": "nist_800_171_v1:3.1.16", + "source": "scf", + "head": "scf:thr-07", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.11", - "tail": "nist_800_171_v1:3.1.17", + "source": "scf", + "head": "scf:thr-08", + "tail": "scf:thr", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.7", - "tail": "nist_800_171_v1:3.1.1", + "source": "scf", + "head": "scf:vpm-01", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.1", - "tail": "nist_800_171_v1:3.1.1", + "source": "scf", + "head": "scf:vpm-01.1", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.2", - "tail": "nist_800_171_v1:3.1.1", + "source": "scf", + "head": "scf:vpm-02", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:4", - "tail": "nist_800_171_v1:3.1.4", + "source": "scf", + "head": "scf:vpm-03", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:4", - "tail": 
"nist_800_171_v1:3.1.5", + "source": "scf", + "head": "scf:vpm-04", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:4", - "tail": "nist_800_171_v1:3.1.6", + "source": "scf", + "head": "scf:vpm-04.1", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:4.1", - "tail": "nist_800_171_v1:3.1.7", + "source": "scf", + "head": "scf:vpm-04.2", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.4", - "tail": "nist_800_171_v1:3.10.1", + "source": "scf", + "head": "scf:vpm-05", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.4", - "tail": "nist_800_171_v1:3.10.2", + "source": "scf", + "head": "scf:vpm-05.1", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.5", - "tail": "nist_800_171_v1:3.10.2", + "source": "scf", + "head": "scf:vpm-05.2", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12", - "tail": "nist_800_171_v1:3.1.22", + "source": "scf", + "head": "scf:vpm-05.3", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12", - "tail": "nist_800_171_v1:3.1.3", + "source": "scf", + "head": "scf:vpm-05.4", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:12.12", - "tail": 
"nist_800_171_v1:3.1.16", + "source": "scf", + "head": "scf:vpm-05.5", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.5", - "tail": "nist_800_171_v1:3.10.4", + "source": "scf", + "head": "scf:vpm-06", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "cis_csc_v7.1", - "head": "cis_csc_v7.1:1.5", - "tail": "nist_800_171_v1:3.10.5", + "source": "scf", + "head": "scf:vpm-06.1", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-11", - "tail": "cis_csc_v7.1:16.11", + "source": "scf", + "head": "scf:vpm-06.2", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-11(1)", - "tail": "nist_800_171_v1:3.1.10", + "source": "scf", + "head": "scf:vpm-06.3", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:closeMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-13", - "tail": "cis_csc_v7.1:1.7", + "source": "scf", + "head": "scf:vpm-06.4", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-16(2)", - "tail": "cis_csc_v7.1:14.6", + "source": "scf", + "head": "scf:vpm-06.5", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(1)", - "tail": "cis_csc_v7.1:12.12", + "source": "scf", + "head": "scf:vpm-06.6", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": 
"nist_800_53_v4:ac-17(1)", - "tail": "cis_csc_v7.1:13.1", + "source": "scf", + "head": "scf:vpm-06.7", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(1)", - "tail": "cis_csc_v7.1:14.5", + "source": "scf", + "head": "scf:vpm-06.8", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(2)", - "tail": "cis_csc_v7.1:11.5", + "source": "scf", + "head": "scf:vpm-06.9", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(2)", - "tail": "cis_csc_v7.1:16.5", + "source": "scf", + "head": "scf:vpm-07", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(2)", - "tail": "cis_csc_v7.1:16.4", + "source": "scf", + "head": "scf:vpm-07.1", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-17(2)", - "tail": "nist_800_171_v1:3.1.17", + "source": "scf", + "head": "scf:vpm-08", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-19(5)", - "tail": "cis_csc_v7.1:13.6", + "source": "scf", + "head": "scf:vpm-09", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-18(1)", - "tail": "cis_csc_v7.1:15.8", + "source": "scf", + "head": "scf:vpm-10", + "tail": "scf:vpm", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - 
"source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-18(3)", - "tail": "cis_csc_v7.1:15.4", + "source": "scf", + "head": "scf:web-01", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-2(4)", - "tail": "cis_csc_v7.1:16", + "source": "scf", + "head": "scf:web-01.1", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:closeMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-2(12)", - "tail": "cis_csc_v7.1:16.13", + "source": "scf", + "head": "scf:web-02", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-2(7)", - "tail": "cis_csc_v7.1:4", + "source": "scf", + "head": "scf:web-03", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-2(3)", - "tail": "cis_csc_v7.1:16.9", + "source": "scf", + "head": "scf:web-04", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:closeMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-18(5)", - "tail": "cis_csc_v7.1:15.9", + "source": "scf", + "head": "scf:web-05", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-20", - "tail": "cis_csc_v7.1:13.8", + "source": "scf", + "head": "scf:web-06", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:relatedMatch" + "type_skos": "skos:broadMatch" }, { - "source": "nist_800_53_v4", - "head": "nist_800_53_v4:ac-20(2)", - "tail": "nist_800_171_v1:3.1.21", + "source": "scf", + "head": "scf:web-07", + "tail": "scf:web", "type_raw": null, - "type_skos": "skos:closeMatch" + "type_skos": 
"skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-08", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-09", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-10", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-11", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-12", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" + }, + { + "source": "scf", + "head": "scf:web-13", + "tail": "scf:web", + "type_raw": null, + "type_skos": "skos:broadMatch" } ] diff --git a/data/relationships.jsonl b/data/relationships.jsonl index 37fd238..13260e8 100644 --- a/data/relationships.jsonl +++ b/data/relationships.jsonl 
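Review bot: in the relationships.json hunk above, the cross-framework edges that sat at the tail of the array (cis_csc_v7.1 -> nist_800_171_v1, e.g. `cis_csc_v7.1:11.5` -> `nist_800_171_v1:3.1.12`, and nist_800_53_v4 -> cis_csc_v7.1 / nist_800_171_v1, e.g. `nist_800_53_v4:ac-20(2)` -> `nist_800_171_v1:3.1.21` closeMatch) appear as `-` lines replaced by scf hierarchy records, whereas the relationships.jsonl hunks below keep exactly those edges as unchanged context; confirm they still exist elsewhere in relationships.json (reordered by the generator) rather than having been dropped, otherwise the two serialisations of the same data now disagree. Two smaller points on the new scf records: every enhancement is attached straight to its domain (`scf:tda-09.1` -> `scf:tda`, `scf:vpm-06.9` -> `scf:vpm`) instead of to its base control (`scf:tda-09`, `scf:vpm-06`), which flattens the SCF hierarchy and is inconsistent with the two-level model used for fsscc_profile_v1.0 in the same change (`gv.sf-1` -> `gv.sf` -> `gv`); and the removed cis_csc_v7.1 block contained exact duplicates (`cis_csc_v7.1:11.5` -> `nist_800_171_v1:3.1.13` twice, `cis_csc_v7.1:16.11` -> `nist_800_171_v1:3.1.10` as both closeMatch and relatedMatch), so whichever regeneration step produced this file should either dedupe them deliberately in both files or keep them in both.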
@@ -1173,6 +1173,94 @@ {"source":"nist_800_171_v1","head":"nist_800_171_v1:3.1.7","tail":"nist_800_171_v1:3.1","type_raw":null,"type_skos":"skos:broadMatch"} {"source":"nist_800_171_v1","head":"nist_800_171_v1:3.1.8","tail":"nist_800_171_v1:3.1","type_raw":null,"type_skos":"skos:broadMatch"} {"source":"nist_800_171_v1","head":"nist_800_171_v1:3.1.9","tail":"nist_800_171_v1:3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.1","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.2","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.3","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.4","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.5","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.10.6","tail":"nist_800_171_v1:3.10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.11.1","tail":"nist_800_171_v1:3.11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.11.2","tail":"nist_800_171_v1:3.11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.11.3","tail":"nist_800_171_v1:3.11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.12.1","tail":"nist_800_171_v1:3.12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.12.2","tail":"nist_800_171_v1:3.12","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.12.3","tail":"nist_800_171_v1:3.12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.12.4","tail":"nist_800_171_v1:3.12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.1","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.10","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.11","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.12","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.13","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.14","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.15","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.16","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.2","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.3","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.4","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.5","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.6","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.7","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.8","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.13.9","tail":"nist_800_171_v1:3.13","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.1","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.2","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.3","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.4","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.5","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.6","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.14.7","tail":"nist_800_171_v1:3.14","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.2.1","tail":"nist_800_171_v1:3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.2.2","tail":"nist_800_171_v1:3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.2.3","tail":"nist_800_171_v1:3.2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.1","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.2","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.3","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.4","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.5","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.6","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.7","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.8","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.3.9","tail":"nist_800_171_v1:3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.1","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.2","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.3","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.4","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.5","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.6","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.7","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.8","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.4.9","tail":"nist_800_171_v1:3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.1","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.10","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.11","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.2","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.3","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.4","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.5","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.6","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.7","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.8","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.5.9","tail":"nist_800_171_v1:3.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.6.1","tail":"nist_800_171_v1:3.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.6.2","tail":"nist_800_171_v1:3.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.6.3","tail":"nist_800_171_v1:3.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.1","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.2","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.3","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.4","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.5","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.7.6","tail":"nist_800_171_v1:3.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.1","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.2","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.3","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.4","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.5","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.6","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.7","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.8","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.8.9","tail":"nist_800_171_v1:3.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.9.1","tail":"nist_800_171_v1:3.9","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"nist_800_171_v1","head":"nist_800_171_v1:3.9.2","tail":"nist_800_171_v1:3.9","type_raw":null,"type_skos":"skos:broadMatch"} {"source":"cis_csc_v7.1","head":"cis_csc_v7.1:1","tail":"nist_800_171_v1:3.1.1","type_raw":null,"type_skos":"skos:relatedMatch"} {"source":"cis_csc_v7.1","head":"cis_csc_v7.1:11.5","tail":"nist_800_171_v1:3.1.12","type_raw":null,"type_skos":"skos:relatedMatch"} {"source":"cis_csc_v7.1","head":"cis_csc_v7.1:11.5","tail":"nist_800_171_v1:3.1.13","type_raw":null,"type_skos":"skos:relatedMatch"} 
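Review bot: the 88 added lines in this hunk complete the 800-171 family hierarchy (3.2 through 3.14; 3.1 was already present per the context lines), and the per-family counts (3 under 3.2, 9 under 3.3, 9 under 3.4, 11 under 3.5, 3 under 3.6, 6 under 3.7, 9 under 3.8, 2 under 3.9, 6 under 3.10, 3 under 3.11, 4 under 3.12, 16 under 3.13, 7 under 3.14) add up with the 22 in 3.1 to Rev. 1's 110 requirements, so the data itself looks right. The thing to fix is ordering: identifiers are sorted as strings, which puts `3.10.x` ahead of `3.2.x` and `3.13.10` ahead of `3.13.2`; either sort with a version-aware key now, or state that file order is lexicographic and carries no meaning, because switching to natural order later will churn the whole file and make every future diff unreadable.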
@@ -1220,3 +1308,2595 @@ {"source":"nist_800_53_v4","head":"nist_800_53_v4:ac-18(5)","tail":"cis_csc_v7.1:15.9","type_raw":null,"type_skos":"skos:relatedMatch"} {"source":"nist_800_53_v4","head":"nist_800_53_v4:ac-20","tail":"cis_csc_v7.1:13.8","type_raw":null,"type_skos":"skos:relatedMatch"} {"source":"nist_800_53_v4","head":"nist_800_53_v4:ac-20(2)","tail":"nist_800_171_v1:3.1.21","type_raw":null,"type_skos":"skos:closeMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te","tail":"fsscc_profile_v1.0:gv","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am","tail":"fsscc_profile_v1.0:id","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra","tail":"fsscc_profile_v1.0:id","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ma","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt","tail":"fsscc_profile_v1.0:pr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae","tail":"fsscc_profile_v1.0:de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm","tail":"fsscc_profile_v1.0:de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp","tail":"fsscc_profile_v1.0:de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.rp","tail":"fsscc_profile_v1.0:rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co","tail":"fsscc_profile_v1.0:rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an","tail":"fsscc_profile_v1.0:rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi","tail":"fsscc_profile_v1.0:rs","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im","tail":"fsscc_profile_v1.0:rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp","tail":"fsscc_profile_v1.0:rc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.im","tail":"fsscc_profile_v1.0:rc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co","tail":"fsscc_profile_v1.0:rc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id","tail":"fsscc_profile_v1.0:dm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed","tail":"fsscc_profile_v1.0:dm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs","tail":"fsscc_profile_v1.0:dm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be","tail":"fsscc_profile_v1.0:dm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1","tail":"fsscc_profile_v1.0:gv.sf","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-2","tail":"fsscc_profile_v1.0:gv.sf","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-3","tail":"fsscc_profile_v1.0:gv.sf","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-4","tail":"fsscc_profile_v1.0:gv.sf","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1","tail":"fsscc_profile_v1.0:gv.rm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-2","tail":"fsscc_profile_v1.0:gv.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-3","tail":"fsscc_profile_v1.0:gv.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-1","tail":"fsscc_profile_v1.0:gv.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-2","tail":"fsscc_profile_v1.0:gv.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-3","tail":"fsscc_profile_v1.0:gv.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-1","tail":"fsscc_profile_v1.0:gv.rr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-2","tail":"fsscc_profile_v1.0:gv.rr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-1","tail":"fsscc_profile_v1.0:gv.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-2","tail":"fsscc_profile_v1.0:gv.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-1","tail":"fsscc_profile_v1.0:gv.ir","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-2","tail":"fsscc_profile_v1.0:gv.ir","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-3","tail":"fsscc_profile_v1.0:gv.ir","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-1","tail":"fsscc_profile_v1.0:gv.au","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-2","tail":"fsscc_profile_v1.0:gv.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-3","tail":"fsscc_profile_v1.0:gv.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te-1","tail":"fsscc_profile_v1.0:gv.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te-2","tail":"fsscc_profile_v1.0:gv.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-1","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-2","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-3","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-4","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-5","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-6","tail":"fsscc_profile_v1.0:id.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-1","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-2","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-3","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-4","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-6","tail":"fsscc_profile_v1.0:id.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-1","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-2","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-3","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-4","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-5","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-6","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-7","tail":"fsscc_profile_v1.0:pr.ac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-1","tail":"fsscc_profile_v1.0:pr.at","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-2","tail":"fsscc_profile_v1.0:pr.at","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-3","tail":"fsscc_profile_v1.0:pr.at","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-4","tail":"fsscc_profile_v1.0:pr.at","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-5","tail":"fsscc_profile_v1.0:pr.at","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-1","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-2","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-3","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-4","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-5","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-6","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-7","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-8","tail":"fsscc_profile_v1.0:pr.ds","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-1","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-2","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-3","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-4","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-5","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-6","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-7","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-8","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-9","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-10","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-11","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-12","tail":"fsscc_profile_v1.0:pr.ip","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ma-1","tail":"fsscc_profile_v1.0:pr.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ma-2","tail":"fsscc_profile_v1.0:pr.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-1","tail":"fsscc_profile_v1.0:pr.pt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-2","tail":"fsscc_profile_v1.0:pr.pt","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-3","tail":"fsscc_profile_v1.0:pr.pt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-4","tail":"fsscc_profile_v1.0:pr.pt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-5","tail":"fsscc_profile_v1.0:pr.pt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-1","tail":"fsscc_profile_v1.0:de.ae","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-2","tail":"fsscc_profile_v1.0:de.ae","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-3","tail":"fsscc_profile_v1.0:de.ae","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-4","tail":"fsscc_profile_v1.0:de.ae","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-5","tail":"fsscc_profile_v1.0:de.ae","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-1","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-2","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-3","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-4","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-5","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-6","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-7","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-8","tail":"fsscc_profile_v1.0:de.cm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-1","tail":"fsscc_profile_v1.0:de.dp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-2","tail":"fsscc_profile_v1.0:de.dp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-3","tail":"fsscc_profile_v1.0:de.dp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-4","tail":"fsscc_profile_v1.0:de.dp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-5","tail":"fsscc_profile_v1.0:de.dp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.rp-1","tail":"fsscc_profile_v1.0:rs.rp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-1","tail":"fsscc_profile_v1.0:rs.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-2","tail":"fsscc_profile_v1.0:rs.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-3","tail":"fsscc_profile_v1.0:rs.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-4","tail":"fsscc_profile_v1.0:rs.co","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-5","tail":"fsscc_profile_v1.0:rs.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-1","tail":"fsscc_profile_v1.0:rs.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-2","tail":"fsscc_profile_v1.0:rs.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-3","tail":"fsscc_profile_v1.0:rs.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-4","tail":"fsscc_profile_v1.0:rs.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-5","tail":"fsscc_profile_v1.0:rs.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-1","tail":"fsscc_profile_v1.0:rs.mi","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-2","tail":"fsscc_profile_v1.0:rs.mi","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-3","tail":"fsscc_profile_v1.0:rs.mi","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-1","tail":"fsscc_profile_v1.0:rs.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-2","tail":"fsscc_profile_v1.0:rs.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1","tail":"fsscc_profile_v1.0:rc.rp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.im-1","tail":"fsscc_profile_v1.0:rc.im","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.im-2","tail":"fsscc_profile_v1.0:rc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-1","tail":"fsscc_profile_v1.0:rc.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-2","tail":"fsscc_profile_v1.0:rc.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-3","tail":"fsscc_profile_v1.0:rc.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-1","tail":"fsscc_profile_v1.0:dm.id","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-2","tail":"fsscc_profile_v1.0:dm.id","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-1","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-3","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-5","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-7","tail":"fsscc_profile_v1.0:dm.ed","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-1","tail":"fsscc_profile_v1.0:dm.rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2","tail":"fsscc_profile_v1.0:dm.rs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-1","tail":"fsscc_profile_v1.0:dm.be","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-2","tail":"fsscc_profile_v1.0:dm.be","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-3","tail":"fsscc_profile_v1.0:dm.be","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1.1","tail":"fsscc_profile_v1.0:gv.sf-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1.2","tail":"fsscc_profile_v1.0:gv.sf-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1.3","tail":"fsscc_profile_v1.0:gv.sf-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1.4","tail":"fsscc_profile_v1.0:gv.sf-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-1.5","tail":"fsscc_profile_v1.0:gv.sf-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-2.1","tail":"fsscc_profile_v1.0:gv.sf-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-3.1","tail":"fsscc_profile_v1.0:gv.sf-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-3.2","tail":"fsscc_profile_v1.0:gv.sf-3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-3.3","tail":"fsscc_profile_v1.0:gv.sf-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sf-4.1","tail":"fsscc_profile_v1.0:gv.sf-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.1","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.2","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.3","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.4","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.5","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-1.6","tail":"fsscc_profile_v1.0:gv.rm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-2.1","tail":"fsscc_profile_v1.0:gv.rm-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-2.2","tail":"fsscc_profile_v1.0:gv.rm-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-2.3","tail":"fsscc_profile_v1.0:gv.rm-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-3.1","tail":"fsscc_profile_v1.0:gv.rm-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-3.2","tail":"fsscc_profile_v1.0:gv.rm-3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rm-3.3","tail":"fsscc_profile_v1.0:gv.rm-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-1.1","tail":"fsscc_profile_v1.0:gv.pl-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-1.2","tail":"fsscc_profile_v1.0:gv.pl-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-2.1","tail":"fsscc_profile_v1.0:gv.pl-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-2.2","tail":"fsscc_profile_v1.0:gv.pl-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-2.3","tail":"fsscc_profile_v1.0:gv.pl-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-3.1","tail":"fsscc_profile_v1.0:gv.pl-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-3.2","tail":"fsscc_profile_v1.0:gv.pl-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.pl-3.3","tail":"fsscc_profile_v1.0:gv.pl-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-1.1","tail":"fsscc_profile_v1.0:gv.rr-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-2.1","tail":"fsscc_profile_v1.0:gv.rr-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-2.2","tail":"fsscc_profile_v1.0:gv.rr-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-2.3","tail":"fsscc_profile_v1.0:gv.rr-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.rr-2.4","tail":"fsscc_profile_v1.0:gv.rr-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-1.1","tail":"fsscc_profile_v1.0:gv.sp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-1.2","tail":"fsscc_profile_v1.0:gv.sp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-2.1","tail":"fsscc_profile_v1.0:gv.sp-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-2.2","tail":"fsscc_profile_v1.0:gv.sp-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.sp-2.3","tail":"fsscc_profile_v1.0:gv.sp-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-1.1","tail":"fsscc_profile_v1.0:gv.ir-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-1.2","tail":"fsscc_profile_v1.0:gv.ir-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-1.3","tail":"fsscc_profile_v1.0:gv.ir-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-1.4","tail":"fsscc_profile_v1.0:gv.ir-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-2.1","tail":"fsscc_profile_v1.0:gv.ir-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-2.2","tail":"fsscc_profile_v1.0:gv.ir-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.ir-3.1","tail":"fsscc_profile_v1.0:gv.ir-3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-1.1","tail":"fsscc_profile_v1.0:gv.au-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-1.2","tail":"fsscc_profile_v1.0:gv.au-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-1.3","tail":"fsscc_profile_v1.0:gv.au-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-1.4","tail":"fsscc_profile_v1.0:gv.au-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-2.1","tail":"fsscc_profile_v1.0:gv.au-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-2.2","tail":"fsscc_profile_v1.0:gv.au-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-3.1","tail":"fsscc_profile_v1.0:gv.au-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-3.2","tail":"fsscc_profile_v1.0:gv.au-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.au-3.3","tail":"fsscc_profile_v1.0:gv.au-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te-1.1","tail":"fsscc_profile_v1.0:gv.te-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te-1.2","tail":"fsscc_profile_v1.0:gv.te-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:gv.te-2.1","tail":"fsscc_profile_v1.0:gv.te-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-1.1","tail":"fsscc_profile_v1.0:id.am-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-2.1","tail":"fsscc_profile_v1.0:id.am-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-3.1","tail":"fsscc_profile_v1.0:id.am-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-3.2","tail":"fsscc_profile_v1.0:id.am-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-3.3","tail":"fsscc_profile_v1.0:id.am-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-4.1","tail":"fsscc_profile_v1.0:id.am-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-5.1","tail":"fsscc_profile_v1.0:id.am-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-5.2","tail":"fsscc_profile_v1.0:id.am-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.am-6.1","tail":"fsscc_profile_v1.0:id.am-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-1.1","tail":"fsscc_profile_v1.0:id.ra-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-2.1","tail":"fsscc_profile_v1.0:id.ra-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-3.1","tail":"fsscc_profile_v1.0:id.ra-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-3.2","tail":"fsscc_profile_v1.0:id.ra-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-3.3","tail":"fsscc_profile_v1.0:id.ra-3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-4.1","tail":"fsscc_profile_v1.0:id.ra-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.1","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.2","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.3","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.4","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.5","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-5.6","tail":"fsscc_profile_v1.0:id.ra-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-6.1","tail":"fsscc_profile_v1.0:id.ra-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:id.ra-6.2","tail":"fsscc_profile_v1.0:id.ra-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-1.1","tail":"fsscc_profile_v1.0:pr.ac-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-1.2","tail":"fsscc_profile_v1.0:pr.ac-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-1.3","tail":"fsscc_profile_v1.0:pr.ac-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-2.1","tail":"fsscc_profile_v1.0:pr.ac-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-3.1","tail":"fsscc_profile_v1.0:pr.ac-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-3.2","tail":"fsscc_profile_v1.0:pr.ac-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-4.1","tail":"fsscc_profile_v1.0:pr.ac-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-4.2","tail":"fsscc_profile_v1.0:pr.ac-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-4.3","tail":"fsscc_profile_v1.0:pr.ac-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-5.1","tail":"fsscc_profile_v1.0:pr.ac-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-5.2","tail":"fsscc_profile_v1.0:pr.ac-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-6.1","tail":"fsscc_profile_v1.0:pr.ac-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-7.1","tail":"fsscc_profile_v1.0:pr.ac-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ac-7.2","tail":"fsscc_profile_v1.0:pr.ac-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-1.1","tail":"fsscc_profile_v1.0:pr.at-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-1.2","tail":"fsscc_profile_v1.0:pr.at-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-1.3","tail":"fsscc_profile_v1.0:pr.at-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-2.1","tail":"fsscc_profile_v1.0:pr.at-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-2.2","tail":"fsscc_profile_v1.0:pr.at-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-2.3","tail":"fsscc_profile_v1.0:pr.at-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-3.1","tail":"fsscc_profile_v1.0:pr.at-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-3.2","tail":"fsscc_profile_v1.0:pr.at-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-3.3","tail":"fsscc_profile_v1.0:pr.at-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-4.1","tail":"fsscc_profile_v1.0:pr.at-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-4.2","tail":"fsscc_profile_v1.0:pr.at-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.at-5.1","tail":"fsscc_profile_v1.0:pr.at-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-1.1","tail":"fsscc_profile_v1.0:pr.ds-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-1.2","tail":"fsscc_profile_v1.0:pr.ds-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-2.1","tail":"fsscc_profile_v1.0:pr.ds-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-2.2","tail":"fsscc_profile_v1.0:pr.ds-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-3.1","tail":"fsscc_profile_v1.0:pr.ds-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-4.1","tail":"fsscc_profile_v1.0:pr.ds-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-5.1","tail":"fsscc_profile_v1.0:pr.ds-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-6.1","tail":"fsscc_profile_v1.0:pr.ds-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-7.1","tail":"fsscc_profile_v1.0:pr.ds-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ds-8.1","tail":"fsscc_profile_v1.0:pr.ds-8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-1.1","tail":"fsscc_profile_v1.0:pr.ip-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-1.2","tail":"fsscc_profile_v1.0:pr.ip-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-1.3","tail":"fsscc_profile_v1.0:pr.ip-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-2.1","tail":"fsscc_profile_v1.0:pr.ip-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-2.2","tail":"fsscc_profile_v1.0:pr.ip-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-2.3","tail":"fsscc_profile_v1.0:pr.ip-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-3.1","tail":"fsscc_profile_v1.0:pr.ip-3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-4.1","tail":"fsscc_profile_v1.0:pr.ip-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-4.2","tail":"fsscc_profile_v1.0:pr.ip-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-4.3","tail":"fsscc_profile_v1.0:pr.ip-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-4.4","tail":"fsscc_profile_v1.0:pr.ip-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-5.1","tail":"fsscc_profile_v1.0:pr.ip-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-6.1","tail":"fsscc_profile_v1.0:pr.ip-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-7.1","tail":"fsscc_profile_v1.0:pr.ip-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-8.1","tail":"fsscc_profile_v1.0:pr.ip-8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-9.1","tail":"fsscc_profile_v1.0:pr.ip-9","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-9.2","tail":"fsscc_profile_v1.0:pr.ip-9","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-10.1","tail":"fsscc_profile_v1.0:pr.ip-10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-10.2","tail":"fsscc_profile_v1.0:pr.ip-10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-10.3","tail":"fsscc_profile_v1.0:pr.ip-10","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-10.4","tail":"fsscc_profile_v1.0:pr.ip-10","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-11.1","tail":"fsscc_profile_v1.0:pr.ip-11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-11.2","tail":"fsscc_profile_v1.0:pr.ip-11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-11.3","tail":"fsscc_profile_v1.0:pr.ip-11","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-12.1","tail":"fsscc_profile_v1.0:pr.ip-12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-12.2","tail":"fsscc_profile_v1.0:pr.ip-12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-12.3","tail":"fsscc_profile_v1.0:pr.ip-12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ip-12.4","tail":"fsscc_profile_v1.0:pr.ip-12","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ma-1.1","tail":"fsscc_profile_v1.0:pr.ma-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.ma-2.1","tail":"fsscc_profile_v1.0:pr.ma-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-1.1","tail":"fsscc_profile_v1.0:pr.pt-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-1.2","tail":"fsscc_profile_v1.0:pr.pt-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-2.1","tail":"fsscc_profile_v1.0:pr.pt-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-3.1","tail":"fsscc_profile_v1.0:pr.pt-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-4.1","tail":"fsscc_profile_v1.0:pr.pt-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:pr.pt-5.1","tail":"fsscc_profile_v1.0:pr.pt-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-1.1","tail":"fsscc_profile_v1.0:de.ae-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-2.1","tail":"fsscc_profile_v1.0:de.ae-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-3.1","tail":"fsscc_profile_v1.0:de.ae-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-3.2","tail":"fsscc_profile_v1.0:de.ae-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-4.1","tail":"fsscc_profile_v1.0:de.ae-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.ae-5.1","tail":"fsscc_profile_v1.0:de.ae-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-1.1","tail":"fsscc_profile_v1.0:de.cm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-1.2","tail":"fsscc_profile_v1.0:de.cm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-1.3","tail":"fsscc_profile_v1.0:de.cm-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-1.4","tail":"fsscc_profile_v1.0:de.cm-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-2.1","tail":"fsscc_profile_v1.0:de.cm-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-3.1","tail":"fsscc_profile_v1.0:de.cm-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-3.2","tail":"fsscc_profile_v1.0:de.cm-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-3.3","tail":"fsscc_profile_v1.0:de.cm-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-4.1","tail":"fsscc_profile_v1.0:de.cm-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-4.2","tail":"fsscc_profile_v1.0:de.cm-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-5.1","tail":"fsscc_profile_v1.0:de.cm-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-6.1","tail":"fsscc_profile_v1.0:de.cm-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-6.2","tail":"fsscc_profile_v1.0:de.cm-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-6.3","tail":"fsscc_profile_v1.0:de.cm-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-7.1","tail":"fsscc_profile_v1.0:de.cm-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-7.2","tail":"fsscc_profile_v1.0:de.cm-7","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-7.3","tail":"fsscc_profile_v1.0:de.cm-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-7.4","tail":"fsscc_profile_v1.0:de.cm-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-8.1","tail":"fsscc_profile_v1.0:de.cm-8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.cm-8.2","tail":"fsscc_profile_v1.0:de.cm-8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-1.1","tail":"fsscc_profile_v1.0:de.dp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-2.1","tail":"fsscc_profile_v1.0:de.dp-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-3.1","tail":"fsscc_profile_v1.0:de.dp-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-4.1","tail":"fsscc_profile_v1.0:de.dp-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-4.2","tail":"fsscc_profile_v1.0:de.dp-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:de.dp-5.1","tail":"fsscc_profile_v1.0:de.dp-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.rp-1.1","tail":"fsscc_profile_v1.0:rs.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-1.1","tail":"fsscc_profile_v1.0:rs.co-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-1.2","tail":"fsscc_profile_v1.0:rs.co-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-1.3","tail":"fsscc_profile_v1.0:rs.co-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-2.1","tail":"fsscc_profile_v1.0:rs.co-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-2.2","tail":"fsscc_profile_v1.0:rs.co-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-2.3","tail":"fsscc_profile_v1.0:rs.co-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-2.4","tail":"fsscc_profile_v1.0:rs.co-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-3.1","tail":"fsscc_profile_v1.0:rs.co-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-3.2","tail":"fsscc_profile_v1.0:rs.co-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-4.1","tail":"fsscc_profile_v1.0:rs.co-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-5.1","tail":"fsscc_profile_v1.0:rs.co-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-5.2","tail":"fsscc_profile_v1.0:rs.co-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.co-5.3","tail":"fsscc_profile_v1.0:rs.co-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-1.1","tail":"fsscc_profile_v1.0:rs.an-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-2.1","tail":"fsscc_profile_v1.0:rs.an-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-2.2","tail":"fsscc_profile_v1.0:rs.an-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-3.1","tail":"fsscc_profile_v1.0:rs.an-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-4.1","tail":"fsscc_profile_v1.0:rs.an-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-5.1","tail":"fsscc_profile_v1.0:rs.an-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-5.2","tail":"fsscc_profile_v1.0:rs.an-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.an-5.3","tail":"fsscc_profile_v1.0:rs.an-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-1.1","tail":"fsscc_profile_v1.0:rs.mi-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-1.2","tail":"fsscc_profile_v1.0:rs.mi-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-2.1","tail":"fsscc_profile_v1.0:rs.mi-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-3.1","tail":"fsscc_profile_v1.0:rs.mi-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.mi-3.2","tail":"fsscc_profile_v1.0:rs.mi-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-1.1","tail":"fsscc_profile_v1.0:rs.im-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-1.2","tail":"fsscc_profile_v1.0:rs.im-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-1.3","tail":"fsscc_profile_v1.0:rs.im-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rs.im-2.1","tail":"fsscc_profile_v1.0:rs.im-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.1","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.2","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.3","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.4","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.5","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.rp-1.6","tail":"fsscc_profile_v1.0:rc.rp-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.im-1.1","tail":"fsscc_profile_v1.0:rc.im-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.im-2.1","tail":"fsscc_profile_v1.0:rc.im-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-1.1","tail":"fsscc_profile_v1.0:rc.co-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-1.2","tail":"fsscc_profile_v1.0:rc.co-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-2.1","tail":"fsscc_profile_v1.0:rc.co-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:rc.co-3.1","tail":"fsscc_profile_v1.0:rc.co-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-1.1","tail":"fsscc_profile_v1.0:dm.id-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-1.2","tail":"fsscc_profile_v1.0:dm.id-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-1.3","tail":"fsscc_profile_v1.0:dm.id-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-1.4","tail":"fsscc_profile_v1.0:dm.id-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.id-2.1","tail":"fsscc_profile_v1.0:dm.id-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-1.1","tail":"fsscc_profile_v1.0:dm.ed-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-1.2","tail":"fsscc_profile_v1.0:dm.ed-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-1.3","tail":"fsscc_profile_v1.0:dm.ed-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2.1","tail":"fsscc_profile_v1.0:dm.ed-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2.2","tail":"fsscc_profile_v1.0:dm.ed-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2.3","tail":"fsscc_profile_v1.0:dm.ed-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2.4","tail":"fsscc_profile_v1.0:dm.ed-2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-2.5","tail":"fsscc_profile_v1.0:dm.ed-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-3.1","tail":"fsscc_profile_v1.0:dm.ed-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-3.2","tail":"fsscc_profile_v1.0:dm.ed-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4.1","tail":"fsscc_profile_v1.0:dm.ed-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4.2","tail":"fsscc_profile_v1.0:dm.ed-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4.3","tail":"fsscc_profile_v1.0:dm.ed-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4.4","tail":"fsscc_profile_v1.0:dm.ed-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-4.5","tail":"fsscc_profile_v1.0:dm.ed-4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-5.1","tail":"fsscc_profile_v1.0:dm.ed-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-5.2","tail":"fsscc_profile_v1.0:dm.ed-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-5.3","tail":"fsscc_profile_v1.0:dm.ed-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-5.4","tail":"fsscc_profile_v1.0:dm.ed-5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.1","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.2","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.3","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.4","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.5","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.6","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-6.7","tail":"fsscc_profile_v1.0:dm.ed-6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-7.1","tail":"fsscc_profile_v1.0:dm.ed-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-7.2","tail":"fsscc_profile_v1.0:dm.ed-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-7.3","tail":"fsscc_profile_v1.0:dm.ed-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.ed-7.4","tail":"fsscc_profile_v1.0:dm.ed-7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-1.1","tail":"fsscc_profile_v1.0:dm.rs-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-1.2","tail":"fsscc_profile_v1.0:dm.rs-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-1.3","tail":"fsscc_profile_v1.0:dm.rs-1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2.1","tail":"fsscc_profile_v1.0:dm.rs-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2.2","tail":"fsscc_profile_v1.0:dm.rs-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2.3","tail":"fsscc_profile_v1.0:dm.rs-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2.4","tail":"fsscc_profile_v1.0:dm.rs-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.rs-2.5","tail":"fsscc_profile_v1.0:dm.rs-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-1.1","tail":"fsscc_profile_v1.0:dm.be-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-1.2","tail":"fsscc_profile_v1.0:dm.be-1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-2.1","tail":"fsscc_profile_v1.0:dm.be-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-2.2","tail":"fsscc_profile_v1.0:dm.be-2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"fsscc_profile_v1.0","head":"fsscc_profile_v1.0:dm.be-3.1","tail":"fsscc_profile_v1.0:dm.be-3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g","tail":"ffiec_cat_v2017.05:d1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm","tail":"ffiec_cat_v2017.05:d1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r","tail":"ffiec_cat_v2017.05:d1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc","tail":"ffiec_cat_v2017.05:d1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti","tail":"ffiec_cat_v2017.05:d2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma","tail":"ffiec_cat_v2017.05:d2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is","tail":"ffiec_cat_v2017.05:d2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc","tail":"ffiec_cat_v2017.05:d3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc","tail":"ffiec_cat_v2017.05:d3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc","tail":"ffiec_cat_v2017.05:d3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c","tail":"ffiec_cat_v2017.05:d4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm","tail":"ffiec_cat_v2017.05:d4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir","tail":"ffiec_cat_v2017.05:d5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr","tail":"ffiec_cat_v2017.05:d5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er","tail":"ffiec_cat_v2017.05:d5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov","tail":"ffiec_cat_v2017.05:d1.g","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp","tail":"ffiec_cat_v2017.05:d1.g","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it","tail":"ffiec_cat_v2017.05:d1.g","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp","tail":"ffiec_cat_v2017.05:d1.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra","tail":"ffiec_cat_v2017.05:d1.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au","tail":"ffiec_cat_v2017.05:d1.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st","tail":"ffiec_cat_v2017.05:d1.r","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr","tail":"ffiec_cat_v2017.05:d1.tc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu","tail":"ffiec_cat_v2017.05:d1.tc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti","tail":"ffiec_cat_v2017.05:d2.ti","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma","tail":"ffiec_cat_v2017.05:d2.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is","tail":"ffiec_cat_v2017.05:d2.is","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im","tail":"ffiec_cat_v2017.05:d3.pc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am","tail":"ffiec_cat_v2017.05:d3.pc","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de","tail":"ffiec_cat_v2017.05:d3.pc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se","tail":"ffiec_cat_v2017.05:d3.pc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th","tail":"ffiec_cat_v2017.05:d3.dc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an","tail":"ffiec_cat_v2017.05:d3.dc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev","tail":"ffiec_cat_v2017.05:d3.dc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa","tail":"ffiec_cat_v2017.05:d3.cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re","tail":"ffiec_cat_v2017.05:d3.cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co","tail":"ffiec_cat_v2017.05:d4.c","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd","tail":"ffiec_cat_v2017.05:d4.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co","tail":"ffiec_cat_v2017.05:d4.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om","tail":"ffiec_cat_v2017.05:d4.rm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl","tail":"ffiec_cat_v2017.05:d5.ir","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te","tail":"ffiec_cat_v2017.05:d5.ir","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de","tail":"ffiec_cat_v2017.05:d5.dr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re","tail":"ffiec_cat_v2017.05:d5.dr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es","tail":"ffiec_cat_v2017.05:d5.er","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b","tail":"ffiec_cat_v2017.05:d1.g.ov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.e","tail":"ffiec_cat_v2017.05:d1.g.ov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int","tail":"ffiec_cat_v2017.05:d1.g.ov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a","tail":"ffiec_cat_v2017.05:d1.g.ov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.inn","tail":"ffiec_cat_v2017.05:d1.g.ov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b","tail":"ffiec_cat_v2017.05:d1.g.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.e","tail":"ffiec_cat_v2017.05:d1.g.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int","tail":"ffiec_cat_v2017.05:d1.g.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a","tail":"ffiec_cat_v2017.05:d1.g.sp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.inn","tail":"ffiec_cat_v2017.05:d1.g.sp","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.b","tail":"ffiec_cat_v2017.05:d1.g.it","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.e","tail":"ffiec_cat_v2017.05:d1.g.it","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.int","tail":"ffiec_cat_v2017.05:d1.g.it","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.a","tail":"ffiec_cat_v2017.05:d1.g.it","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.inn","tail":"ffiec_cat_v2017.05:d1.g.it","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.b","tail":"ffiec_cat_v2017.05:d1.rm.rmp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.e","tail":"ffiec_cat_v2017.05:d1.rm.rmp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int","tail":"ffiec_cat_v2017.05:d1.rm.rmp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a","tail":"ffiec_cat_v2017.05:d1.rm.rmp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.inn","tail":"ffiec_cat_v2017.05:d1.rm.rmp","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.b","tail":"ffiec_cat_v2017.05:d1.rm.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.e","tail":"ffiec_cat_v2017.05:d1.rm.ra","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.int","tail":"ffiec_cat_v2017.05:d1.rm.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.a","tail":"ffiec_cat_v2017.05:d1.rm.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.inn","tail":"ffiec_cat_v2017.05:d1.rm.ra","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.b","tail":"ffiec_cat_v2017.05:d1.rm.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e","tail":"ffiec_cat_v2017.05:d1.rm.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.int","tail":"ffiec_cat_v2017.05:d1.rm.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.a","tail":"ffiec_cat_v2017.05:d1.rm.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.inn","tail":"ffiec_cat_v2017.05:d1.rm.au","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.b","tail":"ffiec_cat_v2017.05:d1.r.st","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.e","tail":"ffiec_cat_v2017.05:d1.r.st","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.int","tail":"ffiec_cat_v2017.05:d1.r.st","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.a","tail":"ffiec_cat_v2017.05:d1.r.st","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.inn","tail":"ffiec_cat_v2017.05:d1.r.st","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.b","tail":"ffiec_cat_v2017.05:d1.tc.tr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e","tail":"ffiec_cat_v2017.05:d1.tc.tr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.int","tail":"ffiec_cat_v2017.05:d1.tc.tr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.a","tail":"ffiec_cat_v2017.05:d1.tc.tr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.inn","tail":"ffiec_cat_v2017.05:d1.tc.tr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.b","tail":"ffiec_cat_v2017.05:d1.tc.cu","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.e","tail":"ffiec_cat_v2017.05:d1.tc.cu","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.int","tail":"ffiec_cat_v2017.05:d1.tc.cu","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.a","tail":"ffiec_cat_v2017.05:d1.tc.cu","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.inn","tail":"ffiec_cat_v2017.05:d1.tc.cu","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.b","tail":"ffiec_cat_v2017.05:d2.ti.ti","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.e","tail":"ffiec_cat_v2017.05:d2.ti.ti","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.int","tail":"ffiec_cat_v2017.05:d2.ti.ti","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.a","tail":"ffiec_cat_v2017.05:d2.ti.ti","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.inn","tail":"ffiec_cat_v2017.05:d2.ti.ti","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.b","tail":"ffiec_cat_v2017.05:d2.ma.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.e","tail":"ffiec_cat_v2017.05:d2.ma.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.int","tail":"ffiec_cat_v2017.05:d2.ma.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a","tail":"ffiec_cat_v2017.05:d2.ma.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.inn","tail":"ffiec_cat_v2017.05:d2.ma.ma","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.b","tail":"ffiec_cat_v2017.05:d2.is.is","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.e","tail":"ffiec_cat_v2017.05:d2.is.is","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.int","tail":"ffiec_cat_v2017.05:d2.is.is","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.a","tail":"ffiec_cat_v2017.05:d2.is.is","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.inn","tail":"ffiec_cat_v2017.05:d2.is.is","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b","tail":"ffiec_cat_v2017.05:d3.pc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e","tail":"ffiec_cat_v2017.05:d3.pc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int","tail":"ffiec_cat_v2017.05:d3.pc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.a","tail":"ffiec_cat_v2017.05:d3.pc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.inn","tail":"ffiec_cat_v2017.05:d3.pc.im","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b","tail":"ffiec_cat_v2017.05:d3.pc.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e","tail":"ffiec_cat_v2017.05:d3.pc.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int","tail":"ffiec_cat_v2017.05:d3.pc.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.a","tail":"ffiec_cat_v2017.05:d3.pc.am","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn","tail":"ffiec_cat_v2017.05:d3.pc.am","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.b","tail":"ffiec_cat_v2017.05:d3.pc.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e","tail":"ffiec_cat_v2017.05:d3.pc.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.int","tail":"ffiec_cat_v2017.05:d3.pc.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.a","tail":"ffiec_cat_v2017.05:d3.pc.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.inn","tail":"ffiec_cat_v2017.05:d3.pc.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.b","tail":"ffiec_cat_v2017.05:d3.pc.se","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.e","tail":"ffiec_cat_v2017.05:d3.pc.se","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.int","tail":"ffiec_cat_v2017.05:d3.pc.se","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.a","tail":"ffiec_cat_v2017.05:d3.pc.se","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.inn","tail":"ffiec_cat_v2017.05:d3.pc.se","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.b","tail":"ffiec_cat_v2017.05:d3.dc.th","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e","tail":"ffiec_cat_v2017.05:d3.dc.th","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.int","tail":"ffiec_cat_v2017.05:d3.dc.th","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.a","tail":"ffiec_cat_v2017.05:d3.dc.th","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.inn","tail":"ffiec_cat_v2017.05:d3.dc.th","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b","tail":"ffiec_cat_v2017.05:d3.dc.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.e","tail":"ffiec_cat_v2017.05:d3.dc.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int","tail":"ffiec_cat_v2017.05:d3.dc.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a","tail":"ffiec_cat_v2017.05:d3.dc.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.inn","tail":"ffiec_cat_v2017.05:d3.dc.an","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b","tail":"ffiec_cat_v2017.05:d3.dc.ev","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.e","tail":"ffiec_cat_v2017.05:d3.dc.ev","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.int","tail":"ffiec_cat_v2017.05:d3.dc.ev","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.a","tail":"ffiec_cat_v2017.05:d3.dc.ev","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.inn","tail":"ffiec_cat_v2017.05:d3.dc.ev","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.b","tail":"ffiec_cat_v2017.05:d3.cc.pa","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e","tail":"ffiec_cat_v2017.05:d3.cc.pa","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.int","tail":"ffiec_cat_v2017.05:d3.cc.pa","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.a","tail":"ffiec_cat_v2017.05:d3.cc.pa","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.inn","tail":"ffiec_cat_v2017.05:d3.cc.pa","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.b","tail":"ffiec_cat_v2017.05:d3.cc.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.e","tail":"ffiec_cat_v2017.05:d3.cc.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int","tail":"ffiec_cat_v2017.05:d3.cc.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.a","tail":"ffiec_cat_v2017.05:d3.cc.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.inn","tail":"ffiec_cat_v2017.05:d3.cc.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.b","tail":"ffiec_cat_v2017.05:d4.c.co","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.e","tail":"ffiec_cat_v2017.05:d4.c.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.int","tail":"ffiec_cat_v2017.05:d4.c.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.a","tail":"ffiec_cat_v2017.05:d4.c.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.inn","tail":"ffiec_cat_v2017.05:d4.c.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.b","tail":"ffiec_cat_v2017.05:d4.rm.dd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.e","tail":"ffiec_cat_v2017.05:d4.rm.dd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.int","tail":"ffiec_cat_v2017.05:d4.rm.dd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.a","tail":"ffiec_cat_v2017.05:d4.rm.dd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.inn","tail":"ffiec_cat_v2017.05:d4.rm.dd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b","tail":"ffiec_cat_v2017.05:d4.rm.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.e","tail":"ffiec_cat_v2017.05:d4.rm.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.int","tail":"ffiec_cat_v2017.05:d4.rm.co","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.a","tail":"ffiec_cat_v2017.05:d4.rm.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.inn","tail":"ffiec_cat_v2017.05:d4.rm.co","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.b","tail":"ffiec_cat_v2017.05:d4.rm.om","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.e","tail":"ffiec_cat_v2017.05:d4.rm.om","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.int","tail":"ffiec_cat_v2017.05:d4.rm.om","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.a","tail":"ffiec_cat_v2017.05:d4.rm.om","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.inn","tail":"ffiec_cat_v2017.05:d4.rm.om","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b","tail":"ffiec_cat_v2017.05:d5.ir.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e","tail":"ffiec_cat_v2017.05:d5.ir.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.int","tail":"ffiec_cat_v2017.05:d5.ir.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.a","tail":"ffiec_cat_v2017.05:d5.ir.pl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.inn","tail":"ffiec_cat_v2017.05:d5.ir.pl","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.b","tail":"ffiec_cat_v2017.05:d5.ir.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.e","tail":"ffiec_cat_v2017.05:d5.ir.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int","tail":"ffiec_cat_v2017.05:d5.ir.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a","tail":"ffiec_cat_v2017.05:d5.ir.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.inn","tail":"ffiec_cat_v2017.05:d5.ir.te","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.b","tail":"ffiec_cat_v2017.05:d5.dr.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.e","tail":"ffiec_cat_v2017.05:d5.dr.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int","tail":"ffiec_cat_v2017.05:d5.dr.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.a","tail":"ffiec_cat_v2017.05:d5.dr.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.inn","tail":"ffiec_cat_v2017.05:d5.dr.de","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.b","tail":"ffiec_cat_v2017.05:d5.dr.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e","tail":"ffiec_cat_v2017.05:d5.dr.re","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.int","tail":"ffiec_cat_v2017.05:d5.dr.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.a","tail":"ffiec_cat_v2017.05:d5.dr.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.inn","tail":"ffiec_cat_v2017.05:d5.dr.re","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.b","tail":"ffiec_cat_v2017.05:d5.er.es","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.e","tail":"ffiec_cat_v2017.05:d5.er.es","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.int","tail":"ffiec_cat_v2017.05:d5.er.es","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.a","tail":"ffiec_cat_v2017.05:d5.er.es","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.inn","tail":"ffiec_cat_v2017.05:d5.er.es","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b.1","tail":"ffiec_cat_v2017.05:d1.g.ov.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b.2","tail":"ffiec_cat_v2017.05:d1.g.ov.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b.3","tail":"ffiec_cat_v2017.05:d1.g.ov.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b.4","tail":"ffiec_cat_v2017.05:d1.g.ov.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.b.5","tail":"ffiec_cat_v2017.05:d1.g.ov.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.e.1","tail":"ffiec_cat_v2017.05:d1.g.ov.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.e.2","tail":"ffiec_cat_v2017.05:d1.g.ov.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.e.3","tail":"ffiec_cat_v2017.05:d1.g.ov.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.e.4","tail":"ffiec_cat_v2017.05:d1.g.ov.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.1","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.2","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.3","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.4","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.5","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.6","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.7","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.int.8","tail":"ffiec_cat_v2017.05:d1.g.ov.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.1","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.2","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.3","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.4","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.5","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.a.6","tail":"ffiec_cat_v2017.05:d1.g.ov.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.inn.1","tail":"ffiec_cat_v2017.05:d1.g.ov.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.ov.inn.2","tail":"ffiec_cat_v2017.05:d1.g.ov.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.1","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.2","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.3","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.4","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.5","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.6","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.b.7","tail":"ffiec_cat_v2017.05:d1.g.sp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.e.1","tail":"ffiec_cat_v2017.05:d1.g.sp.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.e.2","tail":"ffiec_cat_v2017.05:d1.g.sp.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.e.3","tail":"ffiec_cat_v2017.05:d1.g.sp.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int.1","tail":"ffiec_cat_v2017.05:d1.g.sp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int.2","tail":"ffiec_cat_v2017.05:d1.g.sp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int.3","tail":"ffiec_cat_v2017.05:d1.g.sp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int.4","tail":"ffiec_cat_v2017.05:d1.g.sp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.int.5","tail":"ffiec_cat_v2017.05:d1.g.sp.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a.1","tail":"ffiec_cat_v2017.05:d1.g.sp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a.2","tail":"ffiec_cat_v2017.05:d1.g.sp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a.3","tail":"ffiec_cat_v2017.05:d1.g.sp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a.4","tail":"ffiec_cat_v2017.05:d1.g.sp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.a.5","tail":"ffiec_cat_v2017.05:d1.g.sp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.sp.inn.1","tail":"ffiec_cat_v2017.05:d1.g.sp.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.b.1","tail":"ffiec_cat_v2017.05:d1.g.it.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.b.2","tail":"ffiec_cat_v2017.05:d1.g.it.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.b.3","tail":"ffiec_cat_v2017.05:d1.g.it.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.b.4","tail":"ffiec_cat_v2017.05:d1.g.it.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.e.1","tail":"ffiec_cat_v2017.05:d1.g.it.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.e.2","tail":"ffiec_cat_v2017.05:d1.g.it.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.e.3","tail":"ffiec_cat_v2017.05:d1.g.it.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.e.4","tail":"ffiec_cat_v2017.05:d1.g.it.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.int.1","tail":"ffiec_cat_v2017.05:d1.g.it.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.int.2","tail":"ffiec_cat_v2017.05:d1.g.it.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.a.1","tail":"ffiec_cat_v2017.05:d1.g.it.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.a.2","tail":"ffiec_cat_v2017.05:d1.g.it.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.a.3","tail":"ffiec_cat_v2017.05:d1.g.it.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.a.4","tail":"ffiec_cat_v2017.05:d1.g.it.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.inn.1","tail":"ffiec_cat_v2017.05:d1.g.it.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.g.it.inn.2","tail":"ffiec_cat_v2017.05:d1.g.it.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.b.1","tail":"ffiec_cat_v2017.05:d1.rm.rmp.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.e.1","tail":"ffiec_cat_v2017.05:d1.rm.rmp.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.e.2","tail":"ffiec_cat_v2017.05:d1.rm.rmp.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.e.3","tail":"ffiec_cat_v2017.05:d1.rm.rmp.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int.1","tail":"ffiec_cat_v2017.05:d1.rm.rmp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int.2","tail":"ffiec_cat_v2017.05:d1.rm.rmp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int.3","tail":"ffiec_cat_v2017.05:d1.rm.rmp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int.4","tail":"ffiec_cat_v2017.05:d1.rm.rmp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.int.5","tail":"ffiec_cat_v2017.05:d1.rm.rmp.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a.1","tail":"ffiec_cat_v2017.05:d1.rm.rmp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a.2","tail":"ffiec_cat_v2017.05:d1.rm.rmp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a.3","tail":"ffiec_cat_v2017.05:d1.rm.rmp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a.4","tail":"ffiec_cat_v2017.05:d1.rm.rmp.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.a.5","tail":"ffiec_cat_v2017.05:d1.rm.rmp.a","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.inn.1","tail":"ffiec_cat_v2017.05:d1.rm.rmp.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.rmp.inn.2","tail":"ffiec_cat_v2017.05:d1.rm.rmp.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.b.1","tail":"ffiec_cat_v2017.05:d1.rm.ra.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.b.2","tail":"ffiec_cat_v2017.05:d1.rm.ra.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.b.3","tail":"ffiec_cat_v2017.05:d1.rm.ra.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.e.1","tail":"ffiec_cat_v2017.05:d1.rm.ra.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.e.2","tail":"ffiec_cat_v2017.05:d1.rm.ra.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.e.3","tail":"ffiec_cat_v2017.05:d1.rm.ra.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.int.1","tail":"ffiec_cat_v2017.05:d1.rm.ra.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.a.1","tail":"ffiec_cat_v2017.05:d1.rm.ra.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.inn.1","tail":"ffiec_cat_v2017.05:d1.rm.ra.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.inn.2","tail":"ffiec_cat_v2017.05:d1.rm.ra.inn","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.ra.inn.3","tail":"ffiec_cat_v2017.05:d1.rm.ra.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.b.1","tail":"ffiec_cat_v2017.05:d1.rm.au.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.b.2","tail":"ffiec_cat_v2017.05:d1.rm.au.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.b.3","tail":"ffiec_cat_v2017.05:d1.rm.au.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.b.4","tail":"ffiec_cat_v2017.05:d1.rm.au.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e.1","tail":"ffiec_cat_v2017.05:d1.rm.au.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e.2","tail":"ffiec_cat_v2017.05:d1.rm.au.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e.3","tail":"ffiec_cat_v2017.05:d1.rm.au.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e.4","tail":"ffiec_cat_v2017.05:d1.rm.au.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.e.5","tail":"ffiec_cat_v2017.05:d1.rm.au.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.int.1","tail":"ffiec_cat_v2017.05:d1.rm.au.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.int.2","tail":"ffiec_cat_v2017.05:d1.rm.au.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.int.3","tail":"ffiec_cat_v2017.05:d1.rm.au.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.int.4","tail":"ffiec_cat_v2017.05:d1.rm.au.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.a.1","tail":"ffiec_cat_v2017.05:d1.rm.au.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.a.2","tail":"ffiec_cat_v2017.05:d1.rm.au.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.a.3","tail":"ffiec_cat_v2017.05:d1.rm.au.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.inn.1","tail":"ffiec_cat_v2017.05:d1.rm.au.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.rm.au.inn.2","tail":"ffiec_cat_v2017.05:d1.rm.au.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.b.1","tail":"ffiec_cat_v2017.05:d1.r.st.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.b.2","tail":"ffiec_cat_v2017.05:d1.r.st.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.e.1","tail":"ffiec_cat_v2017.05:d1.r.st.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.e.2","tail":"ffiec_cat_v2017.05:d1.r.st.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.e.3","tail":"ffiec_cat_v2017.05:d1.r.st.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.e.4","tail":"ffiec_cat_v2017.05:d1.r.st.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.int.1","tail":"ffiec_cat_v2017.05:d1.r.st.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.a.1","tail":"ffiec_cat_v2017.05:d1.r.st.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.a.2","tail":"ffiec_cat_v2017.05:d1.r.st.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.r.st.inn.1","tail":"ffiec_cat_v2017.05:d1.r.st.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.b.1","tail":"ffiec_cat_v2017.05:d1.tc.tr.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.b.2","tail":"ffiec_cat_v2017.05:d1.tc.tr.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.b.3","tail":"ffiec_cat_v2017.05:d1.tc.tr.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.b.4","tail":"ffiec_cat_v2017.05:d1.tc.tr.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e.1","tail":"ffiec_cat_v2017.05:d1.tc.tr.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e.2","tail":"ffiec_cat_v2017.05:d1.tc.tr.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e.3","tail":"ffiec_cat_v2017.05:d1.tc.tr.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e.4","tail":"ffiec_cat_v2017.05:d1.tc.tr.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.e.5","tail":"ffiec_cat_v2017.05:d1.tc.tr.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.int.1","tail":"ffiec_cat_v2017.05:d1.tc.tr.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.int.2","tail":"ffiec_cat_v2017.05:d1.tc.tr.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.int.3","tail":"ffiec_cat_v2017.05:d1.tc.tr.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.int.4","tail":"ffiec_cat_v2017.05:d1.tc.tr.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.a.1","tail":"ffiec_cat_v2017.05:d1.tc.tr.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.tr.inn.1","tail":"ffiec_cat_v2017.05:d1.tc.tr.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.b.1","tail":"ffiec_cat_v2017.05:d1.tc.cu.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.e.1","tail":"ffiec_cat_v2017.05:d1.tc.cu.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.e.2","tail":"ffiec_cat_v2017.05:d1.tc.cu.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.e.3","tail":"ffiec_cat_v2017.05:d1.tc.cu.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.int.1","tail":"ffiec_cat_v2017.05:d1.tc.cu.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.int.2","tail":"ffiec_cat_v2017.05:d1.tc.cu.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.int.3","tail":"ffiec_cat_v2017.05:d1.tc.cu.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.a.1","tail":"ffiec_cat_v2017.05:d1.tc.cu.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d1.tc.cu.inn.1","tail":"ffiec_cat_v2017.05:d1.tc.cu.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.b.1","tail":"ffiec_cat_v2017.05:d2.ti.ti.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.b.2","tail":"ffiec_cat_v2017.05:d2.ti.ti.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.b.3","tail":"ffiec_cat_v2017.05:d2.ti.ti.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.e.1","tail":"ffiec_cat_v2017.05:d2.ti.ti.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.int.1","tail":"ffiec_cat_v2017.05:d2.ti.ti.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.int.2","tail":"ffiec_cat_v2017.05:d2.ti.ti.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.int.3","tail":"ffiec_cat_v2017.05:d2.ti.ti.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.a.1","tail":"ffiec_cat_v2017.05:d2.ti.ti.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.a.2","tail":"ffiec_cat_v2017.05:d2.ti.ti.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.a.3","tail":"ffiec_cat_v2017.05:d2.ti.ti.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.inn.1","tail":"ffiec_cat_v2017.05:d2.ti.ti.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ti.ti.inn.2","tail":"ffiec_cat_v2017.05:d2.ti.ti.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.b.1","tail":"ffiec_cat_v2017.05:d2.ma.ma.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.b.2","tail":"ffiec_cat_v2017.05:d2.ma.ma.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.e.1","tail":"ffiec_cat_v2017.05:d2.ma.ma.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.e.2","tail":"ffiec_cat_v2017.05:d2.ma.ma.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.e.3","tail":"ffiec_cat_v2017.05:d2.ma.ma.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.e.4","tail":"ffiec_cat_v2017.05:d2.ma.ma.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.int.1","tail":"ffiec_cat_v2017.05:d2.ma.ma.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.int.2","tail":"ffiec_cat_v2017.05:d2.ma.ma.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.int.3","tail":"ffiec_cat_v2017.05:d2.ma.ma.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.int.4","tail":"ffiec_cat_v2017.05:d2.ma.ma.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a.1","tail":"ffiec_cat_v2017.05:d2.ma.ma.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a.2","tail":"ffiec_cat_v2017.05:d2.ma.ma.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a.3","tail":"ffiec_cat_v2017.05:d2.ma.ma.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a.4","tail":"ffiec_cat_v2017.05:d2.ma.ma.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.a.5","tail":"ffiec_cat_v2017.05:d2.ma.ma.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.inn.1","tail":"ffiec_cat_v2017.05:d2.ma.ma.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.inn.2","tail":"ffiec_cat_v2017.05:d2.ma.ma.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.ma.ma.inn.3","tail":"ffiec_cat_v2017.05:d2.ma.ma.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.b.1","tail":"ffiec_cat_v2017.05:d2.is.is.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.b.2","tail":"ffiec_cat_v2017.05:d2.is.is.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.b.3","tail":"ffiec_cat_v2017.05:d2.is.is.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.e.1","tail":"ffiec_cat_v2017.05:d2.is.is.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.e.2","tail":"ffiec_cat_v2017.05:d2.is.is.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.int.1","tail":"ffiec_cat_v2017.05:d2.is.is.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.int.2","tail":"ffiec_cat_v2017.05:d2.is.is.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.int.3","tail":"ffiec_cat_v2017.05:d2.is.is.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.int.4","tail":"ffiec_cat_v2017.05:d2.is.is.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.a.1","tail":"ffiec_cat_v2017.05:d2.is.is.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.a.2","tail":"ffiec_cat_v2017.05:d2.is.is.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.a.3","tail":"ffiec_cat_v2017.05:d2.is.is.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.inn.1","tail":"ffiec_cat_v2017.05:d2.is.is.inn","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.inn.2","tail":"ffiec_cat_v2017.05:d2.is.is.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d2.is.is.inn.3","tail":"ffiec_cat_v2017.05:d2.is.is.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.1","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.2","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.3","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.4","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.5","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.6","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.7","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.8","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.9","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.b.10","tail":"ffiec_cat_v2017.05:d3.pc.im.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.1","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.2","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.3","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.4","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.5","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.6","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.7","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.e.8","tail":"ffiec_cat_v2017.05:d3.pc.im.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.1","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.2","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.3","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.4","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.5","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.int.6","tail":"ffiec_cat_v2017.05:d3.pc.im.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.a.1","tail":"ffiec_cat_v2017.05:d3.pc.im.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.a.2","tail":"ffiec_cat_v2017.05:d3.pc.im.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.a.3","tail":"ffiec_cat_v2017.05:d3.pc.im.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.inn.1","tail":"ffiec_cat_v2017.05:d3.pc.im.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.inn.2","tail":"ffiec_cat_v2017.05:d3.pc.im.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.inn.3","tail":"ffiec_cat_v2017.05:d3.pc.im.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.im.inn.4","tail":"ffiec_cat_v2017.05:d3.pc.im.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.1","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.2","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.3","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.4","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.5","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.6","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.7","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.8","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.9","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.10","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.11","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.12","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.13","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.14","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.15","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.16","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.17","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.b.18","tail":"ffiec_cat_v2017.05:d3.pc.am.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e.1","tail":"ffiec_cat_v2017.05:d3.pc.am.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e.2","tail":"ffiec_cat_v2017.05:d3.pc.am.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e.3","tail":"ffiec_cat_v2017.05:d3.pc.am.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e.4","tail":"ffiec_cat_v2017.05:d3.pc.am.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.e.5","tail":"ffiec_cat_v2017.05:d3.pc.am.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.1","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.2","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.3","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.4","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.5","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.6","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.7","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.int.8","tail":"ffiec_cat_v2017.05:d3.pc.am.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.a.1","tail":"ffiec_cat_v2017.05:d3.pc.am.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.a.2","tail":"ffiec_cat_v2017.05:d3.pc.am.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn.1","tail":"ffiec_cat_v2017.05:d3.pc.am.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn.2","tail":"ffiec_cat_v2017.05:d3.pc.am.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn.3","tail":"ffiec_cat_v2017.05:d3.pc.am.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn.4","tail":"ffiec_cat_v2017.05:d3.pc.am.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.am.inn.5","tail":"ffiec_cat_v2017.05:d3.pc.am.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.b.1","tail":"ffiec_cat_v2017.05:d3.pc.de.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.1","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.2","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.3","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.4","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.5","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.6","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.e.7","tail":"ffiec_cat_v2017.05:d3.pc.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.int.1","tail":"ffiec_cat_v2017.05:d3.pc.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.int.2","tail":"ffiec_cat_v2017.05:d3.pc.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.int.3","tail":"ffiec_cat_v2017.05:d3.pc.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.a.1","tail":"ffiec_cat_v2017.05:d3.pc.de.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.a.2","tail":"ffiec_cat_v2017.05:d3.pc.de.a","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.de.inn.1","tail":"ffiec_cat_v2017.05:d3.pc.de.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.b.1","tail":"ffiec_cat_v2017.05:d3.pc.se.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.b.2","tail":"ffiec_cat_v2017.05:d3.pc.se.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.b.3","tail":"ffiec_cat_v2017.05:d3.pc.se.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.b.4","tail":"ffiec_cat_v2017.05:d3.pc.se.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.e.1","tail":"ffiec_cat_v2017.05:d3.pc.se.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.int.1","tail":"ffiec_cat_v2017.05:d3.pc.se.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.int.2","tail":"ffiec_cat_v2017.05:d3.pc.se.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.int.3","tail":"ffiec_cat_v2017.05:d3.pc.se.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.int.4","tail":"ffiec_cat_v2017.05:d3.pc.se.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.a.1","tail":"ffiec_cat_v2017.05:d3.pc.se.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.a.2","tail":"ffiec_cat_v2017.05:d3.pc.se.a","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.a.3","tail":"ffiec_cat_v2017.05:d3.pc.se.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.pc.se.inn.1","tail":"ffiec_cat_v2017.05:d3.pc.se.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.b.1","tail":"ffiec_cat_v2017.05:d3.dc.th.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.b.2","tail":"ffiec_cat_v2017.05:d3.dc.th.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.b.3","tail":"ffiec_cat_v2017.05:d3.dc.th.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.b.4","tail":"ffiec_cat_v2017.05:d3.dc.th.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.1","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.2","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.3","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.4","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.5","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.e.6","tail":"ffiec_cat_v2017.05:d3.dc.th.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.int.1","tail":"ffiec_cat_v2017.05:d3.dc.th.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.int.2","tail":"ffiec_cat_v2017.05:d3.dc.th.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.a.1","tail":"ffiec_cat_v2017.05:d3.dc.th.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.a.2","tail":"ffiec_cat_v2017.05:d3.dc.th.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.a.3","tail":"ffiec_cat_v2017.05:d3.dc.th.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.inn.1","tail":"ffiec_cat_v2017.05:d3.dc.th.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.th.inn.2","tail":"ffiec_cat_v2017.05:d3.dc.th.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b.1","tail":"ffiec_cat_v2017.05:d3.dc.an.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b.2","tail":"ffiec_cat_v2017.05:d3.dc.an.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b.3","tail":"ffiec_cat_v2017.05:d3.dc.an.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b.4","tail":"ffiec_cat_v2017.05:d3.dc.an.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.b.5","tail":"ffiec_cat_v2017.05:d3.dc.an.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.e.1","tail":"ffiec_cat_v2017.05:d3.dc.an.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.e.2","tail":"ffiec_cat_v2017.05:d3.dc.an.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.e.3","tail":"ffiec_cat_v2017.05:d3.dc.an.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.e.4","tail":"ffiec_cat_v2017.05:d3.dc.an.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.1","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.2","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.3","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.4","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.5","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.int.6","tail":"ffiec_cat_v2017.05:d3.dc.an.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a.1","tail":"ffiec_cat_v2017.05:d3.dc.an.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a.2","tail":"ffiec_cat_v2017.05:d3.dc.an.a","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a.3","tail":"ffiec_cat_v2017.05:d3.dc.an.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a.4","tail":"ffiec_cat_v2017.05:d3.dc.an.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.a.5","tail":"ffiec_cat_v2017.05:d3.dc.an.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.inn.1","tail":"ffiec_cat_v2017.05:d3.dc.an.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.an.inn.2","tail":"ffiec_cat_v2017.05:d3.dc.an.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b.1","tail":"ffiec_cat_v2017.05:d3.dc.ev.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b.2","tail":"ffiec_cat_v2017.05:d3.dc.ev.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b.3","tail":"ffiec_cat_v2017.05:d3.dc.ev.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b.4","tail":"ffiec_cat_v2017.05:d3.dc.ev.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.b.5","tail":"ffiec_cat_v2017.05:d3.dc.ev.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.e.1","tail":"ffiec_cat_v2017.05:d3.dc.ev.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.int.1","tail":"ffiec_cat_v2017.05:d3.dc.ev.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.int.2","tail":"ffiec_cat_v2017.05:d3.dc.ev.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.int.3","tail":"ffiec_cat_v2017.05:d3.dc.ev.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.a.1","tail":"ffiec_cat_v2017.05:d3.dc.ev.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.a.2","tail":"ffiec_cat_v2017.05:d3.dc.ev.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.a.3","tail":"ffiec_cat_v2017.05:d3.dc.ev.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.a.4","tail":"ffiec_cat_v2017.05:d3.dc.ev.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.inn.1","tail":"ffiec_cat_v2017.05:d3.dc.ev.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.dc.ev.inn.2","tail":"ffiec_cat_v2017.05:d3.dc.ev.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.b.1","tail":"ffiec_cat_v2017.05:d3.cc.pa.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.b.2","tail":"ffiec_cat_v2017.05:d3.cc.pa.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.b.3","tail":"ffiec_cat_v2017.05:d3.cc.pa.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e.1","tail":"ffiec_cat_v2017.05:d3.cc.pa.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e.2","tail":"ffiec_cat_v2017.05:d3.cc.pa.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e.3","tail":"ffiec_cat_v2017.05:d3.cc.pa.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e.4","tail":"ffiec_cat_v2017.05:d3.cc.pa.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.e.5","tail":"ffiec_cat_v2017.05:d3.cc.pa.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.int.1","tail":"ffiec_cat_v2017.05:d3.cc.pa.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.a.1","tail":"ffiec_cat_v2017.05:d3.cc.pa.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.a.2","tail":"ffiec_cat_v2017.05:d3.cc.pa.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.inn.1","tail":"ffiec_cat_v2017.05:d3.cc.pa.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.pa.inn.2","tail":"ffiec_cat_v2017.05:d3.cc.pa.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.b.1","tail":"ffiec_cat_v2017.05:d3.cc.re.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.e.1","tail":"ffiec_cat_v2017.05:d3.cc.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.e.2","tail":"ffiec_cat_v2017.05:d3.cc.re.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.1","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.2","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.3","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.4","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.5","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.int.6","tail":"ffiec_cat_v2017.05:d3.cc.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.a.1","tail":"ffiec_cat_v2017.05:d3.cc.re.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d3.cc.re.inn.1","tail":"ffiec_cat_v2017.05:d3.cc.re.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.b.1","tail":"ffiec_cat_v2017.05:d4.c.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.b.2","tail":"ffiec_cat_v2017.05:d4.c.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.b.3","tail":"ffiec_cat_v2017.05:d4.c.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.b.4","tail":"ffiec_cat_v2017.05:d4.c.co.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.e.1","tail":"ffiec_cat_v2017.05:d4.c.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.e.2","tail":"ffiec_cat_v2017.05:d4.c.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.e.3","tail":"ffiec_cat_v2017.05:d4.c.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.e.4","tail":"ffiec_cat_v2017.05:d4.c.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.int.1","tail":"ffiec_cat_v2017.05:d4.c.co.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.int.2","tail":"ffiec_cat_v2017.05:d4.c.co.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.int.3","tail":"ffiec_cat_v2017.05:d4.c.co.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.int.4","tail":"ffiec_cat_v2017.05:d4.c.co.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.a.1","tail":"ffiec_cat_v2017.05:d4.c.co.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.a.2","tail":"ffiec_cat_v2017.05:d4.c.co.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.inn.1","tail":"ffiec_cat_v2017.05:d4.c.co.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.c.co.inn.2","tail":"ffiec_cat_v2017.05:d4.c.co.inn","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.b.1","tail":"ffiec_cat_v2017.05:d4.rm.dd.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.b.2","tail":"ffiec_cat_v2017.05:d4.rm.dd.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.b.3","tail":"ffiec_cat_v2017.05:d4.rm.dd.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.e.1","tail":"ffiec_cat_v2017.05:d4.rm.dd.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.e.2","tail":"ffiec_cat_v2017.05:d4.rm.dd.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.int.1","tail":"ffiec_cat_v2017.05:d4.rm.dd.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.int.2","tail":"ffiec_cat_v2017.05:d4.rm.dd.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.a.1","tail":"ffiec_cat_v2017.05:d4.rm.dd.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.a.2","tail":"ffiec_cat_v2017.05:d4.rm.dd.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.inn.1","tail":"ffiec_cat_v2017.05:d4.rm.dd.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.dd.inn.2","tail":"ffiec_cat_v2017.05:d4.rm.dd.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.1","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.2","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.3","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.4","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.5","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.b.6","tail":"ffiec_cat_v2017.05:d4.rm.co.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.e.1","tail":"ffiec_cat_v2017.05:d4.rm.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.e.2","tail":"ffiec_cat_v2017.05:d4.rm.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.e.3","tail":"ffiec_cat_v2017.05:d4.rm.co.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.int.1","tail":"ffiec_cat_v2017.05:d4.rm.co.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.a.1","tail":"ffiec_cat_v2017.05:d4.rm.co.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.a.2","tail":"ffiec_cat_v2017.05:d4.rm.co.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.co.inn.1","tail":"ffiec_cat_v2017.05:d4.rm.co.inn","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.b.1","tail":"ffiec_cat_v2017.05:d4.rm.om.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.b.2","tail":"ffiec_cat_v2017.05:d4.rm.om.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.b.3","tail":"ffiec_cat_v2017.05:d4.rm.om.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.e.1","tail":"ffiec_cat_v2017.05:d4.rm.om.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.e.2","tail":"ffiec_cat_v2017.05:d4.rm.om.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.e.3","tail":"ffiec_cat_v2017.05:d4.rm.om.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.e.4","tail":"ffiec_cat_v2017.05:d4.rm.om.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.int.1","tail":"ffiec_cat_v2017.05:d4.rm.om.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.int.2","tail":"ffiec_cat_v2017.05:d4.rm.om.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.a.1","tail":"ffiec_cat_v2017.05:d4.rm.om.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d4.rm.om.inn.1","tail":"ffiec_cat_v2017.05:d4.rm.om.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.1","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.2","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.3","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.4","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.5","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.b.6","tail":"ffiec_cat_v2017.05:d5.ir.pl.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e.1","tail":"ffiec_cat_v2017.05:d5.ir.pl.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e.2","tail":"ffiec_cat_v2017.05:d5.ir.pl.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e.3","tail":"ffiec_cat_v2017.05:d5.ir.pl.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e.4","tail":"ffiec_cat_v2017.05:d5.ir.pl.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.e.5","tail":"ffiec_cat_v2017.05:d5.ir.pl.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.int.1","tail":"ffiec_cat_v2017.05:d5.ir.pl.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.int.2","tail":"ffiec_cat_v2017.05:d5.ir.pl.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.int.3","tail":"ffiec_cat_v2017.05:d5.ir.pl.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.int.4","tail":"ffiec_cat_v2017.05:d5.ir.pl.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.a.1","tail":"ffiec_cat_v2017.05:d5.ir.pl.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.a.2","tail":"ffiec_cat_v2017.05:d5.ir.pl.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.a.3","tail":"ffiec_cat_v2017.05:d5.ir.pl.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.inn.1","tail":"ffiec_cat_v2017.05:d5.ir.pl.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.pl.inn.2","tail":"ffiec_cat_v2017.05:d5.ir.pl.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.b.1","tail":"ffiec_cat_v2017.05:d5.ir.te.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.b.2","tail":"ffiec_cat_v2017.05:d5.ir.te.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.b.3","tail":"ffiec_cat_v2017.05:d5.ir.te.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.e.1","tail":"ffiec_cat_v2017.05:d5.ir.te.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.e.2","tail":"ffiec_cat_v2017.05:d5.ir.te.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.e.3","tail":"ffiec_cat_v2017.05:d5.ir.te.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int.1","tail":"ffiec_cat_v2017.05:d5.ir.te.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int.2","tail":"ffiec_cat_v2017.05:d5.ir.te.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int.3","tail":"ffiec_cat_v2017.05:d5.ir.te.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int.4","tail":"ffiec_cat_v2017.05:d5.ir.te.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.int.5","tail":"ffiec_cat_v2017.05:d5.ir.te.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a.1","tail":"ffiec_cat_v2017.05:d5.ir.te.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a.2","tail":"ffiec_cat_v2017.05:d5.ir.te.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a.3","tail":"ffiec_cat_v2017.05:d5.ir.te.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a.4","tail":"ffiec_cat_v2017.05:d5.ir.te.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.a.5","tail":"ffiec_cat_v2017.05:d5.ir.te.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.inn.1","tail":"ffiec_cat_v2017.05:d5.ir.te.inn","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.inn.2","tail":"ffiec_cat_v2017.05:d5.ir.te.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.inn.3","tail":"ffiec_cat_v2017.05:d5.ir.te.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.ir.te.inn.4","tail":"ffiec_cat_v2017.05:d5.ir.te.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.b.1","tail":"ffiec_cat_v2017.05:d5.dr.de.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.b.2","tail":"ffiec_cat_v2017.05:d5.dr.de.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.b.3","tail":"ffiec_cat_v2017.05:d5.dr.de.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.e.1","tail":"ffiec_cat_v2017.05:d5.dr.de.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int.1","tail":"ffiec_cat_v2017.05:d5.dr.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int.2","tail":"ffiec_cat_v2017.05:d5.dr.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int.3","tail":"ffiec_cat_v2017.05:d5.dr.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int.4","tail":"ffiec_cat_v2017.05:d5.dr.de.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.int.5","tail":"ffiec_cat_v2017.05:d5.dr.de.int","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.a.1","tail":"ffiec_cat_v2017.05:d5.dr.de.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.a.2","tail":"ffiec_cat_v2017.05:d5.dr.de.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.de.inn.1","tail":"ffiec_cat_v2017.05:d5.dr.de.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.b.1","tail":"ffiec_cat_v2017.05:d5.dr.re.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.1","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.2","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.3","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.4","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.5","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.6","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.7","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.e.8","tail":"ffiec_cat_v2017.05:d5.dr.re.e","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.int.1","tail":"ffiec_cat_v2017.05:d5.dr.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.int.2","tail":"ffiec_cat_v2017.05:d5.dr.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.int.3","tail":"ffiec_cat_v2017.05:d5.dr.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.int.4","tail":"ffiec_cat_v2017.05:d5.dr.re.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.a.1","tail":"ffiec_cat_v2017.05:d5.dr.re.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.a.2","tail":"ffiec_cat_v2017.05:d5.dr.re.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.a.3","tail":"ffiec_cat_v2017.05:d5.dr.re.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.inn.1","tail":"ffiec_cat_v2017.05:d5.dr.re.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.dr.re.inn.2","tail":"ffiec_cat_v2017.05:d5.dr.re.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.b.1","tail":"ffiec_cat_v2017.05:d5.er.es.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.b.2","tail":"ffiec_cat_v2017.05:d5.er.es.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.b.3","tail":"ffiec_cat_v2017.05:d5.er.es.b","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.b.4","tail":"ffiec_cat_v2017.05:d5.er.es.b","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.e.1","tail":"ffiec_cat_v2017.05:d5.er.es.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.e.2","tail":"ffiec_cat_v2017.05:d5.er.es.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.e.3","tail":"ffiec_cat_v2017.05:d5.er.es.e","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.int.1","tail":"ffiec_cat_v2017.05:d5.er.es.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.int.2","tail":"ffiec_cat_v2017.05:d5.er.es.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.int.3","tail":"ffiec_cat_v2017.05:d5.er.es.int","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.a.1","tail":"ffiec_cat_v2017.05:d5.er.es.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.a.2","tail":"ffiec_cat_v2017.05:d5.er.es.a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"ffiec_cat_v2017.05","head":"ffiec_cat_v2017.05:d5.er.es.inn.1","tail":"ffiec_cat_v2017.05:d5.er.es.inn","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9","tail":"aicpa_tsc_v2017:cc","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1","tail":"aicpa_tsc_v2017:a","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1","tail":"aicpa_tsc_v2017:c","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1","tail":"aicpa_tsc_v2017:pi","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p7","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8","tail":"aicpa_tsc_v2017:p","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1","tail":"aicpa_tsc_v2017:cc1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.2","tail":"aicpa_tsc_v2017:cc1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3","tail":"aicpa_tsc_v2017:cc1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4","tail":"aicpa_tsc_v2017:cc1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5","tail":"aicpa_tsc_v2017:cc1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.1","tail":"aicpa_tsc_v2017:cc2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2","tail":"aicpa_tsc_v2017:cc2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3","tail":"aicpa_tsc_v2017:cc2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1","tail":"aicpa_tsc_v2017:cc3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2","tail":"aicpa_tsc_v2017:cc3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3","tail":"aicpa_tsc_v2017:cc3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4","tail":"aicpa_tsc_v2017:cc3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1","tail":"aicpa_tsc_v2017:cc4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.2","tail":"aicpa_tsc_v2017:cc4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1","tail":"aicpa_tsc_v2017:cc5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.2","tail":"aicpa_tsc_v2017:cc5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3","tail":"aicpa_tsc_v2017:cc5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.2","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.3","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.4","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.5","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6 ","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.7","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8","tail":"aicpa_tsc_v2017:cc6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1","tail":"aicpa_tsc_v2017:cc7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.2","tail":"aicpa_tsc_v2017:cc7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3","tail":"aicpa_tsc_v2017:cc7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4","tail":"aicpa_tsc_v2017:cc7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5","tail":"aicpa_tsc_v2017:cc7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1","tail":"aicpa_tsc_v2017:cc8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.1","tail":"aicpa_tsc_v2017:cc9","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2","tail":"aicpa_tsc_v2017:cc9","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.1","tail":"aicpa_tsc_v2017:a1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2","tail":"aicpa_tsc_v2017:a1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.3","tail":"aicpa_tsc_v2017:a1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.1","tail":"aicpa_tsc_v2017:c1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.2","tail":"aicpa_tsc_v2017:c1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.1","tail":"aicpa_tsc_v2017:pi1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.2","tail":"aicpa_tsc_v2017:pi1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3","tail":"aicpa_tsc_v2017:pi1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.4","tail":"aicpa_tsc_v2017:pi1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.5","tail":"aicpa_tsc_v2017:pi1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1.1","tail":"aicpa_tsc_v2017:p1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1","tail":"aicpa_tsc_v2017:p2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.1","tail":"aicpa_tsc_v2017:p3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.2","tail":"aicpa_tsc_v2017:p3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.1","tail":"aicpa_tsc_v2017:p4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.2","tail":"aicpa_tsc_v2017:p4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.3","tail":"aicpa_tsc_v2017:p4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.1","tail":"aicpa_tsc_v2017:p5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.2","tail":"aicpa_tsc_v2017:p5","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.1","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.2","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.3","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.4","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.5","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.6","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.7","tail":"aicpa_tsc_v2017:p6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p7.1","tail":"aicpa_tsc_v2017:p7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1","tail":"aicpa_tsc_v2017:p8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1.1","tail":"aicpa_tsc_v2017:cc1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1.2","tail":"aicpa_tsc_v2017:cc1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1.3","tail":"aicpa_tsc_v2017:cc1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1.4","tail":"aicpa_tsc_v2017:cc1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.1.5","tail":"aicpa_tsc_v2017:cc1.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.2.1","tail":"aicpa_tsc_v2017:cc1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.2.2","tail":"aicpa_tsc_v2017:cc1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.2.3","tail":"aicpa_tsc_v2017:cc1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.2.4","tail":"aicpa_tsc_v2017:cc1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3.1","tail":"aicpa_tsc_v2017:cc1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3.2","tail":"aicpa_tsc_v2017:cc1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3.3","tail":"aicpa_tsc_v2017:cc1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3.4","tail":"aicpa_tsc_v2017:cc1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.3.5","tail":"aicpa_tsc_v2017:cc1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.1","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.2","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.3","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.4","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.5","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.6","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.4.7","tail":"aicpa_tsc_v2017:cc1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5.1","tail":"aicpa_tsc_v2017:cc1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5.2","tail":"aicpa_tsc_v2017:cc1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5.3","tail":"aicpa_tsc_v2017:cc1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5.4","tail":"aicpa_tsc_v2017:cc1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc1.5.5","tail":"aicpa_tsc_v2017:cc1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.1.1","tail":"aicpa_tsc_v2017:cc2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.1.2","tail":"aicpa_tsc_v2017:cc2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.1.3","tail":"aicpa_tsc_v2017:cc2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.1.4","tail":"aicpa_tsc_v2017:cc2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.1","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.2","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.3","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.4","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.5","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.6","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.7","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.8","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.9","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.10","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.2.11","tail":"aicpa_tsc_v2017:cc2.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.1","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.2","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.3","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.4","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.5","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.6","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.7","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.8","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.9","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.10","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc2.3.11","tail":"aicpa_tsc_v2017:cc2.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.1","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.2","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.3","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.4","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.5","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.6","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.7","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.8","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.9","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.10","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.11","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.12","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.13","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.14","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.15","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.1.16","tail":"aicpa_tsc_v2017:cc3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.1","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.2","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.3","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.4","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.5","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.6","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.7","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.2.8","tail":"aicpa_tsc_v2017:cc3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3.1","tail":"aicpa_tsc_v2017:cc3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3.2","tail":"aicpa_tsc_v2017:cc3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3.3","tail":"aicpa_tsc_v2017:cc3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3.4","tail":"aicpa_tsc_v2017:cc3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.3.5","tail":"aicpa_tsc_v2017:cc3.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4.1","tail":"aicpa_tsc_v2017:cc3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4.2","tail":"aicpa_tsc_v2017:cc3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4.3","tail":"aicpa_tsc_v2017:cc3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4.4","tail":"aicpa_tsc_v2017:cc3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc3.4.5","tail":"aicpa_tsc_v2017:cc3.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.1","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.2","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.3","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.4","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.5","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.6","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.7","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.1.8","tail":"aicpa_tsc_v2017:cc4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.2.1","tail":"aicpa_tsc_v2017:cc4.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.2.2","tail":"aicpa_tsc_v2017:cc4.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc4.2.3","tail":"aicpa_tsc_v2017:cc4.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.1","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.2","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.3","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.4","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.5","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.1.6","tail":"aicpa_tsc_v2017:cc5.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.2.1","tail":"aicpa_tsc_v2017:cc5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.2.2","tail":"aicpa_tsc_v2017:cc5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.2.3","tail":"aicpa_tsc_v2017:cc5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.2.4","tail":"aicpa_tsc_v2017:cc5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.1","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.2","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.3","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.4","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.5","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc5.3.6","tail":"aicpa_tsc_v2017:cc5.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.1","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.2","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.3","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.4","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.5","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.6","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.7","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.8","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.9","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.1.10","tail":"aicpa_tsc_v2017:cc6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.2.1","tail":"aicpa_tsc_v2017:cc6.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.2.2","tail":"aicpa_tsc_v2017:cc6.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.2.3","tail":"aicpa_tsc_v2017:cc6.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.3.1","tail":"aicpa_tsc_v2017:cc6.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.3.2","tail":"aicpa_tsc_v2017:cc6.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.3.3","tail":"aicpa_tsc_v2017:cc6.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.4.1","tail":"aicpa_tsc_v2017:cc6.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.4.2","tail":"aicpa_tsc_v2017:cc6.4","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.4.3","tail":"aicpa_tsc_v2017:cc6.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.5.1","tail":"aicpa_tsc_v2017:cc6.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.5.2","tail":"aicpa_tsc_v2017:cc6.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6.1","tail":"aicpa_tsc_v2017:cc6.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6.2","tail":"aicpa_tsc_v2017:cc6.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6.3","tail":"aicpa_tsc_v2017:cc6.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.6.4","tail":"aicpa_tsc_v2017:cc6.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.7.1","tail":"aicpa_tsc_v2017:cc6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.7.2","tail":"aicpa_tsc_v2017:cc6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.7.3","tail":"aicpa_tsc_v2017:cc6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.7.4","tail":"aicpa_tsc_v2017:cc6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8.1","tail":"aicpa_tsc_v2017:cc6.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8.2","tail":"aicpa_tsc_v2017:cc6.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8.3","tail":"aicpa_tsc_v2017:cc6.8","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8.4","tail":"aicpa_tsc_v2017:cc6.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc6.8.5","tail":"aicpa_tsc_v2017:cc6.8","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1.1","tail":"aicpa_tsc_v2017:cc7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1.2","tail":"aicpa_tsc_v2017:cc7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1.3","tail":"aicpa_tsc_v2017:cc7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1.4","tail":"aicpa_tsc_v2017:cc7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.1.5","tail":"aicpa_tsc_v2017:cc7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.2.1","tail":"aicpa_tsc_v2017:cc7.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.2.2","tail":"aicpa_tsc_v2017:cc7.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.2.3","tail":"aicpa_tsc_v2017:cc7.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.2.4","tail":"aicpa_tsc_v2017:cc7.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3.1","tail":"aicpa_tsc_v2017:cc7.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3.2","tail":"aicpa_tsc_v2017:cc7.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3.3","tail":"aicpa_tsc_v2017:cc7.3","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3.4","tail":"aicpa_tsc_v2017:cc7.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.3.5","tail":"aicpa_tsc_v2017:cc7.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.1","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.2","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.3","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.4","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.5","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.6","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.7","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.8","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.9","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.10","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.11","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.12","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.4.13","tail":"aicpa_tsc_v2017:cc7.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.1","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.2","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.3","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.4","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.5","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc7.5.6","tail":"aicpa_tsc_v2017:cc7.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.1","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.2","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.3","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.4","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.5","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.6","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.7","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.8","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.9","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.10","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.11","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.12","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.13","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.14","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc8.1.15","tail":"aicpa_tsc_v2017:cc8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.1.1","tail":"aicpa_tsc_v2017:cc9.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.1.2","tail":"aicpa_tsc_v2017:cc9.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.1","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.2","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.3","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.4","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.5","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.6","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.7","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.8","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.9","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.10","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.11","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:cc9.2.12","tail":"aicpa_tsc_v2017:cc9.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.1.1","tail":"aicpa_tsc_v2017:a1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.1.2","tail":"aicpa_tsc_v2017:a1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.1.3","tail":"aicpa_tsc_v2017:a1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.1","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.2","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.3","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.4","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.5","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.6","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.7","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.8","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.9","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.2.10","tail":"aicpa_tsc_v2017:a1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.3.1","tail":"aicpa_tsc_v2017:a1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:a1.3.2","tail":"aicpa_tsc_v2017:a1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.1.1","tail":"aicpa_tsc_v2017:c1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.1.2","tail":"aicpa_tsc_v2017:c1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.2.1","tail":"aicpa_tsc_v2017:c1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:c1.2.2","tail":"aicpa_tsc_v2017:c1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.1.1","tail":"aicpa_tsc_v2017:pi1.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.2.1","tail":"aicpa_tsc_v2017:pi1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.2.2","tail":"aicpa_tsc_v2017:pi1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.2.3","tail":"aicpa_tsc_v2017:pi1.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3.1","tail":"aicpa_tsc_v2017:pi1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3.2","tail":"aicpa_tsc_v2017:pi1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3.3","tail":"aicpa_tsc_v2017:pi1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3.4","tail":"aicpa_tsc_v2017:pi1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.3.5","tail":"aicpa_tsc_v2017:pi1.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.4.1","tail":"aicpa_tsc_v2017:pi1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.4.2","tail":"aicpa_tsc_v2017:pi1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.4.3","tail":"aicpa_tsc_v2017:pi1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.4.4","tail":"aicpa_tsc_v2017:pi1.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.5.1","tail":"aicpa_tsc_v2017:pi1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.5.2","tail":"aicpa_tsc_v2017:pi1.5","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.5.3","tail":"aicpa_tsc_v2017:pi1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:pi1.5.4","tail":"aicpa_tsc_v2017:pi1.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1.1.1","tail":"aicpa_tsc_v2017:p1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1.1.2","tail":"aicpa_tsc_v2017:p1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1.1.3","tail":"aicpa_tsc_v2017:p1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p1.1.4","tail":"aicpa_tsc_v2017:p1.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.1","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.2","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.3","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.4","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.5","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p2.1.6","tail":"aicpa_tsc_v2017:p2.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.1.1","tail":"aicpa_tsc_v2017:p3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.1.2","tail":"aicpa_tsc_v2017:p3.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.1.3","tail":"aicpa_tsc_v2017:p3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.1.4","tail":"aicpa_tsc_v2017:p3.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.2.1","tail":"aicpa_tsc_v2017:p3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p3.2.2","tail":"aicpa_tsc_v2017:p3.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.1.1","tail":"aicpa_tsc_v2017:p4.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.2.1","tail":"aicpa_tsc_v2017:p4.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.2.2","tail":"aicpa_tsc_v2017:p4.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.3.1","tail":"aicpa_tsc_v2017:p4.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.3.2","tail":"aicpa_tsc_v2017:p4.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p4.3.3","tail":"aicpa_tsc_v2017:p4.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.1.1","tail":"aicpa_tsc_v2017:p5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.1.2","tail":"aicpa_tsc_v2017:p5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.1.3","tail":"aicpa_tsc_v2017:p5.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.1.4","tail":"aicpa_tsc_v2017:p5.1","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.2.1","tail":"aicpa_tsc_v2017:p5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.2.2","tail":"aicpa_tsc_v2017:p5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p5.2.3","tail":"aicpa_tsc_v2017:p5.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.1.1","tail":"aicpa_tsc_v2017:p6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.1.2","tail":"aicpa_tsc_v2017:p6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.1.3","tail":"aicpa_tsc_v2017:p6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.1.4","tail":"aicpa_tsc_v2017:p6.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.2.1","tail":"aicpa_tsc_v2017:p6.2","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.3.1","tail":"aicpa_tsc_v2017:p6.3","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.4.1","tail":"aicpa_tsc_v2017:p6.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.4.2","tail":"aicpa_tsc_v2017:p6.4","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.5.1","tail":"aicpa_tsc_v2017:p6.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.5.2","tail":"aicpa_tsc_v2017:p6.5","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.6.1","tail":"aicpa_tsc_v2017:p6.6","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.6.2","tail":"aicpa_tsc_v2017:p6.6","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.7.1","tail":"aicpa_tsc_v2017:p6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p6.7.2","tail":"aicpa_tsc_v2017:p6.7","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p7.1.1","tail":"aicpa_tsc_v2017:p7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p7.1.2","tail":"aicpa_tsc_v2017:p7.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.1","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.2","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.3","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.4","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.5","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"aicpa_tsc_v2017","head":"aicpa_tsc_v2017:p8.1.6","tail":"aicpa_tsc_v2017:p8.1","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-01","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-01.1","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-01.2","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-02","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:gov-03","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-04","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-05","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-05.1","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-05.2","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-06","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-07","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-08","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-09","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-10","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-11","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-12","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-13","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-14","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-15","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-15.1","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-15.2","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-15.3","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:gov-15.4","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:gov-15.5","tail":"scf:gov","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-01","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-01.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-01.2","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-01.3","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.2","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.3","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.4","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.5","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.6","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.7","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.8","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.9","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.10","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-02.11","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-03","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-03.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:ast-03.2","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-04","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-04.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-04.2","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-04.3","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-05","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-05.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-06","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-06.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-07","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-08","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-09","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-10","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-11","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-12","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-13","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-14","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-14.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-14.2","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:ast-15","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-15.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-16","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-17","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-18","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-19","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-20","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-21","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-22","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-23","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-24","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-25","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-26","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-27","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-28","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-28.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-29","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-29.1","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ast-30","tail":"scf:ast","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:bcd-01","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-01.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-01.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-01.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-01.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-02","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-02.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-02.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-02.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-02.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-03","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-03.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-03.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-04","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-04.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-04.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-05","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-06","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-07","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:bcd-08","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-08.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-08.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-09.5","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-10","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-10.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-10.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-10.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-10.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:bcd-11.5","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.6","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.7","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-11.8","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-12","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-12.1","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-12.2","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-12.3","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-12.4","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-13","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-14","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:bcd-15","tail":"scf:bcd","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cap-01","tail":"scf:cap","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cap-02","tail":"scf:cap","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cap-03","tail":"scf:cap","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cap-04","tail":"scf:cap","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-01","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-02","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-02.1","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:chg-02.2","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-02.3","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-02.4","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-02.5","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-03","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04.1","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04.2","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04.3","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04.4","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-04.5","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-05","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-06","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:chg-06.1","tail":"scf:chg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-01","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-01.1","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-01.2","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-02","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-03","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:cld-04","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-05","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-06","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-06.1","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-06.2","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-06.3","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-06.4","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-07","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-08","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-09","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-10","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-11","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cld-12","tail":"scf:cld","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-01","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-01.1","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-01.2","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-02","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-02.1","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-03","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:cpl-03.1","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-03.2","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-04","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-05","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-05.1","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-05.2","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cpl-06","tail":"scf:cpl","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-01","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-01.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.2","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.3","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.4","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.5","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.6","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.7","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.8","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-02.9","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:cfg-03","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-03.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-03.2","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-03.3","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-03.4","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-04","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-04.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-04.2","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-05","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-05.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-05.2","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-06","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-07","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-08","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cfg-08.1","tail":"scf:cfg","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mon-01.4","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.5","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.6","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.7","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.8","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.9","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.10","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.11","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.12","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.13","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.14","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.15","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.16","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-01.17","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.4","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mon-02.5","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.6","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.7","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-02.8","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.4","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.5","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.6","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-03.7","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-04","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-05","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-05.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-05.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-06","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-06.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-06.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mon-07","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-07.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-08","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-08.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-08.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-08.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-08.4","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-09","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-09.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-10","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-11","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-11.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-11.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-11.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-12","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-13","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-14","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-14.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-15","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mon-16","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-16.1","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-16.2","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-16.3","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mon-16.4","tail":"scf:mon","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01.1","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01.2","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01.3","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01.4","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-01.5","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-02","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-03","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-04","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-05","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-05.1","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-05.2","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-05.3","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-06","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:cry-07","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-08","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-08.1","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.1","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.2","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.3","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.4","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.5","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.6","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-09.7","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-10","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:cry-11","tail":"scf:cry","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-01","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-01.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-01.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-01.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-02","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-02.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:dch-03","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-03.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-03.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-03.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-04","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-04.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.4","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.5","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.6","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.7","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.8","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.9","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.10","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-05.11","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-06","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:dch-06.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-06.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-06.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-06.4","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-06.5","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-07","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-07.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-07.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-08","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09.4","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-09.5","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-10","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-10.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-10.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-11","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:dch-12","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-13","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-13.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-13.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-13.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-13.4","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-14","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-14.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-14.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-14.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-15","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-16","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-17","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-18","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-18.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-18.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-18.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-19","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-20","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:dch-21","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-22","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-22.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-22.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-22.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.2","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.3","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.4","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.5","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.6","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.7","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.8","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-23.9","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-24","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-24.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-25","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:dch-25.1","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:dch-26","tail":"scf:dch","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-01","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-02","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-03","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-04","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-05","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-06","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-07","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-08","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-09","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-10","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-11","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-12","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-13","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-14","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-15","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-16","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-17","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:emb-18","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:emb-19","tail":"scf:emb","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-01","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-02","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-03","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-03.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-03.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.3","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.4","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.5","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.6","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-04.7","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-05","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.3","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:end-06.4","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.5","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.6","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-06.7","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-07","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-08","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-08.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-08.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-09","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-10","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-11","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-12","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-13","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-13.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-13.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-13.3","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-13.4","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-14","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-14.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:end-14.2","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-15","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-16","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:end-16.1","tail":"scf:end","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-01","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-02","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-02.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-02.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-03","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-03.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-03.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-04","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-04.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-04.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-04.3","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-04.4","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:hrs-05.3","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.4","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.5","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.6","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-05.7","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-06","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-06.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-06.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-07","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-07.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-08","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-09","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-09.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-09.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-09.3","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-09.4","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-10","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-11","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-12","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:hrs-12.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-13","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-13.1","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-13.2","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-13.3","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:hrs-13.4","tail":"scf:hrs","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-01","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-01.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-02","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-02.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-02.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-02.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-02.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-03.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iac-04","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-04.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-05","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-05.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-05.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-06","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-06.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-06.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-06.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-06.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-07","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-07.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-07.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-08","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iac-09.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-09.6","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.6","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.7","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.8","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.9","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.10","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.11","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-10.12","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-11","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-12","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-12.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-13","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iac-13.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-13.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-14","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.6","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.7","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.8","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-15.9","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-16","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-16.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-16.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-17","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-18","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-19","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iac-20","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-20.6","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.6","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-21.7","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-22","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-23","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-24","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-24.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iac-25","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-25.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-26","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-27","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28.1","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28.2","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28.3","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28.4","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-28.5","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iac-29","tail":"scf:iac","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-01","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.3","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.4","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.5","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-02.6","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iro-03","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-04","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-04.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-04.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-04.3","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-05","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-05.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-05.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-06","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-06.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-07","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-08","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-09","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-09.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-10","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-10.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-10.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-10.3","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-10.4","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iro-11","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-11.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-11.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-12","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-12.1","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-12.2","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-12.3","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-12.4","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-13","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-14","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-15","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iro-16","tail":"scf:iro","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-01","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-01.1","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-02","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-02.1","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-02.2","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-02.3","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-02.4","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:iao-03","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-03.1","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-03.2","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-04","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-05","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-05.1","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-06","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:iao-07","tail":"scf:iao","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-01","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-02","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-02.1","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-03","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-03.1","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-03.2","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-03.3","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-04","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-04.1","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-04.2","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-04.3","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mnt-04.4","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.1","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.2","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.3","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.4","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.5","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.6","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-05.7","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-06","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-06.1","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-06.2","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-07","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-08","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-09","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-10","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mnt-11","tail":"scf:mnt","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-01","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-02","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:mdm-03","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-04","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-05","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-06","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-07","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-08","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-09","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-10","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:mdm-11","tail":"scf:mdm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-01","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-01.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-02","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-02.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-02.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-02.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:net-03.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.5","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.6","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.7","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-03.8","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.5","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.6","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.7","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.8","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.9","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.10","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.11","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.12","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-04.13","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:net-05","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-05.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-05.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-06.5","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-07","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-08","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-08.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-08.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-09","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-09.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-09.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-10","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-10.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-10.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:net-10.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-10.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-11","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-12","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-12.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-12.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-13","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.5","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.6","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.7","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-14.8","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-15","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-15.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-15.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:net-15.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-15.4","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-15.5","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-16","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-17","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-18","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-18.1","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-18.2","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:net-18.3","tail":"scf:net","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-01","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-01.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-02","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-02.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-02.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-03","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-03.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-03.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-03.3","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-03.4","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pes-04","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-04.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-04.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-04.3","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-05","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-05.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-05.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.3","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.4","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.5","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-06.6","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.3","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.4","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pes-07.5","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.6","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-07.7","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-08","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-08.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-08.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-08.3","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-09","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-09.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-10","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-11","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-12","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-12.1","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-12.2","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-13","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-14","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-15","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-16","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pes-17","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pes-18","tail":"scf:pes","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-01.7","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-02.7","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pri-03.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.7","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-03.8","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-04.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pri-05.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-05.7","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.5","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.6","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-06.7","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-07","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-07.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-07.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-07.3","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-07.4","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-08","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-09","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-10","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:pri-10.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-10.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-11","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-12","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-13","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-14","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-14.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-14.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-15","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-16","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-17","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-17.1","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:pri-17.2","tail":"scf:pri","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-01","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-01.1","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-01.2","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-02","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-03","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-04","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:prm-05","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-06","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-07","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:prm-08","tail":"scf:prm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-01","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-01.1","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-02","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-02.1","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-03","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-04","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-04.1","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-05","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-06","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-06.1","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-06.2","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-07","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-08","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-09","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-09.1","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:rsk-10","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:rsk-11","tail":"scf:rsk","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-01","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-01.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-02","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-02.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-02.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-02.3","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-03","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-03.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-03.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-04","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-04.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-04.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-04.3","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-05","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-06","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-07","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-07.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:sea-07.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-07.3","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-08","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-08.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-09","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-09.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-10","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-11","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-12","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-13","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-13.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-14","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-14.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-14.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-15","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-16","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-17","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-18","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-18.1","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:sea-18.2","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-19","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sea-20","tail":"scf:sea","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-01","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-01.1","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-02","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-03","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-04","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:ops-05","tail":"scf:ops","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-01","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-02","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-02.1","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-02.2","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.1","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.2","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.3","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.4","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.5","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:sat-03.6","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.7","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-03.8","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:sat-04","tail":"scf:sat","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-01","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-01.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-01.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-01.3","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.3","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.4","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.5","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.6","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-02.7","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-03","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-03.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-04","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:tda-04.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-04.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-05","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-05.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-05.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06.3","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06.4","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-06.5","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-07","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-08","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-08.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.3","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.4","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:tda-09.5","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.6","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-09.7","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-10","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-10.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-11","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-11.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-11.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-12","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-13","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-14","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-14.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-14.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-15","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-16","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-17","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-17.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-18","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-19","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:tda-20","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-20.1","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-20.2","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tda-20.3","tail":"scf:tda","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-01","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-01.1","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-02","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-03","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-03.1","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-03.2","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-03.3","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-04","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-04.1","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-04.2","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-04.3","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-04.4","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05.1","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05.2","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:tpm-05.3","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05.4","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05.5","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-05.6","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-06","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-07","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-08","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-09","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-10","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:tpm-11","tail":"scf:tpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-01","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-02","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-03","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-04","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-05","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-06","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-07","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:thr-08","tail":"scf:thr","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-01","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:vpm-01.1","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-02","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-03","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-04","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-04.1","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-04.2","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05.1","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05.2","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05.3","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05.4","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-05.5","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.1","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.2","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.3","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.4","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.5","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.6","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:vpm-06.7","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.8","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-06.9","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-07","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-07.1","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-08","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-09","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:vpm-10","tail":"scf:vpm","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-01","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-01.1","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-02","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-03","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-04","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-05","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-06","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-07","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-08","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-09","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-10","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} 
+{"source":"scf","head":"scf:web-11","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-12","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"} +{"source":"scf","head":"scf:web-13","tail":"scf:web","type_raw":null,"type_skos":"skos:broadMatch"}
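Review bot: The control-enhancement records in this hunk (for example `scf:vpm-06.1` through `scf:vpm-06.9`, and `scf:tpm-05.1` through `scf:tpm-05.6`) are all attached directly to the domain node (`scf:vpm`, `scf:tpm`) with `skos:broadMatch`, skipping the parent control (`scf:vpm-06`, `scf:tpm-05`) that the identifier suffix implies; if the intermediate level is intentionally flattened, say so in the README's relationship-format notes, otherwise emit the enhancement-to-parent edge as well so the hierarchy can be walked. Related: every record here has `"type_raw":null` next to a populated `type_skos`, which reads as a relationship inferred from the identifier structure rather than stated by the SCF source; documenting that null convention (and the rule used to derive `tail` from `head`) would let consumers distinguish inferred edges from source-stated ones.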