Evidence Request List (ERL)
The SCF's Evidence Request List (ERL) is designed to standardize and streamline the evidence request process for an SCF-based assessment. However, the ERL can also be used as a guidebook for "reasonable" artifacts that demonstrate evidence of due diligence and due care in other cybersecurity and/or privacy audits or assessments.
The ERL will be utilized as part of the SCF's Conformity Assessment Program (CAP) to identify reasonably-expected artifacts/evidence to meet applicable SCF controls, since the identified evidence artifacts are mapped to SCF controls. The benefits are:
- It levels the playing field by establishing evidence expectations upfront so there are no surprises; and
- It prevents an assessor from literally making up documentation requirements on the fly.
Since "time is money" when it comes to an audit/assessment, the ERL is specifically designed to make assessments more efficient and therefore less expensive. The ERL is one of the tabs included as part of the SCF:
# | ERL # | Area of Focus | Documentation Artifact | Artifact Description | SCF Control Mappings |
--- | --- | --- | --- | --- | --- |
1 | E-GOV-01 | Security & Privacy Program Management | Charter - Cybersecurity Program | Documented evidence of a corporate-level (C-Level) organization and resourcing for a cybersecurity & privacy governance program. | GOV-01 |
2 | E-GOV-02 | Security & Privacy Program Management | Charter - Privacy Program | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01 PRI-01 |
3 | E-GOV-03 | Security & Privacy Program Management | Charter - Cybersecurity Steering Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of cybersecurity management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.1 GOV-01.2 |
4 | E-GOV-04 | Security & Privacy Program Management | Charter - Privacy Steering Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2 CPL-02 |
5 | E-GOV-05 | Security & Privacy Program Management | Charter - Audit Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of internal and external audit management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2 CPL-02 |
6 | E-GOV-06 | Security & Privacy Program Management | Charter - Risk Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of risk management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2 CPL-02 |
7 | E-GOV-07 | Security & Privacy Program Management | Charter - Data Management Board (DMB) | Documented evidence of the organization's Data Management Board (DMB) charter and mission. | GOV-01.2 |
8 | E-GOV-08 | Security & Privacy Program Management | Cybersecurity & Privacy Policies | Documented evidence of appropriately-scoped cybersecurity and privacy policies. Policies are high-level statements of management intent from an organization's executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements. | GOV-02 PRI-01 |
9 | E-GOV-09 | Security & Privacy Program Management | Cybersecurity & Privacy Standards | Documented evidence of appropriately-scoped cybersecurity and privacy standards. Standards are mandatory requirements regarding processes, actions and configurations. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity and privacy protections. | GOV-02 |
10 | E-GOV-10 | Security & Privacy Program Management | Cybersecurity & Privacy Controls | Documented evidence of appropriately-scoped cybersecurity and privacy controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented. | GOV-09 CPL-01 CPL-01.2 |
11 | E-GOV-11 | Security & Privacy Program Management | Cybersecurity & Privacy Procedures | Documented evidence of appropriately-scoped cybersecurity and privacy procedures. Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as "control activities." | GOV-02 OPS-01.1 |
12 | E-GOV-12 | Security & Privacy Program Management | Cybersecurity & Privacy Policies & Standards Reviews | Documented evidence of a periodic review process for the organization's cybersecurity and privacy policies and standards to identify necessary updates. | GOV-03 |
13 | E-GOV-13 | Security & Privacy Program Management | Measures of Performance (Metrics) | Documented evidence of formal measures of performance that are used to track the health of the cybersecurity and privacy program (e.g., metrics, KPIs, KRIs). | GOV-01.2 GOV-05 CPL-02 |
14 | E-AST-01 | Asset Management | IT Asset Management (ITAM) | Documented evidence of an IT Asset Management (ITAM) program. | AST-01 AST-03 AST-03.1 AST-10 |
15 | E-AST-02 | Asset Management | Asset Scoping Guidance | Documented evidence of asset scoping guidance. This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on defining in-scope systems, applications, services, processes and third-parties. | AST-04.1 AST-04.2 AST-04.3 CPL-01.2 IAO-01.1 |
16 | E-AST-03 | Asset Management | Asset Disposal Evidence | Documented evidence of a Vulnerability & Patch Management Program (VPMP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | AST-09 DCH-08 DCH-09 DCH-09.1 |
17 | E-AST-04 | Asset Management | Asset Inventories - Hardware | Documented evidence of an inventory of the organization's technology hardware assets. | AST-02 |
18 | E-AST-05 | Asset Management | Asset Inventories - Software | Documented evidence of an inventory of the organization's software assets. | AST-02 |
19 | E-AST-06 | Asset Management | Asset Inventories - Cloud Service Provider (CSP) | Documented evidence of an inventory of the organization's cloud-based services (e.g., SaaS, IaaS, PaaS, etc.). | CLD-01 CLD-09 TPM-01.1 |
20 | E-AST-07 | Asset Management | Cyber-Physical Systems (CPS) | Documented evidence of an inventory of the organization's physical assets that process functions based on software and networks. | AST-02 EMB-01 |
21 | E-AST-08 | Asset Management | Asset Inventories - Sensitive / Regulated Data | Documented evidence of an inventory of the organization's sensitive/regulated data (including systems where sensitive/regulated data is stored, processed and/or transmitted). | CLD-10 DCH-06.2 BCD-11.2 PRI-05.5 |
22 | E-AST-09 | Asset Management | Computer Lifecycle Plan (CLP) | Documented evidence of a Computer Lifecycle Plan (CLP) that describes how the life of technology assets is managed. | SEA-07.1 TDA-17 |
23 | E-AST-10 | Asset Management | Prohibited Equipment List (PEM) | Documented evidence of equipment identified by Federal Acquisition Regulation (FAR) section 889 prohibitions for certain telecommunications equipment. | AST-17 |
24 | E-AST-11 | Asset Management | Data Retention Program | Documented evidence of a formal data retention program that governs the retention and destruction of data types. | DCH-18 MON-10 PRI-05 |
25 | E-AST-12 | Asset Management | Secure Baseline Configurations Reviews | Documented evidence of a review process to ensure Secure Baseline Configurations (SBC) are current and applicable. | CFG-02 CFG-02.5 NET-04 NET-04.1 NET-04.6 |
26 | E-AST-13 | Asset Management | Secure Baseline Configurations - Cloud-Based Services | Documented evidence of secure baseline configurations for all deployed types of cloud-based services or applications. | CFG-02 CFG-02.5 |
27 | E-AST-14 | Asset Management | Secure Baseline Configurations - Databases | Documented evidence of secure baseline configurations for all deployed types of databases. | CFG-02 CFG-02.5 |
28 | E-AST-15 | Asset Management | Secure Baseline Configurations - Embedded Technologies | Documented evidence of secure baseline configurations for all deployed types of embedded technologies. | CFG-02 CFG-02.5 |
29 | E-AST-16 | Asset Management | Secure Baseline Configurations - Major Applications | Documented evidence of secure baseline configurations for all deployed types of major applications. | CFG-02 CFG-02.5 |
30 | E-AST-17 | Asset Management | Secure Baseline Configurations - Minor Applications | Documented evidence of secure baseline configurations for all deployed types of minor applications. | CFG-02 CFG-02.5 |
31 | E-AST-18 | Asset Management | Secure Baseline Configurations - Mobile Devices | Documented evidence of secure baseline configurations for all deployed types of mobile devices. | CFG-02 CFG-02.5 |
32 | E-AST-19 | Asset Management | Secure Baseline Configurations - Network Devices | Documented evidence of secure baseline configurations for all deployed types of network devices. | CFG-02 CFG-02.5 NET-04 NET-04.1 |
33 | E-AST-20 | Asset Management | Secure Baseline Configurations - Server Class Systems | Documented evidence of secure baseline configurations for all deployed types of server-class operating systems. | CFG-02 CFG-02.5 |
34 | E-AST-21 | Asset Management | Secure Baseline Configurations - Workstation Class Systems | Documented evidence of secure baseline configurations for all deployed types of workstation-class operating systems. | CFG-02 CFG-02.5 |
35 | E-AST-22 | Asset Management | Provenance | Documented evidence that tracks the origin, development, ownership, location and changes to systems, system components and associated data. | AST-03.2 |
36 | E-AST-23 | Asset Management | Geolocation Inventory | Documented evidence of designated internal and third-party facilities where organizational data is stored, transmitted and/or processed. | BCD-02.4 CLD-09 DCH-19 DCH-24 |
37 | E-AST-24 | Asset Management | Asset Categorization | Documented evidence of a methodology to categorize technology assets (e.g., criticality and data classification considerations). | AST-31 AST-31.1 |
38 | E-BCM-01 | Business Continuity | Continuity of Operations Plan (COOP) | Documented evidence of a Continuity of Operations Plan (COOP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | BCD-01 |
39 | E-BCM-02 | Business Continuity | Recovery Time Objectives (RTOs) | Documented evidence of Recovery Time Objectives (RTOs) that guide Continuity of Operations Plan (COOP)-related operations. | BCD-01.4 |
40 | E-BCM-03 | Business Continuity | Recovery Point Objectives (RPOs) | Documented evidence of Recovery Point Objectives (RPOs) that guide Continuity of Operations Plan (COOP)-related operations. | BCD-01.4 |
41 | E-BCM-04 | Business Continuity | COOP Root Cause Analysis (RCA) | Documented evidence of a Root Cause Analysis (RCA) from any Continuity of Operations Plan (COOP)-related training, testing or incident. | BCD-05 |
42 | E-BCM-05 | Business Continuity | COOP Updates | Documented evidence of a periodic review process for the organization's Continuity of Operations Plan (COOP) to identify necessary updates. | BCD-06 |
43 | E-BCM-06 | Business Continuity | COOP Testing | Documented evidence of a Continuity of Operations Plan (COOP)-related testing activity. | BCD-03.1 BCD-04 |
44 | E-BCM-07 | Business Continuity | COOP Training | Documented evidence of a Continuity of Operations Plan (COOP)-related training activity. | BCD-03 BCD-04 |
45 | E-BCM-08 | Business Continuity | COOP Criticality Analysis | Documented evidence of a Continuity of Operations Plan (COOP)-related criticality analysis. | BCD-02 |
46 | E-BCM-09 | Business Continuity | COOP Dependency Analysis | Documented evidence of a Continuity of Operations Plan (COOP)-related dependency analysis for applications, systems, services, facilities, stakeholders and third-parties. | AST-01.1 |
47 | E-BCM-10 | Business Continuity | Backups | Documented evidence of a Continuity of Operations Plan (COOP)-related data backup scheme that demonstrates the methods of data backup (including protection measures) for all data types to ensure business continuity requirements. | BCD-11 |
48 | E-BCM-11 | Business Continuity | Backups - Local | Documented evidence of event logs for the on-site / local data backup solution. | BCD-11 BCD-11.2 |
49 | E-BCM-12 | Business Continuity | Backups - Remote | Documented evidence of event logs for the off-site / remote data backup solution. | BCD-11 BCD-11.2 |
50 | E-BCM-13 | Business Continuity | Backups - Recovery | Documented evidence of a Continuity of Operations Plan (COOP)-related criticality analysis for applications, systems, services, facilities, stakeholders and third-parties. | BCD-11 BCD-11.1 |
51 | E-CHG-01 | Change Management | Business Impact Analysis (BIA) | Documented evidence of a Business Impact Analysis (BIA) for proposed changes. | RSK-08 |
52 | E-CHG-02 | Change Management | Charter - Change Control Board (CCB) | Documented evidence of the organization's Change Control Board (CCB) charter and mission. | CHG-01 CHG-02 |
53 | E-CHG-03 | Change Management | Change Control Board (CCB) Minutes | Documented evidence of Change Control Board (CCB) meeting minutes. | CHG-02.2 |
54 | E-CHG-04 | Change Management | Evidence of Cybersecurity / Privacy Reviews | Documented evidence of Change Control Board (CCB) meeting-related cybersecurity and/or privacy reviews for proposed change(s). | CHG-02.3 |
55 | E-CPL-01 | Compliance | Statutory, Regulatory & Contractual Obligations | Documented evidence of applicable statutory, regulatory and/or contractual obligations for cybersecurity and privacy controls. | CPL-01 |
56 | E-CPL-02 | Compliance | Defined Compliance Scope (DCS) | Documented evidence of a formal scoping document that identifies applicable statutory, regulatory and/or contractual obligations for the organization. Defines the affected Lines of Business (LOB), internal / external stakeholders and facilities for the specific scope of compliance obligations. | AST-04.1 AST-04.2 AST-04.3 CPL-01.2 |
57 | E-CPL-03 | Compliance | Controls Responsibility Matrix (CRM) | Documented evidence of a Controls Responsibility Matrix (CRM), or similar documentation, that identifies the stakeholder involved in executing assigned controls (e.g., Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix). | AST-01.2 AST-03 CLD-06.1 TPM-05.4 |
58 | E-CPL-04 | Compliance | Internal Audit (IA) | Documented evidence of an Internal Audit (IA) capability. | CPL-02.1 |
59 | E-CPL-05 | Compliance | Internal Audit (IA) Findings | Documented evidence of a centrally-managed and prioritized repository of Internal Audit (IA) findings. | CPL-01.1 CPL-03 GOV-01.2 |
60 | E-CPL-06 | Compliance | Manufacturer Disclosure Statement for Medical Device Security (MDS2) | Documented Manufacturer Disclosure Statement for Medical Device Security (MDS2) that communicates information about medical device security and privacy characteristics to current device owners and potential buyers. [note MDS2 is specific to medical device manufacturers] | TDA-01.1 TDA-02.1 TDA-02.5 TDA-04 TDA-04.1 TPM-04 TPM-04.2 |
61 | E-CPL-07 | Compliance | Control Assessments | Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity and privacy controls. | CPL-02 CPL-02.1 CPL-03 CPL-03.1 |
62 | E-CPL-08 | Compliance | Functional Review of Cybersecurity Controls | Documented evidence of control testing to ensure cybersecurity controls function as expected. | CPL-03.2 |
63 | E-CPL-09 | Compliance | Non-Compliance Oversight Reporting | Documented evidence of governance oversight reporting of non-compliance to the organization's executive leadership. | CPL-02 GOV-01.2 |
64 | E-CRY-01 | Cryptographic Protections | FIPS-Validated Certificates | Documented evidence of FIPS-validated cryptographic modules. [note FIPS-validated cryptography is specific to US government contractors for NIST SP 800-171 & CMMC compliance] | CRY-03 CRY-04 CRY-09 CRY-09.1 CRY-09.2 |
65 | E-DCH-01 | Data Protection | Data Classification Scheme | Documented evidence of an organization-specific data classification scheme. | AST-04.1 DCH-02 |
66 | E-DCH-02 | Data Protection | Data Handling Practices | Documented evidence of organization-specific data handling practices (e.g., guidance specific to the data classification scheme). | AST-04.1 DCH-02 |
67 | E-DCH-03 | Data Protection | Network Diagram - Global System View (GSV) | Documented evidence of a high-level network diagram that provides a conceptual, logical depiction of the network(s) to describe the interconnections of the systems/applications/services, including internal and external interfaces. | AST-04 NET-02 |
68 | E-DCH-04 | Data Protection | Network Diagram - Low Level | Documented evidence of a low-level network diagram that provides a detailed, logical depiction of assets on the network(s). | AST-04 NET-02 |
69 | E-DCH-05 | Data Protection | Data Flow Diagram (DFD) | Documented evidence of a Data Flow Diagram (DFD) that accurately identifies where sensitive/regulated data is stored, transmitted and/or processed. | AST-02.8 AST-04 NET-02 |
70 | E-DCH-06 | Data Protection | Third-Party Inventories | Documented evidence of an inventory of Third-Party Service Providers (TSP), contractors, vendors, etc. that directly or indirectly impact the organization's data, systems, applications, services and/or processes. | TPM-01.1 |
71 | E-DCH-07 | Data Protection | Media Sanitization Documentation | Documented evidence of media sanitization actions. | DCH-09 DCH-09.1 |
72 | E-DCH-08 | Data Protection | Authorization Documentation | Documented evidence that identifies authorized users and processes acting on behalf of authorized users. | CFG-08 |
73 | E-SAT-01 | Education | Continuing Professional Education (CPE) | Documented evidence of Continuing Professional Education (CPE) requirements for cybersecurity and privacy personnel. | SAT-03.7 |
74 | E-SAT-02 | Education | Initial User Training | Documented evidence of initial user training for cybersecurity and/or privacy topics. | SAT-02 SAT-02.2 SAT-04 HRS-05.7 |
75 | E-SAT-03 | Education | Practical Exercises | Documented evidence of practical user training exercises for cybersecurity and/or privacy topics (e.g., phishing exercise). | SAT-02.1 SAT-03.1 SAT-04 |
76 | E-SAT-04 | Education | Recurring User Training | Documented evidence of recurring (e.g., annual) user training for cybersecurity and/or privacy topics. | SAT-03.4 SAT-03.6 SAT-03.7 SAT-04 HRS-05.7 |
77 | E-SAT-05 | Education | Role-Based Training | Documented evidence of specialized user training for privileged users, executives, individuals who handle sensitive/regulated data, etc. | SAT-03 SAT-03.4 SAT-03.5 SAT-04 |
78 | E-MON-01 | Event Log Monitoring | Evidence of Log Review Processes | Documented evidence of centralized collection and review/analysis of security event logs. | MON-01.2 MON-01.8 MON-02 MON-02.2 |
79 | E-MON-02 | Event Log Monitoring | Malware Activity | Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.8 MON-02.2 END-04.3 |
80 | E-MON-03 | Event Log Monitoring | Privileged User Oversight | Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.14 MON-01.15 |
81 | E-MON-04 | Event Log Monitoring | Rogue Devices | Documented evidence that rogue device identification is included as part of the centralized event log collection and review/analysis process. | AST-02.6 |
82 | E-MON-05 | Event Log Monitoring | Security Events | Documented evidence of security-relevant activities being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.2 MON-01.8 MON-02 MON-02.2 |
83 | E-HRS-01 | Human Resources | Defined Cybersecurity & Privacy Roles | Documented evidence of discrete roles for cybersecurity and privacy functions (e.g., position categorization). | GOV-04 HRS-02 HRS-03 HRS-03.1 |
84 | E-HRS-02 | Human Resources | Assigned Roles - Application Developers | List of employed or contract personnel assigned to application development roles. | HRS-02 HRS-02.1 HRS-03 |
85 | E-HRS-03 | Human Resources | Assigned Roles - Cybersecurity Staff | List of employed or contract personnel assigned to cybersecurity roles. | HRS-02 HRS-02.1 HRS-03 |
86 | E-HRS-04 | Human Resources | Assigned Roles - Privacy Staff | List of employed or contract personnel assigned to privacy roles. | HRS-02 HRS-02.1 HRS-03 |
87 | E-HRS-05 | Human Resources | Role Assignment - CISO | Documented evidence of a formal role assignment to the Chief Information Security Officer (CISO) position. | GOV-04 |
88 | E-HRS-06 | Human Resources | Role Assignment - COO | Documented evidence of a formal role assignment to the Chief Operations Officer (COO) position. | GOV-04 |
89 | E-HRS-07 | Human Resources | Role Assignment - CIO | Documented evidence of a formal role assignment to the Chief Information Officer (CIO) position. | GOV-04 |
90 | E-HRS-08 | Human Resources | Role Assignment - CPO | Documented evidence of a formal role assignment to the Chief Privacy Officer (CPO) position. | GOV-04 PRI-01.1 |
91 | E-HRS-09 | Human Resources | Role Assignment - CRO | Documented evidence of a formal role assignment to the Chief Risk Officer (CRO) position. | GOV-04 |
92 | E-HRS-10 | Human Resources | Role Assignment - DPO | Documented evidence of a formal role assignment to Data Protection Officer (DPO) positions. | GOV-04 PRI-01.4 |
93 | E-HRS-11 | Human Resources | Role Assignment - Sensitive / Regulated Data | Documented evidence of a formal role assignment to personnel who are cleared to handle sensitive/regulated data. | HRS-02 HRS-02.1 HRS-03 |
94 | E-HRS-12 | Human Resources | Role Review | Documented evidence of a formal review process to ensure personnel roles currently reflect business needs. | IAC-07 IAC-07.1 IAC-08 IAC-17 |
95 | E-HRS-13 | Human Resources | Defined Cybersecurity & Privacy Responsibilities | Documented evidence of role-based cybersecurity and privacy responsibilities to ensure personnel are both educated on the role and are responsible for the associated control execution. | GOV-04 HRS-03 HRS-03.1 |
96 | E-HRS-14 | Human Resources | Responsibilities Review | Documented evidence of a formal review process to ensure assigned responsibilities currently reflect business needs for the assigned role. | IAC-17 |
97 | E-HRS-15 | Human Resources | Organization Chart | Current and accurate organization chart that depicts logical staff hierarchies. | GOV-04 GOV-04.1 GOV-04.2 |
98 | E-HRS-16 | Human Resources | Access Agreements | Documented evidence of personnel management practices protecting sensitive/regulated data through formal access agreements. | HRS-03.1 HRS-05 HRS-06 HRS-10 |
99 | E-HRS-17 | Human Resources | Background Checks | Documented evidence of personnel screening practices, which center on a formalized background check process. | HRS-04 HRS-04.1 |
100 | E-HRS-18 | Human Resources | Provisioning Checklist (Onboarding) | Documented evidence of personnel management practices to formally onboard personnel into their assigned roles. | HRS-03 HRS-03.1 HRS-04.2 HRS-05.7 HRS-10 IAC-07 |
101 | E-HRS-19 | Human Resources | Deprovisioning Checklist (Offboarding) | Documented evidence of personnel management practices to formally offboard personnel from their assigned roles due to employment termination or role change. | HRS-06.2 HRS-09 HRS-09.1 HRS-09.2 HRS-09.3 IAC-07 IAC-07.1 IAC-07.2 |
102 | E-HRS-20 | Human Resources | Non-Disclosure Agreements (NDAs) | Documented evidence of the use of Non-Disclosure Agreements (NDAs) that restrict unauthorized sharing of sensitive/regulated data. | HRS-06.1 |
103 | E-HRS-21 | Human Resources | Position Competency Requirements | Documented evidence of personnel management practices to define minimum competency requirements for cybersecurity & privacy-related roles. | HRS-03.2 HRS-04 HRS-04.1 |
104 | E-HRS-22 | Human Resources | Rules of Behavior | Documented evidence of personnel management practices to define "acceptable use" or "rules of behavior" criteria that specify acceptable and unacceptable user behaviors. | HRS-02 HRS-02.1 HRS-03 HRS-05 HRS-05.1 HRS-05.2 HRS-05.3 HRS-05.4 HRS-05.5 HRS-10 |
105 | E-HRS-23 | Human Resources | Critical Cybersecurity & Privacy Skills | Documented evidence of personnel management practices to formally identify critical cybersecurity skills needed to support business operations. | HRS-03.2 HRS-13 |
106 | E-HRS-24 | Human Resources | Critical Cybersecurity & Privacy Skill Gaps | Documented evidence of personnel management practices to formally identify critical cybersecurity skill gaps. | HRS-13 HRS-13.1 |
107 | E-HRS-25 | Human Resources | Separation of Duties (SoD) | Documented evidence of personnel management practices to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion. | HRS-11 HRS-12 |
108 | E-HRS-26 | Human Resources | Vital Cybersecurity & Privacy Staff | Documented evidence of personnel management practices to formally identify vital cybersecurity & privacy personnel. | HRS-13.2 |
109 | E-IAM-01 | Identity & Access Management | Access Permission Review | Documented evidence of periodic access permission reviews. | IAC-17 |
110 | E-IAM-02 | Identity & Access Management | Defined Roles (RBAC) | Documented evidence of defined access control-specific roles (e.g., Role Based Access Control (RBAC)). | IAC-08 |
111 | E-IAM-03 | Identity & Access Management | Privileged User Inventory | Documented evidence of an inventory of privileged users across systems, applications and services (internal and external). | IAC-16 IAC-16.1 |
112 | E-IRO-01 | Incident Response | Incident Response Program (IRP) | Documented evidence of an Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | IRO-04 |
113 | E-IRO-02 | Incident Response | Indicators of Compromise (IOC) | Documented evidence of defined Indicators of Compromise (IOC). | IRO-03 |
114 | E-IRO-03 | Incident Response | Incident Tracking | Documented evidence of a centralized repository to track cybersecurity and privacy incidents. | IRO-02 IRO-09 |
115 | E-IRO-04 | Incident Response | IRP Testing | Documented evidence of an Incident Response Plan (IRP)-related testing activity. | IRO-06 |
116 | E-IRO-05 | Incident Response | Table Top Exercises | Documented evidence of "table top" exercises that test incident response practices. | IRO-05 |
117 | E-IRO-06 | Incident Response | IRP Training | Documented evidence of an Incident Response Plan (IRP)-related training activity. | IRO-05 |
118 | E-IRO-07 | Incident Response | IRP Updates | Documented evidence of a periodic review process for the organization's Incident Response Plan (IRP) to identify necessary updates. | IRO-04.2 |
119 | E-IRO-08 | Incident Response | Root Cause Analysis (RCA) | Documented evidence of a Root Cause Analysis (RCA) from any Incident Response Plan (IRP)-related training, testing or incident. | IRO-13 |
120 | E-IAO-01 | Information Assurance | Information Assurance Program (IAP) | Documented evidence of an Information Assurance Program (IAP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | IAO-01 |
121 | E-IAO-02 | Information Assurance | Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) | Documented evidence of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable AI-related testing, identification of incidents and information sharing. | AAT-10 |
122 | E-MNT-01 | Maintenance | Maintenance - Authorized Maintenance Personnel | Documented evidence of personnel who have designated maintenance roles. | MNT-06.1 |
123 | E-MNT-02 | Maintenance | Maintenance Plan | Documented evidence of a Maintenance Plan. This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | MNT-01 |
124 | E-MNT-03 | Maintenance | Patch Management | Documented evidence of maintenance activities for systems, applications and services management (e.g., patch management). | VPM-01 VPM-04 VPM-05 |
125 | E-MNT-04 | Maintenance | Infrastructure Maintenance | Documented evidence of maintenance activities for the organization's infrastructure and supporting systems. | MNT-01 MNT-02 MNT-03 MNT-03.1 |
126 | E-NET-01 | Network Security | Content / DNS Filtering | Documented evidence of the methods by which content / DNS filtering is implemented to block Internet traffic to prohibited content and/or hostile web sites. | NET-18 NET-18.1 |
127 | E-NET-02 | Network Security | Wireless Rogue Detection | Documented evidence of automated or manual means to detect rogue wireless devices. | NET-15.5 |
128 | E-NET-03 | Network Security | Work From Anywhere (WFA) Guidance (remote workers) | Documented evidence of administrative and technical measures that are enforced at "alternate work sites", which include working from home or working while traveling on business. | NET-14 NET-14.5 |
129 | E-PES-01 | Physical Security | Environmental Monitoring | Documented evidence of environmental monitoring (e.g., water leaks, temperature, humidity, etc.). | PES-01 PES-07 PES-08 PES-09 |
130 | E-PES-02 | Physical Security | Visitor Logbook | Documented evidence of visitor management and the logging of visitor activities. | PES-03 PES-03.3 PES-06 PES-06.4 |
131 | E-PES-03 | Physical Security | Defined Physical Security Roles | Documented evidence of defined physical access control-specific roles that limit physical access to rooms and/or facilities. | PES-02 PES-02.1 |
132 | E-PES-04 | Physical Security | Site Security Plan (Site Plan) | Documented evidence of a site security plan (site plan). | PES-01.1 |
133 | E-PRI-01 | Privacy | Accounting of Disclosures | Documented evidence of accounting for privacy-related disclosures. | PRI-14.1 |
134 | E-PRI-02 | Privacy | Authorized Use | Documented evidence of authorized use definitions for privacy-related data operations. | PRI-04 PRI-04.1 PRI-05 PRI-05.1 |
135 | E-PRI-03 | Privacy | Data Authority Registrations | Documented evidence of registrations made with applicable data authorities for privacy-related data processing. | PRI-15 |
136 | E-PRI-04 | Privacy | Data Protection Impact Assessment (DPIA) | Documented evidence of a Data Protection Impact Assessment (DPIA). | RSK-10 |
137 | E-PRI-05 | Privacy | Data Sharing Agreement | Documented evidence of formal data sharing practices that address, at a minimum: • The business justification for the data sharing; • The type / category of data being shared; • The third-parties the data is being shared with; • Lawful bases for data sharing; and • Data subject rights. | PRI-01.5 PRI-07 PRI-07.1 PRI-07.2 |
138 | E-PRI-06 | Privacy | Data Subject Access | Documented evidence of how data subject access requests are handled that includes intake through remediation. | PRI-06 |
139 | E-PRI-07 | Privacy | Personal Data Categories | Documented evidence of formal personal data categories. | PRI-05.7 |
140 | E-PRI-08 | Privacy | Privacy Notice | Documented evidence of a publicly-accessible privacy notice. | PRI-02 |
141 | E-PRM-01 | Resource Management | Cybersecurity Business Plan (CBP) | Documented evidence of a cybersecurity-specific business plan that documents a strategic plan and discrete objectives. | GOV-08 PRM-01.1 PRM-03 |
142 | E-PRM-02 | Resource Management | Portfolio Roadmap | Documented evidence of the organization's roadmap for implementing cybersecurity-related initiatives and technologies. | PRM-01 PRM-02 PRM-03 |
143 | E-PRM-03 | Resource Management | Secure Development Lifecycle (SDLC) | Documented evidence of a secure development lifecycle that the organization utilizes for new initiatives or significant changes to existing initiatives to ensure cybersecurity and privacy principles are identified and implemented by default. | PRM-04 PRM-05 PRM-06 PRM-07 |
144 | E-PRM-04 | Resource Management | Targeted Maturity Level | Documented evidence of a targeted level of control maturity from a Capability Maturity Model (CMM). | PRM-01.2 |
145 | E-RSK-01 | Risk Management | Risk Management Program (RMP) | Documented evidence of a Risk Management Program (RMP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | RSK-01 |
146 | E-RSK-02 | Risk Management | Cybersecurity Supply Chain Risk Management (C-SCRM) | Documented evidence of Cybersecurity Supply Chain Risk Management (C-SCRM). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | RSK-09 TPM-03 |
147 | E-RSK-03 | Risk Management | Plan of Actions & Milestones (POA&M) / Risk Register | Documented evidence of a POA&M, or risk register, that tracks control deficiencies from identification through remediation. | AST-02.4 CPL-02 RSK-04.1 |
148 | E-RSK-04 | Risk Management | Cybersecurity Risk Assessment (RA) | Documented evidence of a cybersecurity-specific risk assessment. | RSK-04 |
149 | E-RSK-05 | Risk Management | Supply Chain Risk Assessment (SCRA) | Documented evidence of a supply chain-specific risk assessment that evaluates the risks particular to the organization's supply chain. | RSK-09.1 |
150 | E-RSK-06 | Risk Management | Risk Threshold | Documented evidence the organization has a defined risk threshold. | RSK-01.3 |
151 | E-RSK-07 | Risk Management | Risk Tolerance | Documented evidence the organization has a defined risk tolerance. | RSK-01.4 |
152 | E-TDA-01 | Technology Design & Acquisition | Secure Software Development Principles (SSDP) | Documented evidence of Secure Software Development Principles (SSDP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | SEA-01 TDA-01 |
153 | E-TDA-02 | Technology Design & Acquisition | Security & Privacy by Design (SPBD) | Documented evidence of Security & Privacy by Design (SPBD). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | SEA-01 TDA-01 |
154 | E-TDA-03 | Technology Design & Acquisition | Application Security Testing | Documented evidence of application security testing (e.g., DAST, SAST, fuzzing, etc.). | TDA-06.2 TDA-09 TDA-09.1 TDA-09.2 TDA-09.3 TDA-09.4 TDA-09.5 TDA-09.6 |
155 | E-TDA-04 | Technology Design & Acquisition | Design and Development Plan (DDP) | Documented evidence of an engineering method to control the design process and govern the lifecycle of the product/service. | SEA-01 SEA-02 SEA-03 TDA-02.3 TDA-05 TDA-06.3 |
156 | E-TDA-05 | Technology Design & Acquisition | Failure Mode and Effect Analysis (FMEA) | Documented evidence of an engineering method designed to define, identify, and present solutions for system failures, problems, or errors. | TDA-01.1 TDA-06.5 TDA-09 |
157 | E-TDA-06 | Technology Design & Acquisition | Multi Patient Harm View (MPHV) | Documented evidence of a description of a Multi Patient Harm View (MPHV) that explains how the device / system defends against and/or responds to attacks with the potential to harm multiple patients. [note MPHV is specific to medical device manufacturers] | TDA-01.1 TDA-02 TDA-04 TDA-04.1 |
158 | E-TDA-07 | Technology Design & Acquisition | Ports, Protocols & Services (PPS) | Documented evidence of all ports, protocols and services in use by the system, application or service. | TDA-01.1 TDA-02.1 TDA-02.5 TPM-04.2 |
159 | E-TDA-08 | Technology Design & Acquisition | Secure Engineering Principles (SEP) | Documented evidence of defined secure engineering principles used to ensure Confidentiality, Integrity, Availability & Safety (CIAS) concerns are properly addressed in the design and implementation of systems, applications and services. | SEA-01 TDA-01 TDA-06 |
160 | E-TDA-09 | Technology Design & Acquisition | Security Architecture View | Documented evidence that identifies security-relevant system elements and their interfaces: • Define security context, domains, boundaries, and external interfaces of the system; • Align the architecture with (a) the system security objectives and requirements, (b) security design characteristics; and • Establish traceability of architecture elements to user and system security requirements. | CLD-02 SEA-01 SEA-02 SEA-03 |
161 | E-TDA-10 | Technology Design & Acquisition | Security Use Case View (SUCV) | Documented evidence of diagrams, with explanatory text, describing various security scenarios in each of the operational and clinical functionality states of the system and how the system addresses each scenario architecturally. [note SUCV is specific to medical device manufacturers] | TDA-04 TDA-04.1 TDA-06.2 |
162 | E-TDA-11 | Technology Design & Acquisition | Software Assurance Maturity Model (SAMM) | Documented evidence of a Software Assurance Maturity Model (SAMM). | TDA-06 TDA-06.3 |
163 | E-TDA-12 | Technology Design & Acquisition | Software Bill of Materials (SBOM) | Documented evidence of a Software Bill of Materials (SBOM). | TDA-04.2 |
164 | E-TDA-13 | Technology Design & Acquisition | Software Escrow | Documented evidence of a software escrow solution. | TDA-20.3 |
165 | E-TDA-14 | Technology Design & Acquisition | System Security & Privacy Plan (SSPP) | Documented evidence of at least one (1) System Security Plan (SSPP) that covers the sensitive/regulated data environment. There may be multiple SSPPs, based on applicable contracts. | AST-02.4 IAO-03 |
166 | E-TDA-15 | Technology Design & Acquisition | Updateability / Patchability View | Documented evidence of a description of the end-to-end process permitting software updates and patches to be deployed to the device/service. | TDA-01.1 TDA-01.2 TDA-04.1 |
167 | E-TDA-16 | Technology Design & Acquisition | Vulnerability Disclosure Program (VDP) | Documented evidence of a Vulnerability Disclosure Program (VDP) (e.g., bug bounty). | THR-06 |
168 | E-THR-01 | Threat Management | Indicators of Exposure (IOE) | Documented evidence of defined Indicators of Exposure (IOE). | THR-02 |
169 | E-THR-02 | Threat Management | Industry Associations / Memberships | Documented evidence of industry associations the organization utilizes to maintain situational awareness of evolving threats and trends. | GOV-07 |
170 | E-THR-03 | Threat Management | Threat Intelligence Feeds (TIF) | Documented evidence of threat intelligence feeds. | THR-03 |
171 | E-THR-04 | Threat Management | Threat Intelligence Program (TIP) | Documented evidence of a formal capability that intakes and analyzes threat information to determine the specific threats to the organization and the actions necessary to mitigate those threat(s). | THR-01 THR-04 |
172 | E-THR-05 | Threat Management | Threat Mitigation | Documented evidence of steps taken to mitigate identified threats. | TDA-06.2 THR-07 VPM-01 VPM-04 |
173 | E-TPM-01 | Third-Party Management | Third-Party Contracts | Documented evidence of third-party contractual obligations for cybersecurity and privacy protections. | TPM-01 TPM-05 PRI-07 PRI-07.1 PRI-07.2 |
174 | E-TPM-02 | Third-Party Management | Third-Party Criticality Assessment | Documented evidence of a third-party criticality assessment that evaluates the critical nature of each third-party the organization works with. | TPM-02 |
175 | E-TPM-03 | Third-Party Management | Third-Party Service Reviews | Documented evidence of a formal, annual stakeholder review of third-party services for each Third-Party Service Provider (TSP). | TPM-01 TPM-05 TPM-05.5 TPM-08 TPM-09 |
176 | E-TPM-04 | Third-Party Management | Service Level Agreements (SLAs) | Documented evidence of third-party Service Level Agreements (SLAs) to support business operations. | BCD-09.3 BCD-10.1 OPS-03 |
177 | E-TPM-05 | Third-Party Management | Break Clauses | Documented evidence of "break clauses" in third-party contracts. | TPM-05.7 |
178 | E-VPM-01 | Vulnerability & Patch Management | Vulnerability & Patch Management Program (VPMP) | Documented evidence of a Vulnerability & Patch Management Program (VPMP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | VPM-01 |
179 | E-VPM-02 | Vulnerability Management | Penetration Testing - Application | Documented evidence of Application Security Testing (AST) activities: • Abuse case, malformed, and unexpected inputs (e.g., Robustness or Fuzz testing); • Attack surface analysis; • Vulnerability chaining; • Closed box testing of known vulnerability scanning; • Software composition analysis of binary executable files; and/or • Static and dynamic code analysis, including testing for credentials that are "hardcoded," default, easily guessed, and easily compromised. | VPM-07 |
180 | E-VPM-03 | Vulnerability Management | Penetration Testing - Network | Documented evidence of internal and external network penetration testing activities that focus on discovering and exploiting security vulnerabilities. | VPM-07 |
181 | E-VPM-04 | Vulnerability Management | Red Team Testing | Documented evidence of "red team" testing. | VPM-07.1 |
182 | E-VPM-05 | Vulnerability Management | Vulnerability Assessments | Documented evidence of internal and external vulnerability assessment activities. | VPM-06 VPM-06.6 VPM-06.7 |